Tags: docker, ssl, azure-devops, azure-keyvault, azure-devops-pipelines

How to fetch a certificate from Azure Key Vault to be used in a Docker image


I am using an SSL certificate while building the Docker image to communicate with other services within Kubernetes. Right now I have the SSL certificate in my repo and it is published as part of the artifact. We are planning to move the cert to Key Vault and fetch it while executing our pipeline. I am not sure how I can fetch it while building the Docker image. I have tried the default Azure Key Vault task and I am able to get the cert, but it's not a file (.crt or .pfx).

Below is the final step in my Docker image:

    FROM base AS final
    WORKDIR /app
    COPY --from=publish /app/publish .
    COPY $(ps-test-cert)  /usr/local/share/ca-certificates/ps-test-cert
    RUN chmod 644 /usr/local/share/ca-certificates/ps-test-cert
    RUN update-ca-certificates
    ENTRYPOINT ["dotnet", "Logging.API.dll"]

The cert name in the Key Vault is ps-test-cert.

Here is my Key Vault task:

    - task: AzureKeyVault@1
      inputs:
        azureSubscription: 'ARMDeployment-Service-Conn'
        KeyVaultName: 'OneK-KeyVault'
        SecretsFilter: 'ps-test-cert'
        RunAsPreJob: false

Do I have to get the cert and publish it as an artifact? Since I need this at build time, I'm not sure how I should import the cert so that I can use it.

Update

I am able to get the certificate using the Azure CLI with the commands below, but I am not sure how I will use that inside the Dockerfile. When I publish, I can see that the certificate is there in the published items.

    az keyvault certificate download --vault-name one-KeyVault -n ps-test-cert -f cert.pem
    openssl x509 -outform der -in cert.pem -out ps-test-cert.crt

In the publish task, I can use it like this:

    - task: PublishPipelineArtifact@1
      displayName: 'Publish Pipeline Artifact'
      inputs:
        targetPath: 'ps-test-cert.crt'
        artifact: test

How can I use it in the Dockerfile?


Solution

  • Okay, here is how I solved my current scenario. As updated in the question, I was able to read the certificate from Key Vault. The next piece was to access the cert within the Dockerfile; since Docker doesn't know the location (because it's not part of the context), it's not able to read the cert. So what I have done is use a copy task to add the cert to the source directory where the Docker context is set. Then Docker is able to see the certificate and access it (because it's now in the Docker context).

    Below is the copy task, if that helps.

    - task: CopyFiles@2
      displayName: 'Copy Files to: $(Build.ArtifactStagingDirectory)'
      inputs:
        Contents: |
          **\ps-test-cert.crt
        TargetFolder: '$(Build.SourcesDirectory)/Source/Logging.API/'


    And in the Dockerfile, I just have to use the name, because it's available in the context.

    COPY ps-test-cert.crt  /usr/local/share/ca-certificates/ps-test-cert.crt
    RUN chmod 644 /usr/local/share/ca-certificates/ps-test-cert.crt
    RUN update-ca-certificates
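The procedure that the question's update and the solution above arrive at (download with az, convert, put the file where the Docker context can see it), written out as an added shell example that is not part of the original question or answer. It is the script an AzureCLI@2 task would run after `az keyvault certificate download ... -f cert.pem` and before the Docker build; the function names, the context directory and the file name are assumptions. It goes slightly beyond the page in two ways a practitioner would want: it keeps the certificate PEM-encoded rather than converting to DER as the update does, because `update-ca-certificates` on Debian/Ubuntu images only processes `*.crt` files under `/usr/local/share/ca-certificates` and concatenates them into the PEM bundle (so the extension-less `ps-test-cert` in the question's first Dockerfile, and a DER body, are both skipped silently); and it refuses to stage anything carrying a private key, since a COPY bakes the file into an image layer, and the same Key Vault certificate downloaded as a secret rather than with `az keyvault certificate download` is the PFX/PEM with the key.

```shell
#!/usr/bin/env bash
# Added example, not code from the original question or answer.
# This is the script an AzureCLI@2 task would run right after
#   az keyvault certificate download --vault-name <vault> -n ps-test-cert -f cert.pem
# and before the Docker build, so the certificate lands in the build
# context in the form update-ca-certificates expects. Every path and
# file name below is an assumption.
set -eu

# Stage a downloaded certificate (PEM or DER, whichever "-e" was passed to
# az keyvault certificate download) into the Docker build context as a
# PEM-encoded <name>.crt, the only form update-ca-certificates on
# Debian/Ubuntu images picks up: it looks at *.crt files under
# /usr/local/share/ca-certificates and concatenates them into the PEM bundle.
#   $1  downloaded certificate file
#   $2  directory that will be the Docker build context
#   $3  file name to create in it (must end in .crt)
# Prints the staged path; returns 1 and writes nothing on any check failure.
stage_ca_cert() {
    local src="$1" context_dir="$2" name="$3" inform dest

    case "$name" in
        *.crt) ;;
        *) echo "refusing: $name must end in .crt" >&2; return 1 ;;
    esac

    # "az keyvault certificate download" returns only the public certificate,
    # but the same Key Vault object downloaded as a *secret* is the PFX/PEM
    # with the private key. A COPY of that would bake the key into an image
    # layer readable by anyone who can pull the image, so refuse it here.
    if grep -q 'PRIVATE KEY' "$src"; then
        echo "refusing: $src contains a private key" >&2; return 1
    fi

    # Detect the encoding by asking openssl to parse it each way; a PFX,
    # a truncated download or an HTML error page fails both and stops the
    # pipeline here instead of silently leaving the CA untrusted at runtime.
    if openssl x509 -inform pem -in "$src" -noout >/dev/null 2>&1; then
        inform=pem
    elif openssl x509 -inform der -in "$src" -noout >/dev/null 2>&1; then
        inform=der
    else
        echo "refusing: $src is not an X.509 certificate" >&2; return 1
    fi

    dest="$context_dir/$name"
    mkdir -p "$context_dir" || return 1
    # Re-encode as PEM (openssl x509's default -outform) into the context.
    openssl x509 -inform "$inform" -in "$src" -out "$dest" 2>/dev/null \
        || { echo "failed to write $dest" >&2; rm -f "$dest"; return 1; }
    chmod 644 "$dest" || return 1
    echo "$dest"
}

# SHA-1 thumbprint of a staged certificate, upper-case hex without colons:
# the same form Key Vault shows for the certificate, so the pipeline can
# compare what reached the build context against what it meant to fetch.
staged_cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed 's/^.*=//; s/://g' | tr '[:lower:]' '[:upper:]'
}

# Typical use inside the pipeline step (the context directory is whatever
# the Docker build task's build context points at; hypothetical path):
#   stage_ca_cert cert.pem "$(Build.SourcesDirectory)/Source/Logging.API" ps-test-cert.crt
```

Run it from the same AzureCLI@2 step that performs the download, then point the Docker build at that directory; the three Dockerfile lines from the solution stay as they are, since the file now exists in the context under the `.crt` name. Two things worth knowing alongside this: `$(ps-test-cert)` in the question's first Dockerfile is Azure Pipelines macro syntax, which is substituted in task inputs only and never inside a file in the repository, so that COPY had nothing to copy; and the Key Vault task exposes the secret as a pipeline variable, not a file, which is why the CLI download plus a copy into the context is needed at all.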