I'm developing a .NET 6 application that allows the user to configure the integration with an external LDAP, possibly using SSL. I'm trying to set up a container image to distribute the application, but I'm having trouble allowing the user to inject custom certificates inside the running container without using volumes and without root privileges.
As of now I was able to achieve the expected result using volumes and root privileges:
- a volume mounted at /usr/local/share/ca-certificates containing the certificates
- running update-ca-certificates
Is it possible to allow the user to inject/provide custom certificates without using volumes (env vars maybe?) while removing root privileges in the container?
I'm also open to solutions that may imply code development on the .NET application, but from my understanding the .NET LDAP implementation simply lets the underlying native library handle the certificate validation (Source).
I was able to achieve what I wanted without modifying any application code:
- write the content of $CUSTOM_CERT_1 to /app/certs/custom_cert_1.cer
- run c_rehash /app/certs, since it is needed for libldap to work with the custom certificates
- set LDAPTLS_CACERTDIR=/app/certs so that the custom certificate is picked up for LDAPS certificate validation
This way no volume and no root privileges are needed.
Final startup.sh script example:
#!/bin/sh
# Directory the custom certificates are written to (must be writable by the runtime user)
mkdir -p /app/certs
found_var=false
# Look for CUSTOM_CERT_1 .. CUSTOM_CERT_9 in the environment
for i in $(seq 1 9); do
var_name="CUSTOM_CERT_$i"
# Indirect expansion: read the value of the variable whose name is in $var_name
eval var_value=\$$var_name
if [ ! -z "$var_value" ]; then
found_var=true
# Store the PEM content as its own file in the certificate directory
echo "$var_value" > /app/certs/custom_cert_$i.cer
fi
done
if [ "$found_var" = true ]; then
# Create the <hash>.N links OpenSSL expects in a CA directory
c_rehash /app/certs
# libldap reads TLS_CACERTDIR from this LDAP-prefixed environment variable
export LDAPTLS_CACERTDIR=/app/certs
fi
dotnet MyApp.dll
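The following is an added example, not the answer's script or the project's code. It follows the same procedure (environment variable to PEM file, rehash, LDAPTLS_CACERTDIR) but validates each value with openssl before trusting it, accepts base64-encoded PEM for environments that cannot carry multi-line values (for example docker --env-file), prefers openssl rehash over the Perl-based c_rehash, and falls back to creating the hash links by hand. The variable names CUSTOM_CERT_1..9, CERT_DIR and INSTALLED_COUNT and all function names are this example's own choices; it assumes the image has the openssl binary and a base64 command.

```shell
#!/bin/sh
# Added example (not the original answer's startup.sh). Assumes: openssl and base64
# are present in the image; CUSTOM_CERT_n, CERT_DIR and the function names are
# this example's own conventions.

CERT_DIR="${CERT_DIR:-/app/certs}"   # must be writable by the unprivileged runtime user

# write_cert_from_env VAR DEST
# Accepts raw PEM or base64-encoded PEM and keeps the file only if openssl can parse it.
# Returns 1 if VAR is unset/empty, 2 if it is set but is not a usable certificate.
write_cert_from_env() {
    name="$1"; dest="$2"
    # $name is built from a fixed loop index, never from user input, so eval is safe here
    eval "value=\${$name:-}"
    [ -n "$value" ] || return 1
    case "$value" in
        *"-----BEGIN CERTIFICATE-----"*) printf '%s\n' "$value" > "$dest" ;;
        *) printf '%s' "$value" | base64 -d > "$dest" 2>/dev/null ;;
    esac
    if ! openssl x509 -noout -in "$dest" >/dev/null 2>&1; then
        echo "warning: $name is not a PEM certificate, ignoring it" >&2
        rm -f "$dest"
        return 2
    fi
    chmod 0444 "$dest"
}

# rehash_dir DIR
# Creates the <subject_hash>.N links that OpenSSL (and therefore libldap) looks up
# in a CA directory. 'openssl rehash' needs only the openssl binary; the fallback
# does by hand what c_rehash does, for builds that lack the rehash subcommand.
rehash_dir() {
    dir="$1"
    openssl rehash "$dir" >/dev/null 2>&1 && return 0
    for f in "$dir"/*.cer; do
        [ -f "$f" ] || continue
        h=$(openssl x509 -noout -subject_hash -in "$f") || return 1
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$f")" "$dir/$h.$n" || return 1
    done
}

# install_custom_certs DIR
# Collects CUSTOM_CERT_1..CUSTOM_CERT_9 into DIR, rehashes it and points libldap at it.
# Sets INSTALLED_COUNT to the number of certificates accepted. When none were
# supplied, LDAPTLS_CACERTDIR is left untouched so libldap keeps its default behaviour.
install_custom_certs() {
    dir="$1"
    INSTALLED_COUNT=0
    mkdir -p "$dir" || return 1
    for i in 1 2 3 4 5 6 7 8 9; do
        if write_cert_from_env "CUSTOM_CERT_$i" "$dir/custom_cert_$i.cer"; then
            INSTALLED_COUNT=$((INSTALLED_COUNT + 1))
        fi
    done
    [ "$INSTALLED_COUNT" -gt 0 ] || return 0
    rehash_dir "$dir" || return 1
    export LDAPTLS_CACERTDIR="$dir"
}

# Entrypoint use: startup.sh dotnet MyApp.dll  (the command to run is passed as arguments)
if [ $# -gt 0 ]; then
    install_custom_certs "$CERT_DIR" || { echo "certificate setup failed" >&2; exit 1; }
    exec "$@"
fi
```

Two caveats worth keeping in mind with this approach. The certificate directory has to be writable by the non-root user the container runs as, so create it (or chown it) in the Dockerfile rather than relying on mkdir at runtime in a root-owned /app. And once TLS_CACERTDIR is configured, libldap loads its trust anchors from the configured location(s) instead of the default system paths, so every CA in the LDAP server's chain must be supplied this way; if rehashing is unwanted, concatenating all PEM certificates into one bundle file and exporting LDAPTLS_CACERT with its path is an equivalent alternative.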