Add Custom Certificate to Helm Chart Installation

Hello Hashicorp colleagues,

I’m running Vault, I really enjoy my setup. It’s deployed using a Helm chart on a Kubernetes cluster. It works just fine.

Recently my boss asked me to test the LDAP connection, but I need to connect to an OpenLDAP server that is signed by a certificate that Vault does not trust. We have managed to get it working on all other platform tooling (using init containers), but Vault is still not an easy thing to do. I know the Vault container runs Alpine, but update-ca-certificates is not available.

How to add a custom root CA certificate to the Vault pod?

The certificate bundle file is located at /etc/ssl/certs/ca-certificates.crt in many Linux distributions, including Alpine and Debian.

The default file contains the usual collection of public CAs.

You can create your own certificate bundle including your private CAs and public CAs if your Vault needs to talk to those, and have Kubernetes mount a configmap over the default /etc/ssl/certs/ directory.

Having double-checked the logic that Go uses to load default certificates:

https://go.dev/src/crypto/x509/root_unix.go
https://go.dev/src/crypto/x509/root_linux.go

it will also read other files besides ca-certificates.crt in /etc/ssl/certs/.
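The procedure in the answer above, written out as an added example (not code from the thread or from HashiCorp): a small POSIX shell script that builds a bundle from the public CA file plus private CA files, refuses malformed PEM input, renders the bundle as a ConfigMap under the key ca-certificates.crt, and prints the Helm values that mount that ConfigMap over /etc/ssl/certs/ in the Vault server pod. The path ./private-ca.pem, the ConfigMap name vault-ca-bundle and the volume name custom-ca are assumptions; the server.volumes and server.volumeMounts keys are the ones exposed by current versions of the hashicorp/vault Helm chart.

```shell
#!/bin/sh
# Added example, not part of the original thread.
set -eu

# count_pem_blocks MARKER FILE: how many lines start with MARKER (0 if none).
count_pem_blocks() {
  grep -c "^-----$1 CERTIFICATE-----" "$2" || true
}

# build_bundle OUT FILE...: concatenate FILEs into OUT, skipping files with no
# certificate, rejecting files with unbalanced BEGIN/END markers, and forcing a
# trailing newline so two blocks are never glued together. Prints the number of
# certificates in the finished bundle.
build_bundle() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    if [ ! -r "$f" ]; then
      echo "skipping $f: not readable" >&2
      continue
    fi
    begins=$(count_pem_blocks BEGIN "$f")
    ends=$(count_pem_blocks END "$f")
    if [ "$begins" -eq 0 ]; then
      echo "skipping $f: no PEM certificate found" >&2
      continue
    fi
    if [ "$begins" -ne "$ends" ]; then
      echo "refusing $f: $begins BEGIN vs $ends END markers" >&2
      return 1
    fi
    # awk re-emits every line with a newline, even if the file lacks a final one
    awk '{ print }' "$f" >> "$out"
  done
  count_pem_blocks BEGIN "$out"
}

# emit_configmap NAME BUNDLE: ConfigMap whose single key is the file name Go and
# the Alpine image expect, ca-certificates.crt (CA certs are public, so a
# ConfigMap rather than a Secret is appropriate).
emit_configmap() {
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\ndata:\n  ca-certificates.crt: |\n' "$1"
  sed 's/^/    /' "$2"
}

# emit_helm_values CONFIGMAP: values.yaml fragment for the hashicorp/vault chart.
# Mounting over the whole directory replaces the image's /etc/ssl/certs/ with the
# ConfigMap contents, which is why the bundle must also carry the public CAs.
emit_helm_values() {
  cat <<EOF
server:
  volumes:
    - name: custom-ca
      configMap:
        name: $1
  volumeMounts:
    - name: custom-ca
      mountPath: /etc/ssl/certs/
      readOnly: true
EOF
}

# main [PRIVATE_CA...]: build ./ca-bundle.crt from the host's public bundle plus
# the given private CA files (default ./private-ca.pem, an assumed path), then
# write the manifests next to it.
main() {
  [ "$#" -gt 0 ] || set -- ./private-ca.pem
  n=$(build_bundle ./ca-bundle.crt /etc/ssl/certs/ca-certificates.crt "$@")
  echo "ca-bundle.crt contains $n certificates" >&2
  emit_configmap vault-ca-bundle ./ca-bundle.crt > ./vault-ca-configmap.yaml
  emit_helm_values vault-ca-bundle > ./vault-ca-values.yaml
}

# Only run end to end when invoked with arguments, so the functions can be
# sourced or tested on their own.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Apply the ConfigMap in the Vault namespace, then pass the values file on helm upgrade (for example helm upgrade vault hashicorp/vault -n vault -f vault-ca-values.yaml) and restart the server pods; openssl s_client -CAfile ca-bundle.crt against the OpenLDAP port is a quick way to confirm the bundle trusts the LDAP server before rolling it out.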