Version: Deploy 24.1

Set up Truststore for Deploy

This topic describes how to set up a truststore, which stores the trusted certificates used to verify the identities of parties in a secure communication. Truststores can be in various formats; Java KeyStore (JKS) and PKCS#12 are supported here.

How to Set up Truststore

  1. Create a truststore with some certificates by running the following command:

         keytool -import -trustcacerts -storetype pkcs12 -keystore truststore.pkcs12 \
           -storepass test123 -noprompt -file dev.digitalai.cloud.cer -alias digitalai
         # check the content of the keystore
         keytool -list -keystore truststore.pkcs12 -storepass test123

  2. Create a secret from the truststore file by running the following command:

         kubectl create secret generic truststore.pkcs12 \
           --from-file=truststore.pkcs12 -n digitalai

  3. Update the CR file with the following configuration:

Note: pkcs12 is the default type.

Prepare a patch file (truststore-patch.yaml) that references the secret you just created:

    spec:
      truststore:
        password: "test123"
        truststore:
          valueFrom:
            secretKeyRef:
              name: truststore.pkcs12
              key: truststore.pkcs12

For detailed documentation on each key, see the deploy-helm-chart values.

  4. For Deploy in the digitalai namespace, run the following command to patch the CR:

         kubectl patch -n digitalai digitalaideploys.xld.digital.ai dai-xld \
           --type=merge --patch-file truststore-patch.yaml

  5. To apply the changes, restart the Deploy pods:

         kubectl delete sts dai-xld-digitalai-deploy-master -n digitalai
         kubectl delete sts dai-xld-digitalai-deploy-worker -n digitalai

  6. The CR YAML now has a new section that comes from truststore-patch.yaml:

         kubectl get Digitalaideploys dai-xld -n digitalai -o yaml | yq '.spec.truststore'

  7. The Master and Worker pods now have new environment variables with the javax.net.ssl setup:

         bash-4.2$ echo $DEPLOYIT_SERVER_OPTS_EXT
         -Djavax.net.ssl.trustStore=/opt/xebialabs/xl-deploy-server/truststore/truststore.pkcs12 -Djavax.net.ssl.trustStorePassword=test123 -Djavax.net.ssl.trustStoreType=pkcs12

  8. The file referenced as the truststore is present in the Master and Worker pods:

         bash-4.2$ ls /opt/xebialabs/xl-deploy-server/truststore/truststore.pkcs12
         /opt/xebialabs/xl-deploy-server/truststore/truststore.pkcs12
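
The last steps only confirm that a truststore file exists in the pod. The following script is an added example, not part of the Digital.ai documentation, that checks by SHA-256 that the Secret and the mounted file are byte-for-byte the truststore built in step 1. It assumes the pod name `dai-xld-digitalai-deploy-master-0` (first replica of the master StatefulSet) and that `printenv` and `cat` are available in the container.

```bash
#!/usr/bin/env bash
# Added example: check that the truststore reached the cluster unchanged.
# Namespace, secret name and variable name come from the steps above.
NS=digitalai
SECRET=truststore.pkcs12
POD=dai-xld-digitalai-deploy-master-0   # assumption: <statefulset-name>-0

sha256_of() { sha256sum | cut -d' ' -f1; }   # hash stdin, print the hex digest only

# Print the value of one -Dname=value option from a JVM options string.
jvm_opt() {  # usage: jvm_opt "<options>" <name>
  local opt
  for opt in $1; do
    case "$opt" in "-D$2="*) printf '%s\n' "${opt#-D"$2"=}"; return 0 ;; esac
  done
  return 1
}

# Succeed when base64-encoded Secret data decodes to exactly the given file.
secret_matches_file() {  # usage: secret_matches_file <base64-data> <file>
  [ "$(printf '%s' "$1" | base64 -d | sha256_of)" = "$(sha256_of < "$2")" ]
}

# Compare local file, Secret and mounted file; run by hand against a live cluster.
verify_truststore() {  # usage: verify_truststore <local-truststore-file>
  local data opts path
  # Dots in the Secret key name must be escaped in the jsonpath expression.
  data=$(kubectl get secret "$SECRET" -n "$NS" -o 'jsonpath={.data.truststore\.pkcs12}') || return 1
  secret_matches_file "$data" "$1" || { echo "Secret differs from $1" >&2; return 1; }
  opts=$(kubectl exec -n "$NS" "$POD" -- printenv DEPLOYIT_SERVER_OPTS_EXT) || return 1
  path=$(jvm_opt "$opts" javax.net.ssl.trustStore) || { echo "trustStore not set" >&2; return 1; }
  [ "$(kubectl exec -n "$NS" "$POD" -- cat "$path" | sha256_of)" = "$(sha256_of < "$1")" ] \
    || { echo "Mounted $path differs from $1" >&2; return 1; }
  echo "OK: Secret and $path match $1"
}
```

Source the script and run `verify_truststore truststore.pkcs12` from the directory that holds the file created in step 1; a mismatch means the pods are trusting a different certificate set than the one you reviewed with `keytool -list`.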