Set up Truststore for Release
This topic describes how to set up a truststore that holds the trusted certificates used to verify the identities of parties in a secure communication. Truststores can be in various formats; Java KeyStore (JKS) and PKCS#12 are supported here.
How to Set up Truststore
- Create a truststore with some certificates by running the following command:
keytool -import -trustcacerts -storetype pkcs12 -keystore truststore.pkcs12 \
-storepass test123 -noprompt -file dev.digitalai.cloud.cer -alias digitalai
# check the content of the keystore
keytool -list -keystore truststore.pkcs12 -storepass test123
- Create a secret from the truststore file by running the following command:
kubectl create secret generic truststore.pkcs12 \
--from-file=truststore.pkcs12 -n digitalai
- Update the CR file with the following configuration:
Note: pkcs12 is the default type.
Prepare a patch file (truststore-patch.yaml) that references the secret you just created:
spec:
  truststore:
    password: "test123"
    truststore:
      valueFrom:
        secretKeyRef:
          name: truststore.pkcs12
          key: truststore.pkcs12
Check the detailed documentation for each key in the release-helm-chart values.
- For Release in the digitalai namespace, run the following command to patch the CR:
kubectl patch -n digitalai digitalaireleases.xlr.digital.ai dai-xlr \
--type=merge --patch-file truststore-patch.yaml
- The Release pods are automatically restarted.
- The CR yaml file will now have a new section from the truststore-patch.yaml.
kubectl get Digitalaireleases dai-xlr -n digitalai -o yaml | yq '.spec.truststore'
- Release pods will have new environment variables with the javax.net.ssl setup.
bash-4.2$ echo $XL_RELEASE_SERVER_OPTS
-Djavax.net.ssl.trustStore=/opt/xebialabs/xl-release-server/truststore/truststore.pkcs12 -Djavax.net.ssl.trustStorePassword=test123 -Djavax.net.ssl.trustStoreType=pkcs12
- The file referenced as the truststore is in the Release pod.
bash-4.2$ ls /opt/xebialabs/xl-release-server/truststore/truststore.pkcs12
/opt/xebialabs/xl-release-server/truststore/truststore.pkcs12
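The last two checks above can be scripted. The following is an added example, not part of the original page or of the Digital.ai tooling: it parses the javax.net.ssl options out of an XL_RELEASE_SERVER_OPTS value and confirms that all three are present, that the store type is the expected one, and that the referenced file exists and is not empty. The function names jvm_prop and check_truststore_opts and the SAMPLE_OPTS variable are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not Digital.ai code). SAMPLE_OPTS is constructed from the
# XL_RELEASE_SERVER_OPTS output shown on this page.
SAMPLE_OPTS='-Djavax.net.ssl.trustStore=/opt/xebialabs/xl-release-server/truststore/truststore.pkcs12 -Djavax.net.ssl.trustStorePassword=test123 -Djavax.net.ssl.trustStoreType=pkcs12'

# jvm_prop OPTS NAME: print the value of -DNAME=... from a space-separated
# options string (last occurrence wins); return 1 if the option is absent.
# Assumption: values contain no spaces, as in the output above.
jvm_prop() {
  case " $1" in
    *" -D$2="*) ;;
    *) return 1 ;;
  esac
  local rest
  rest=${1##*-D"$2"=}          # text after the last "-DNAME="
  printf '%s\n' "${rest%% *}"  # cut at the next option, if any
}

# check_truststore_opts OPTS [TYPE]: print one line per problem found and
# return 1 if there is any. TYPE defaults to pkcs12, the chart default.
check_truststore_opts() {
  local opts="$1" want="${2:-pkcs12}" store="" stype="" rc=0
  store=$(jvm_prop "$opts" javax.net.ssl.trustStore) \
    || { echo "MISSING trustStore"; rc=1; }
  stype=$(jvm_prop "$opts" javax.net.ssl.trustStoreType) \
    || { echo "MISSING trustStoreType"; rc=1; }
  jvm_prop "$opts" javax.net.ssl.trustStorePassword >/dev/null \
    || { echo "MISSING trustStorePassword"; rc=1; }
  # The configured type must match the format the truststore was created in.
  [ -z "$stype" ] || [ "$stype" = "$want" ] \
    || { echo "TYPE $stype, expected $want"; rc=1; }
  # The secret must actually be mounted: the file exists and is not empty.
  [ -z "$store" ] || [ -s "$store" ] \
    || { echo "NOFILE $store"; rc=1; }
  return "$rc"
}

# Inside a Release pod the variable is set; anywhere else this is a no-op.
if [ -n "${XL_RELEASE_SERVER_OPTS:-}" ]; then
  check_truststore_opts "$XL_RELEASE_SERVER_OPTS" pkcs12 || exit 1
fi
```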