ca-certificates
Allow to avoid certificates splitting into multiple files
Describe the Enhancement
Currently, the buildpack splits the certificate into multiple files when a .pem file contains multiple entries. I would like to introduce an option that will allow us to preserve the original .pem format and ignore splitting behavior.
Possible Solution
The proposed solution is to introduce a new environment variable BP_EMBED_CERTS_SKIP_SPLITTING which will ignore certificate splitting when supplied in the build parameters. I noticed that multi-certificate files are not supported by the helper (https://github.com/paketo-buildpacks/ca-certificates/issues/100) so we can always ignore the BP_EMBED_CERTS_SKIP_SPLITTING value unless BP_RUNTIME_CERT_BINDING_DISABLED is set to a true value.
Motivation
In my scenario, I'm using the ca-certificates buildpack to only add certificates to a layer and make them available during runtime (BP_EMBED_CERTS=true and BP_RUNTIME_CERT_BINDING_DISABLED=true), which is later specified in the sslrootcert PostgreSQL connection parameters. The current splitting behavior makes it difficult to execute certificate rotation, as sslrootcert accepts only a single file value, so preserving multiple certificates will make it easier to perform certificate rotation.
Please let me know if the proposed solution is fine with you. I'm going to work on a PR if this is something you are ready to accept.
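The gating proposed in this issue, sketched as an added example (not the buildpack's code and not the issue author's): a bundle is kept as one file only when both BP_EMBED_CERTS_SKIP_SPLITTING and BP_RUNTIME_CERT_BINDING_DISABLED are true, otherwise it is split per certificate. `PlanCertFiles` and `SampleBundle` are hypothetical names, parsing the variables with `strconv.ParseBool` is an assumption, and the sample bundle holds constructed placeholder bytes rather than real certificates.

```go
package main

import (
	"encoding/pem"
	"fmt"
	"strconv"
)

// PlanCertFiles (hypothetical helper) returns the contents of each file that
// would be written for one input .pem bundle. The two string arguments are the
// raw values of BP_EMBED_CERTS_SKIP_SPLITTING and BP_RUNTIME_CERT_BINDING_DISABLED.
func PlanCertFiles(bundle []byte, skipSplitting, bindingDisabled string) ([][]byte, error) {
	// Assumption: unset or unparsable values count as false.
	skip, _ := strconv.ParseBool(skipSplitting)
	disabled, _ := strconv.ParseBool(bindingDisabled)

	// Always parse the bundle, so a file with no certificates is rejected
	// whether or not it ends up being split.
	var certs [][]byte
	for rest := bundle; ; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type == "CERTIFICATE" {
			certs = append(certs, pem.EncodeToMemory(block))
		}
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks found in bundle")
	}
	// Skip splitting only when the runtime helper is disabled, because the
	// helper does not support multi-certificate files (issue #100).
	if skip && disabled {
		return [][]byte{bundle}, nil
	}
	return certs, nil
}

// SampleBundle builds a constructed two-entry bundle (old CA + new CA during
// a rotation). The payloads are placeholder bytes, not real DER certificates.
func SampleBundle() []byte {
	oldCA := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("constructed-old-ca")})
	newCA := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("constructed-new-ca")})
	return append(oldCA, newCA...)
}

func main() {
	kept, _ := PlanCertFiles(SampleBundle(), "true", "true")
	split, _ := PlanCertFiles(SampleBundle(), "true", "false")
	fmt.Printf("helper disabled: %d file(s); helper enabled: %d file(s)\n", len(kept), len(split))
}
```

With the single-file result, one path can be passed as sslrootcert while both the old and the new CA remain trusted during rotation.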