ca-certificates

Allow to avoid certificates splitting into multiple files

Open Infra-Red opened this issue 7 months ago • 8 comments

Describe the Enhancement

Currently, the buildpack splits the certificate into multiple files when a .pem file contains multiple entries. I would like to introduce an option that will allow us to preserve the original .pem format and ignore splitting behavior.

Possible Solution

The proposed solution is to introduce a new environment variable, BP_EMBED_CERTS_SKIP_SPLITTING, which will ignore certificate splitting when supplied in the build parameters. I noticed that multi-certificate files are not supported by the helper (https://github.com/paketo-buildpacks/ca-certificates/issues/100), so we can always ignore the BP_EMBED_CERTS_SKIP_SPLITTING value unless BP_RUNTIME_CERT_BINDING_DISABLED is set to a true value.

Motivation

In my scenario, I'm using the ca-certificates buildpack only to add certificates to a layer and make them available during runtime (BP_EMBED_CERTS=true and BP_RUNTIME_CERT_BINDING_DISABLED=true), which is later specified in the sslrootcert PostgreSQL connection parameters. The current splitting behavior makes it difficult to execute certificate rotation, as sslrootcert accepts only a single file value, so preserving multiple certificates will make it easier to perform certificate rotation.


Please let me know if the proposed solution is fine with you. I'm going to work on a PR if this is something you are ready to accept.

Infra-Red, Jan 03 '24 18:01
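
The gating rule and the split-versus-preserve behaviour discussed in this issue, as an added Go example that is not the buildpack's own code. The function names and the truthiness check are assumptions, and the bundle holds constructed placeholder bytes rather than real certificates.

```go
package main

import (
	"bytes"
	"encoding/pem"
	"fmt"
	"strings"
)

// isTrue is a simplified truthiness check (assumption, not the buildpack's parser).
func isTrue(v string) bool {
	v = strings.ToLower(strings.TrimSpace(v))
	return v == "1" || v == "t" || v == "true"
}

// SkipSplitting applies the rule proposed in the issue: the skip flag only
// counts when the runtime helper is disabled.
func SkipSplitting(env map[string]string) bool {
	return isTrue(env["BP_EMBED_CERTS_SKIP_SPLITTING"]) &&
		isTrue(env["BP_RUNTIME_CERT_BINDING_DISABLED"])
}

// LayerFiles returns the contents of each file one input .pem would produce.
func LayerFiles(bundle []byte, env map[string]string) [][]byte {
	if SkipSplitting(env) {
		return [][]byte{bundle} // preserved: one file, usable as sslrootcert
	}
	var files [][]byte
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" {
			files = append(files, pem.EncodeToMemory(block))
		}
	}
	return files
}

// SampleBundle is constructed input: two PEM entries with placeholder bytes,
// not real certificates (pem.Decode does not parse the DER payload).
func SampleBundle() []byte {
	var buf bytes.Buffer
	for _, body := range []string{"constructed-old-root", "constructed-new-root"} {
		_ = pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: []byte(body)})
	}
	return buf.Bytes()
}

func main() {
	both := map[string]string{"BP_EMBED_CERTS_SKIP_SPLITTING": "true", "BP_RUNTIME_CERT_BINDING_DISABLED": "true"}
	fmt.Println("default:", len(LayerFiles(SampleBundle(), nil)), "file(s)")
	fmt.Println("skip+helper disabled:", len(LayerFiles(SampleBundle(), both)), "file(s)")
}
```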