Allow to avoid certificates splitting into multiple files

[Infra-Red]

Describe the Enhancement

Currently, builpdack splits the certificate into multiple files when a .pem file contains multiple entries. I would like to introduce an option that will allow us to preserve the original .pem format and ignore splitting behavior.

Possible Solution

The proposed solution is to introduce a new environment variable BP_EMBED_CERTS_SKIP_SPLITTING which will ignore certificate splitting when supplied in the build parameters. I noticed that multi-certificates file is not supported by helper (#100) so we can always ignore BP_EMBED_CERTS_SKIP_SPLITTING value unless BP_RUNTIME_CERT_BINDING_DISABLED is set a true value.

Motivation

In my scenario, I'm using ca-certificates buildpack to only add certificates to a layer and make them available during runtime (BP_EMBED_CERTS=true and BP_RUNTIME_CERT_BINDING_DISABLED=true) which is later specified in sslrootcert PostgreSQL connection parameters. Current splitting behavior makes it difficult to execute certificate rotation as sslrootcert accepts only a single file value so preserving multiple certificates will make it easier to perform certificate rotation.

---

Please let me know if the proposed solution is fine with you. I'm going to work on PR If this is something you are ready to accept.

[dmikusa]

The ca-certificates buildpack is intended to import and format certificates in a way that OpenSSL can natively read them. Can you expand on your use case? Is your application using system certificates? or is it referencing a certificate file specifically? I'm trying to understand if you care that your certs are part of the system certificates or if you are just trying to embed certs into the container. Thanks

[Infra-Red]

Hi @dmikusa!

or if you are just trying to embed certs into the container

This ☝️ My goal is to embed the certs into a container and make them available during the runtime as my application configuration does not rely on the system keystore but reads a .pem file from the filesystem.

[dmikusa]

Hi @dmikusa!

or if you are just trying to embed certs into the container

This ☝️ My goal is to embed the certs into a container and make them available during the runtime as my application configuration does not rely on the system keystore but reads a .pem file from the filesystem.

This particular buildpack is focused on putting certs into the system cert chain. I worry that this would be getting away from that core purpose. I'm not saying we can't add this, but I'd like to explore other options first.

Is there a reason you need it in a layer or were you just using that because ca-certificates put the certs there? Could you put it in the app directory instead? Getting files into the app directory is going to be easier and they will end up in the image too.

Also, what language is your app?

Thanks

[itachigit]

Hey @dmikusa,

Also, what language is your app?

it's a Java app, we run its jar archive and we have little to no control over making a change in the archive. That's why we sought this buildpack.

were you just using that because ca-certificates put the certs there

☝️ this. We just need the .pem file as it is available in the binding, and inject it in some directory (layers directory in this case).

[dmikusa]

Sorry for the delay. One thing you might try here is to just create a small custom buildpack. The buildpack can add the cert files you need in the location you need them. You could even embed your certs into the buildpack, so the buildpack is self contained and just writes out the certs.

It might seem difficult, but you can put one together with just a couple bash scripts. There is a nice walk through available here.

You can also use an inline buildpack which will be very similar but it's placed in the application's project.toml file. It's a little less overhead, but it's a little more pain if you need to use it across multiple apps.