# Root CA Certificates

To install a root certificate into a container image built with `ko`, you can use one of the following methods.
## incert

`incert` allows you to append CA certificates to an image and push the modified image to a specified registry. `incert` can be run after `ko build` to produce your Go application container image with custom root CA certificates.
### Example

- Build and push your Go application container image using `ko build`
- Append the built image with your custom CA certificate(s) using `incert`
## Custom Base Image

New root certificates can be installed into a custom image using standard OS packages. This custom image can then be used to override the base image for `ko`. Once the Go application container image is built using `ko` with the custom base image, the root certificates installed in the base image will be trusted by the Go application.
### Example

- Make a custom container image with your new root certificates
- Build and push the custom container image to a container registry
- Configure `ko` to override the default base image with the custom image
  OR
- Build the Go app container image with `ko`
## Static Assets

Alternatively, root certificates can be installed into the Go application container image using a combination of `ko` static assets and overriding the default system location for SSL certificates.

Using `ko`'s support for static assets, root certificates can be stored in the `<importpath>/kodata` directory (either checked into the repository, or injected dynamically by a CI pipeline). After running `ko build`, the certificate files are bundled into the built image at the path `$KO_DATA_PATH`.

To enable the Go application to trust the bundled certificate(s), the container runtime or orchestrator (Docker, Kubernetes, etc.) must set the environment variable `SSL_CERT_DIR` to the same value as `KO_DATA_PATH`. Go uses `SSL_CERT_DIR` to determine the directory to check for SSL certificate files. Once this variable is set, the Go application will trust the bundled root certificates in `$KO_DATA_PATH`.
### Example

- Copy the root certificate(s) to the `<importpath>/kodata/` directory
- Build the Go application container image
- Run the Go application container image with `SSL_CERT_DIR` equal to `/var/run/ko` (the default value for `$KO_DATA_PATH`)

A functional client-server example for this can be seen here.