Domino checks for a domino-custom-certificates ConfigMap in the Kubernetes cluster's default namespace. This ConfigMap must have a key named bundle whose value is the plaintext contents of a certificate bundle in PEM format. If the bundle exists, Domino uses the certificates in it to connect to external services.
Domino supports the following certificate types:
- Custom Certificate Authority (CA): certificates that certify the other certificates issued under this authority.
- Self-signed certificates: certificates that do not have a reference to the authority signing them.
The bundle is formatted as a series of concatenated certificates in PEM format. Each certificate must be delimited by the lines
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
with a line break before and after each of these marker lines.
The bundle must contain all the certificates that you would typically use to connect to the private services, including intermediate and root certificates.
Domino includes public certificates, such as DigiCert root certificates, by default so you do not have to include them. Duplicate certificates will not cause any issues.
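The following script is an added example, not part of Domino's documentation or tooling. It validates a PEM bundle the way the rules above describe (balanced BEGIN/END markers on their own lines, base64 bodies, a count of harmless duplicates) and emits the ConfigMap manifest with the name, namespace and key this page specifies. It uses only the Python standard library; the certificate bodies in the sample bundle are constructed placeholders, not real X.509 certificates, so a bundle that passes this check still needs to contain the real intermediate and root certificates for your services.

```python
"""Validate a PEM certificate bundle and build the Domino custom-certificate ConfigMap.

Added example, not Domino's own code. Assumes the ConfigMap name, namespace and
key documented on this page ("domino-custom-certificates", "default", "bundle").
The sample certificate bodies below are constructed placeholders.
"""
import base64
import binascii
import json
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def parse_pem_bundle(text):
    """Split a concatenated PEM bundle into its certificate bodies.

    Raises ValueError when a marker shares a line with other text (Domino
    requires line breaks around the BEGIN/END lines), when markers are
    unbalanced, or when a body is not valid base64. Returns the list of
    base64 bodies with line breaks removed.
    """
    certs = []
    body = None  # None outside a certificate, a list of lines inside one
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if (BEGIN in line or END in line) and line not in (BEGIN, END):
            raise ValueError(f"line {lineno}: marker must be on its own line")
        if line == BEGIN:
            if body is not None:
                raise ValueError(f"line {lineno}: BEGIN without a preceding END")
            body = []
        elif line == END:
            if body is None:
                raise ValueError(f"line {lineno}: END without a preceding BEGIN")
            b64 = "".join(body)
            if not b64:
                raise ValueError(f"line {lineno}: empty certificate body")
            try:
                base64.b64decode(b64, validate=True)
            except binascii.Error as exc:
                raise ValueError(f"line {lineno}: body is not base64: {exc}") from exc
            certs.append(b64)
            body = None
        elif body is not None and line:
            body.append(line)
        # Text between certificates (for example openssl's "subject=" lines) is ignored.
    if body is not None:
        raise ValueError("bundle ends inside a certificate (missing END marker)")
    if not certs:
        raise ValueError("bundle contains no certificates")
    return certs


def is_valid_bundle(text):
    """True when the bundle parses; parse_pem_bundle's ValueError says why otherwise."""
    try:
        parse_pem_bundle(text)
        return True
    except ValueError:
        return False


def duplicate_count(certs):
    """Number of repeated certificates. Domino tolerates duplicates, so this is informational."""
    seen = set()
    dups = 0
    for cert in certs:
        if cert in seen:
            dups += 1
        seen.add(cert)
    return dups


def build_configmap(bundle_text, name="domino-custom-certificates", namespace="default"):
    """Validate the bundle and return the ConfigMap manifest as a dict.

    The bundle is stored as plaintext under the key "bundle", which is what
    Domino reads; it is not base64-encoded the way Secret data would be.
    """
    parse_pem_bundle(bundle_text)  # reject a malformed bundle before it reaches the cluster
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": name, "namespace": namespace},
        "data": {"bundle": bundle_text},
    }


def make_sample_cert(label):
    """Build a placeholder PEM block (constructed; not a real certificate)."""
    b64 = base64.b64encode(f"constructed placeholder {label}".encode() * 4).decode()
    return "\n".join([BEGIN, *textwrap.wrap(b64, 64), END])


# Constructed bundle: a root, an intermediate, and the root repeated once.
SAMPLE_BUNDLE = "\n".join(
    [make_sample_cert("root"), make_sample_cert("intermediate"), make_sample_cert("root")]
) + "\n"

if __name__ == "__main__":
    certs = parse_pem_bundle(SAMPLE_BUNDLE)
    print(f"{len(certs)} certificate(s), {duplicate_count(certs)} duplicate(s)")
    # kubectl accepts JSON manifests, so the output can be piped to: kubectl apply -f -
    print(json.dumps(build_configmap(SAMPLE_BUNDLE), indent=2))
```

Running the script prints the manifest as JSON, which kubectl applies as readily as YAML. Validating locally before applying matters because a bundle with a marker run onto the same line as its body (a common copy-paste error) is not detected by kubectl, and only shows up later as TLS failures against the private service.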
For user executions, all Domino certificates, including public and customer-provided ones, are stored in /etc/ssl/certs/domino-custom.
If you must use custom certificates in a user session, such as to connect to internal Git servers from a Workspace command line, manually reference the certificates in /etc/ssl/certs/domino-custom.
The following are some ways that you can do this:
- Copy the certs from /etc/ssl/certs/domino-custom to /etc/ssl/certs in a compute environment pre-run script.
- Add a Java truststore option such as:
  -Djavax.net.ssl.trustStore=/etc/ssl/certs/domino-custom/cacerts.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=changeme
- Add application-specific configurations, such as setting the GIT_SSL_CAINFO variable for Git or passing the --cacert option for curl.
You can also set these options at runtime or modify the relevant configuration files in the compute environment.