How do I get a certificate/key into a container?

Perry The Cynic

Dabbler | Joined Aug 15, 2023 | Messages: 34
I think I've figured out how to make certificates (and CAs) in TrueNAS SCALE.

Now I'm trying to figure out how to get a key and certificate I made into a container (made via the "Launch Docker Image" button). If this was plain Kubernetes, I'd just make a volume mapping that puts a secret into a file inside the container. But this is TrueNAS, and I see no facility for mapping certificates-in-TrueNAS to container files... or, for that matter, to anything else. I see the button for retrieving the generated key and certificate, but that can't be it, can it?

To make this very concrete, the "registry" container allows me to specify TLS operation by configuring a file path (inside the container) for the TLS key and certificate files. How do I make this container use a key/certificate generated in TrueNAS? (Specifically one that I obtained from Let's Encrypt's ACME service via DNS authorization.)

Apologies if this is obvious to experts. I'm new around here, so I'm still trying to find my way around...

Cheers
-- perry
 

danb35

Hall of Famer | Joined Aug 16, 2011 | Messages: 15,504
> I see no facility for mapping certificates-in-TrueNAS to container files
I don't believe there is any such facility--TrueNAS' ACME cert feature is really only intended to obtain a cert for the NAS itself (TrueCharts at one time supported using that cert for its apps, but this is no longer the case; I don't believe this was ever supported for the "official" apps). It's possible the cert could be extracted using the API and placed into the filesystem, but I wouldn't really know where to start there. If you're wanting a cert for a container's web interface, the general way to do that is to put the container behind a reverse proxy (e.g., Traefik or Nginx Proxy Manager), and let that proxy handle TLS termination.

Otherwise, the thing to do would be to put, e.g., acme.sh somewhere on your system, use it to get the desired cert, and put that cert into whatever host path you have set up for your container.
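
The "place the cert into a host path" step discussed above, as an added example that is not part of the original thread and is not TrueNAS code. It assumes the certificate records arrive as JSON shaped like the output of `midclt call certificate.query`, with `name`, `certificate` and `privatekey` fields holding PEM text; the record name, file names and sample data are hypothetical.

```python
import json
import os
import tempfile

# Constructed sample input; field names are an assumption, PEM bodies are placeholders.
SAMPLE_QUERY_JSON = json.dumps([{
    "name": "le-registry",
    "certificate": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    "privatekey": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
}])

def _write_atomic(path, data, mode):
    """Replace path with data via temp file + rename; return True if content changed."""
    try:
        with open(path, "rb") as fh:
            if fh.read() == data:
                os.chmod(path, mode)  # unchanged content, but still enforce the mode
                return False
    except FileNotFoundError:
        pass
    # mkstemp creates the file with mode 0600, so the key is never briefly world-readable
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, path)  # atomic: the container never sees a half-written file
    except BaseException:
        os.unlink(tmp)
        raise
    return True

def install_cert(query_json, name, dest_dir):
    """Write the named cert/key into dest_dir; return True if anything changed."""
    matches = [r for r in json.loads(query_json) if r.get("name") == name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one certificate named {name!r}")
    cert, key = matches[0].get("certificate"), matches[0].get("privatekey")
    if not cert or "BEGIN CERTIFICATE" not in cert:
        raise ValueError("record has no PEM certificate")
    if not key or "PRIVATE KEY" not in key:
        raise ValueError("record has no PEM private key")
    os.makedirs(dest_dir, mode=0o750, exist_ok=True)
    changed = _write_atomic(os.path.join(dest_dir, "tls.crt"), cert.encode(), 0o644)
    changed |= _write_atomic(os.path.join(dest_dir, "tls.key"), key.encode(), 0o600)
    return changed
```

Mount `dest_dir` into the container as a read-only host path and point the registry's TLS certificate and key settings at the two files; a `True` return after a renewal is the signal to restart the container so it reloads the new pair.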
 

Perry The Cynic

So TrueNAS SCALE really has no machinery for managing secrets for its apps? No interface to Docker secrets, no interface to Kubernetes secrets?

Is there any document out there describing how iXsystems thinks these pieces should fit together? Is that on a feature list somewhere, or are we on our own? I realize that TrueCharts has basically decided to use (their own version of) the k8s certificate manager for this...

Cheers
-- perry
 

danb35

> Is there any document out there describing how iXsystems thinks these pieces should fit together?
I haven't seen any evidence that iX has any concept of these pieces fitting together.
 