Self-signed certificates are common within enterprise companies. But how do you distribute them and enable their use in Kubernetes as a user and a vendor?

Alex Ellis

When Kubernetes Pods need to communicate with endpoints using self-signed or custom CA certificates, there are several approaches available for both vendors and consumers. Vendors can update application code to load custom certificate bundles (with a Go HTTP client example) or add extra volume mounts to Helm charts. Consumers can fork charts to add volumes, mirror and rebuild images with the certificate baked in (including a multi-stage Dockerfile approach for distroless/SCRATCH images using the incert tool), or use the experimental cert-manager trust-manager CSI integration. The two most practical options are rebuilding images with the cert included or mounting a volume to replace the default trust bundle, each with trade-offs in complexity and maintenance.

What if your Pods need to trust self-signed certificates?