How to load kubernetes ca certs from a native executable?

[etsauer]

I'm having trouble figuring out if its possible for a native executable to load a CA certificate from a kubernetes pod.

I noticed the issue here, #9713, and the resulting document https://quarkus.io/guides/native-and-ssl#build-time-configuration. In the Build Time Configuration section, it does seem to imply that configuring TLS certs at build time is not ideal in certain scenarios, and specifically calls out wanting to dynamically load kubernetes certs from /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, which seems to imply there must be a way to do it, but then in the Runtime Configuration section, the docs are quite sparse.

[quarkus-bot[bot]]

/cc @geoand (kubernetes), @iocanel (kubernetes)

[TartanLeGrand]

I'm running a Quarkus native application in Kubernetes (built with GraalVM >21 and JDK 21) and want to inject internal PEM certificates at runtime via mounted Secrets—without baking them into the image or converting them to PKCS12.

Currently, outbound SSL connections ignore certificates provided at runtime.

Questions:

• How can I configure my Quarkus native executable to load PEM certificates dynamically at runtime?
• Are there recommended configurations or workarounds for this scenario?

Any guidance is appreciated.

[cescoffier]

See https://quarkus.io/guides/tls-registry-reference#using-kubernetes-secrets.