
Don’t deploy your certificates with docker. That’s not to say: Don’t give your web servers running in docker certificates, but that you shouldn’t distribute certificates with your docker images. The Private Key/Certificate pair should be added at runtime. How it gets there is specific to your management framework.

To give a specific example, on Kubernetes you store your Private Key and Certificate as a secret (there’s a special “type” of secret for this, but K8s doesn’t actually treat it any differently). You then mount that certificate as a volume (in /var/run/secrets/tls, or wherever you define it), and it shows up as a normal file, accessible to whichever user your container runs as.
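The pattern described in that comment, written out as an added example (these manifests are not from the comment or from any project; the namespace `web`, the secret name `web-tls`, the image `example.org/web:1.0` and the uid/gid `10001` are illustrative assumptions). The key and certificate are created from PEM files at deploy time, so nothing sensitive is baked into the image:

```yaml
# Added example, not code from the original thread.
# Create the secret out of band, e.g. with the stock kubectl helper
# (the files are assumed to exist on the operator's machine):
#   kubectl -n web create secret tls web-tls --cert=tls.crt --key=tls.key
# "kubectl create secret tls" produces exactly this object:
apiVersion: v1
kind: Secret
metadata:
  name: web-tls
  namespace: web
type: kubernetes.io/tls      # conventional type; the keys must be tls.crt and tls.key
# data: tls.crt / tls.key are filled in by the command above (base64 PEM); never commit them
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001       # assumed non-root uid of the server process
        fsGroup: 10001         # secret files are root-owned; fsGroup makes them readable by this gid
      containers:
      - name: web
        image: example.org/web:1.0   # assumed image; it reads the two files below
        args:
        - --tls-cert=/var/run/secrets/tls/tls.crt
        - --tls-key=/var/run/secrets/tls/tls.key
        volumeMounts:
        - name: tls
          mountPath: /var/run/secrets/tls
          readOnly: true       # the process never needs to write the key material
      volumes:
      - name: tls
        secret:
          secretName: web-tls
          defaultMode: 0440    # owner/group read only instead of the 0644 default
```

`defaultMode` and `fsGroup` together keep the files off the "world-readable" default while still letting the unprivileged server user open them. Rotating the certificate means replacing the Secret; the kubelet refreshes the mounted files, so whether the server picks up the new pair without a restart depends on whether it re-reads them.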



thanks!

So for clarity then, if somebody shells into the container - at that point it's still sitting there mounted and they can read the file? Or does k8s somehow manage this in a way that only the web server process can see it? Or do we just accept that you have to treat anyone with access to kubectl as authorised to know your private cert?


> at that point it's still sitting there mounted and they can read the file?

Yes, if someone has exec access into your container, they'll be able to see the secret, unless you do something like making the K8s secret an already encrypted blob, and then in process decrypting it again and reading it. If someone's got exec access to your container though, you've got bigger problems.

> Or do we just accept that you have to treat anyone with access to kubectl as authorised to know your private cert?

You can set up access so that someone can log in with kubectl but still only be read-only, and you can preclude read ("get") access to secrets from the read-only role, so they won't be able to view the contents of the secret.


There’s a default “view” clusterrole (don’t let the name fool you - you can bind it in a namespace with a RoleBinding instead of ClusterRoleBinding and provide view only for that namespace) that K8s defines, that specifically excludes read permissions on secrets. Use that.
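The two comments above, as an added example (not from the thread): binding the built-in `view` ClusterRole with a namespaced RoleBinding, next to a hand-rolled read-only Role that simply never grants secrets. The namespace `web` and the user `alice@example.org` are illustrative assumptions. Because Kubernetes RBAC is allow-only, "excluding" secrets means leaving them out of the rules, not writing a deny rule:

```yaml
# Added example, not code from the original thread.
# Option 1: reuse the built-in "view" ClusterRole, scoped to one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-view
  namespace: web                  # the binding is namespaced, so "view" applies here only
subjects:
- kind: User
  name: alice@example.org         # assumed subject
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole               # a ClusterRole can be referenced by a namespaced RoleBinding
  name: view                      # built-in; read access to most resources, no secrets
  apiGroup: rbac.authorization.k8s.io
---
# Option 2: an explicit read-only Role. Note what is absent: no "secrets",
# and no "create" on "pods/exec", so the holder can neither read the Secret
# object nor shell into the pod and read the mounted file.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: readonly-no-secrets
  namespace: web
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "services", "configmaps", "endpoints"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets", "statefulsets"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-readonly
  namespace: web
subjects:
- kind: User
  name: alice@example.org
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: readonly-no-secrets
  apiGroup: rbac.authorization.k8s.io
# Verify the effective permissions by impersonating the user, e.g.:
#   kubectl auth can-i get secrets -n web --as alice@example.org        # expected: no
#   kubectl auth can-i create pods/exec -n web --as alice@example.org   # expected: no
#   kubectl auth can-i get pods -n web --as alice@example.org           # expected: yes
```

Check `pods/exec` as well as `secrets` when reviewing a role: as the earlier reply notes, anyone who can exec into the container can read the mounted key regardless of whether they can `get` the Secret through the API.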



