Here are the steps to add this certificate to the trusted root CA store:

1. Add the certificate to a ConfigMap:

Let's say your PEM file is my-cert.pem; then:

kubectl -n <namespace-for-config-map-optional> create configmap ca-pemstore --from-file=my-cert.pem

2. Mount the ConfigMap as a volume at the existing CA root location of the container:

Mount that ConfigMap's file one-to-one (file to file) in the volumeMounts section, under the directory /etc/ssl/certs/, for example:

apiVersion: v1
kind: Pod
metadata:
  name: cacheconnectsample
spec:
  containers:
  - name: cacheconnectsample
    image: cacheconnectsample:v1
    volumeMounts:
    - name: ca-pemstore
      mountPath: /etc/ssl/certs/my-cert.pem
      subPath: my-cert.pem
      readOnly: false
    ports:
    - containerPort: 80
    command: [ "dotnet" ]
    args: [ "cacheconnectsample.dll" ]
  volumes:
  - name: ca-pemstore
    configMap:
      name: ca-pemstore

What this does: alongside all the existing certificates in the pod's CA root directory, it adds your .pem file as well. It is partially similar to the update-ca-certificates command, except that no symbolic links are created and no certificate text is appended to ca-certificates.crt; but that's fine, it will still work the same way and no additional changes are required.

Note: If you do not map file to file via the ConfigMap but instead map the volume to a directory in the YAML, you will end up mounting the ConfigMap as a directory at /etc/ssl/certs/, which will add your .pem file but will wipe out all existing certificates from the store.

Now, if you deploy this pod and open bash or sh in it:

kubectl -n <namespace-optional> exec -it <pod-name> -c <container-name-optional> bash

and look for your certificate, you should see it:

ls /etc/ssl/certs | grep my-cert

It is a good idea to check the count of all certificates, just to validate that you mounted the volume correctly and didn't wipe out the existing certs; the count should be in the hundreds.

ls /etc/ssl/certs | wc -l

With these changes we are good to go: applications in this pod that rely on this certificate can now be used, and the trusted root CA store will automatically take care of certificate validation.
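The two checks above (certificate present, existing store not wiped) combined into one function to run inside the container, as an added example that is not part of the original post. The function names, exit codes and the default minimum of 100 entries are assumptions of this example; make_fake_store only builds constructed placeholder files so the check can be tried outside a cluster.

```shell
#!/bin/sh
# check_ca_mount DIR CERT_FILE [MIN_COUNT]
# Exit codes (chosen for this example):
#   0 = certificate present and the existing store is intact
#   1 = certificate file missing, empty, or not PEM
#   2 = certificate present but the store was shadowed by a directory mount
#   3 = store directory does not exist
check_ca_mount() {
    dir=$1; cert=$2; min=${3:-100}   # the count "should be in the hundreds"
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory" >&2; return 3; }
    if [ ! -s "$dir/$cert" ] ||
       ! grep -q -- '-----BEGIN CERTIFICATE-----' "$dir/$cert"; then
        echo "FAIL: $dir/$cert is missing, empty, or not PEM" >&2
        return 1
    fi
    count=$(ls -A "$dir" | wc -l)
    count=$((count))                 # strip padding some wc builds emit
    if [ "$count" -lt "$min" ]; then
        echo "FAIL: only $count entries in $dir; existing certs were wiped" >&2
        return 2
    fi
    echo "OK: $cert present, $count entries in $dir"
}

# Constructed fixture: a temporary directory holding N placeholder PEM files,
# plus my-cert.pem when the second argument is "with-cert".
make_fake_store() {
    store=$(mktemp -d)
    i=0
    while [ "$i" -lt "$1" ]; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
            '-----END CERTIFICATE-----' > "$store/ca-$i.pem"
        i=$((i + 1))
    done
    if [ "$2" = with-cert ]; then
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
            '-----END CERTIFICATE-----' > "$store/my-cert.pem"
    fi
    echo "$store"
}
```

Inside the pod, call it as check_ca_mount /etc/ssl/certs my-cert.pem; exit code 2 is the directory-mount case described in the note above.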