Update DoD Approved External PKI Certificate Trust Chains to Version 9.5
Per https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab/-/blob/main/chart/bigbang/README.md, version 9.0 of the trust chains is currently included.
Version 9.5 is now available from https://public.cyber.mil/pki-pke/pkipke-document-library/:
https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-dod_approved_external_pkis_trust_chains.zip
DEVELOPER INSTRUCTIONS:
- Download and extract the DoD CAs to this directory: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab/-/tree/main/chart/bigbang/DoD_CA_certs
- Then ensure that there is a secret created for each sub-directory of certs (see https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab/-/blob/main/chart/templates/bigbang/secrets/DoD_CA_certs.yaml). The CA certs are broken into separate secrets to avoid the potential of exceeding the k8s 1 Mb secret size limit.
- Then sync the secret names in the Gitlab values file under .Values.certificates.customCAs
- There might be some mis-formatted/invalid certs that need to be deleted. They will be revealed by testing a Gitlab deployment with the new CA certs.
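The two things that bite during this update are malformed PEM files and a sub-directory whose certs together exceed the Secret size limit. The following added example (not code from this issue or the Big Bang GitLab package) checks both before anything is deployed: each CERTIFICATE block is base64-decoded and its outer DER SEQUENCE length verified, and the byte total per top-level sub-directory is compared against 1 MiB. Sub-directory names and file contents below are constructed samples, not the real zip contents.

```python
import base64
import binascii
import re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
K8S_SECRET_LIMIT = 1_048_576  # 1 MiB; the API server rejects Secret objects above this

def der_length_ok(der: bytes) -> bool:
    """True if der is exactly one complete DER SEQUENCE (an X.509 cert's outer shell)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                      # long-form: n following bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem_file(text: str) -> list:
    """Problems found in one .cer/.pem file; an empty list means every block parsed."""
    blocks = PEM_RE.findall(text)
    if not blocks:
        return ["no CERTIFICATE block found"]
    problems = []
    for i, body in enumerate(blocks):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"block {i}: invalid base64")
            continue
        if not der_length_ok(der):
            problems.append(f"block {i}: truncated or corrupt DER")
    return problems

def oversized_secrets(files: dict) -> list:
    """Top-level sub-directories whose combined certs would exceed the 1 MiB Secret limit."""
    sizes = {}
    for path, text in files.items():
        subdir = path.split("/", 1)[0]     # one Secret per sub-directory, as the issue describes
        sizes[subdir] = sizes.get(subdir, 0) + len(text.encode())
    return sorted(d for d, n in sizes.items() if n > K8S_SECRET_LIMIT)

# Constructed sample tree (not the real zip contents): a minimal well-formed DER
# SEQUENCE, a truncated copy of it, a block of non-base64 text, and an empty file.
SAMPLE_FILES = {
    "dir_a/good.cer": "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n",
    "dir_a/truncated.cer": "-----BEGIN CERTIFICATE-----\nMAMCAQ==\n-----END CERTIFICATE-----\n",
    "dir_b/garbage.cer": "-----BEGIN CERTIFICATE-----\nnot*base64\n-----END CERTIFICATE-----\n",
    "dir_b/empty.cer": "",
}
if __name__ == "__main__":
    print({p: check_pem_file(t) for p, t in SAMPLE_FILES.items()}, oversized_secrets(SAMPLE_FILES))
```

To run it against the extracted zip, build the `files` dict by walking the directory and reading each .cer/.pem as text; any path with a non-empty problem list is a candidate for deletion before the secrets are regenerated.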
Keycloak creates a consolidated dod_cas.pem file but without the email and software certs. This might be of interest for side-study: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/blob/main/scripts/certs/
Edited by kevin.wilder