I've deployed vault using helm. Configured it to be my local CA for example.com.
Configured cert-manager to use a vault-issuer
Deployed keycloak with certs from Vault CA (keycloak.example.com).
Configured keycloak to allow OIDC client from vault.
But when onboarding vault.example.com as OIDC client against keycloak.example.com, it does not trust the cert of keycloak. One it issued itself :-)
Using curl outside the pod where the vault CA cert has been added to the linux tls trust store the discovery url works just fine.
Installed nc in the vault pod and I can reach the keycloak url from there...
```
2024-09-04T12:37:53.758Z [ERROR] auth.oidc.auth_oidc_123b42f5: error checking oidc discovery URL: error="error creating provider with given values: NewProvider: unable to create provider: Get \"https://keycloak.example.com/realms/example-com/.well-known/openid-configuration/\": tls: failed to verify certificate: x509: certificate signed by unknown authority"
```
So cannot do...