Data Collection, Analytics, and Events / DCAEGEN2-1959

DFC procedure for adding new external trust anchors is transient


      The current procedure (https://docs.onap.org/en/elalto/submodules/dcaegen2.git/docs/sections/services/dfc/certificates.html#certificates-manual-configuration-of-self-signed-certifcates) for adding new external trust anchors is transient. If the pod with DFC is relocated or recreated by K8s (e.g. due to memory pressure, a node-gone situation or pod preemption), all changes are lost.

      The current procedure contains no information about this.

       

      For a persistent solution, it is recommended to:

      1. Copy the existing truststore to the host node:
        kubectl cp onap/{{DFC_POD_NAME}}:/opt/app/datafile/config/ftp.jks ftp.jks
        e.g.
        kubectl cp onap/dep-sb5b24dc3ec1a40ce8393d996a22bb897-dcae-datafile-6cc48fd5bsl:/opt/app/datafile/config/ftp.jks ftp.jks
        
      2. Add the custom trust anchor (look up the password in Consul):
        keytool -import -alias nokia_ftpes -keystore ftp.jks -file nokia.pem
        
      3. Create a secret from that file:
        kubectl create secret generic dfc-external-certs --from-file=./ftp.jks
        
      4. Edit the deployment to use the new secret (mount it in a new directory)
      5. Reconfigure Consul to use the new path
      6. Recreate the pod
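
Steps 4 and 6 as a script (an added example, not part of the original issue or of the ONAP project). The deployment name, container name and mount directory are placeholders or assumptions; the Consul key for the truststore path is not given in the issue, so step 5 stays manual: run the script with "path" to get the value, update Consul, then run it with "apply".

```shell
#!/usr/bin/env bash
# Added example: mount the truststore secret from step 3 into the DFC pod.
set -eu

NAMESPACE="onap"                  # namespace used in step 1
SECRET_NAME="dfc-external-certs"  # secret from step 3; must be in $NAMESPACE
DEPLOYMENT="${DEPLOYMENT:-DFC_DEPLOYMENT_NAME}"  # placeholder, not from the issue
CONTAINER="${CONTAINER:-DFC_CONTAINER_NAME}"     # placeholder, not from the issue
MOUNT_DIR="${MOUNT_DIR:-/opt/app/datafile/external-certs}"  # assumed directory

# Strategic-merge patch: volumes and containers are merged by name, so the
# existing volumes of the deployment are kept and one read-only mount is added.
build_patch() {  # $1 secret name, $2 container name, $3 mount directory
  printf '{"spec":{"template":{"spec":{"volumes":[{"name":"external-certs","secret":{"secretName":"%s"}}],' "$1"
  printf '"containers":[{"name":"%s","volumeMounts":[{"name":"external-certs","mountPath":"%s","readOnly":true}]}]}}}}\n' "$2" "$3"
}

# Truststore path that step 5 has to configure in Consul.
truststore_path() { printf '%s/ftp.jks\n' "$1"; }

apply_steps() {
  # Step 4: patch the pod template. This starts a rollout, which
  # recreates the pod (step 6) with the secret mounted.
  kubectl -n "$NAMESPACE" patch deployment "$DEPLOYMENT" --type strategic \
    -p "$(build_patch "$SECRET_NAME" "$CONTAINER" "$MOUNT_DIR")"
  kubectl -n "$NAMESPACE" rollout status deployment "$DEPLOYMENT"
  # Check that the truststore is present in the recreated pod.
  kubectl -n "$NAMESPACE" exec "deployment/$DEPLOYMENT" -c "$CONTAINER" -- \
    ls -l "$(truststore_path "$MOUNT_DIR")"
}

case "${1:-}" in
  path)  truststore_path "$MOUNT_DIR" ;;  # value for step 5
  apply) apply_steps ;;                   # steps 4 and 6
esac
```

Because the truststore now comes from a Secret, it is mounted again whenever K8s relocates or recreates the pod.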

       

            ejamcud ejamcud
            baniewsk baniewsk