Kubernetes - Create custom secret holding SSL certificates

Time:02-06

I have a problem. In my Kubernetes cluster I am running a GitLab image for my own project. This image requires a .crt and .key as certificates for HTTPS usage. I have set up an Ingress resource with a letsencrypt-issuer, which successfully obtains the certificates. But to use those they need to be named my.dns.com.crt and my.dns.com.key. So I manually ran the following 3 commands:

kubectl get secret project-gitlab-tls -n project-utility \
  -o jsonpath='{.data.tls\.crt}' | base64 --decode > /mnt/data/project/gitlab/certs/tls.crt

kubectl get secret project-gitlab-tls -n project-utility \
  -o jsonpath='{.data.tls\.key}' | base64 --decode > /mnt/data/project/gitlab/certs/tls.key

kubectl create secret generic gitlab-registry-certs \
  --from-file=gitlab.project.com.crt=/mnt/data/project/gitlab/certs/tls.crt \
  --from-file=gitlab.project.com.key=/mnt/data/project/gitlab/certs/tls.key \
  --namespace project-utility

The first 2 commands write the decoded crt/key content to a file, so that the third command can use those files to create a custom mapping to the specific DNS names. Then in the GitLab deployment I mount this gitlab-registry-certs like this:

volumeMounts:
  - mountPath: /etc/gitlab/ssl
    name: registry-certs
volumes:
  - name: registry-certs
    secret:
      secretName: gitlab-registry-certs

This all works, but I want this process to be automated, because I am using ArgoCD as the deployment tool. I thought about a job, but a job runs an Ubuntu version which is not allowed to make changes to the cluster, so I need to call a bash script on the external host. How can I achieve this? I can only find things about jobs which run an image and not how to execute host commands. If there is a much easier method to use the certificates that I am not seeing, please let me know, because I kinda feel weird about this way of using the certificates, but GitLab requires the naming convention of <DNS>.crt and <DNS>.key, so that's why I am doing the remapping.

So the question is how to automate this remapping process so that on cluster generation a job will be executed after obtaining the certificates but before the deployment gets created?

CodePudding user response:

Why are you bothering with this complicated process of creating a new secret? Just rename them in your volumeMounts section by using a subPath:

containers:
  - ...
    volumeMounts:
      - name: registry-certs
        mountPath: /etc/gitlab/ssl/my.dns.com.crt
        subPath: tls.crt
      - name: registry-certs
        mountPath: /etc/gitlab/ssl/my.dns.com.key
        subPath: tls.key
volumes:
  - name: registry-certs
    secret:
      secretName: project-gitlab-tls

More info in the documentation.
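An added example, not part of the answer above: a `subPath` mount does the renaming, but Kubernetes does not propagate Secret updates into files mounted via `subPath`, so when cert-manager renews the Let's Encrypt certificate the container keeps the old files until the pod is recreated. Mounting the whole Secret as a directory and renaming its keys with `items` gives the same file names while the kubelet keeps the files current. The Secret name, namespace and mount path are taken from the question; `my.dns.com` is the placeholder hostname from the answer, and the container image and labels are assumptions.

```yaml
# Added example (not from the original post): rename the Secret's keys with a
# volume projection instead of subPath mounts so the files follow renewals.
# Secret project-gitlab-tls, namespace project-utility and /etc/gitlab/ssl come
# from the question; my.dns.com is the answer's placeholder hostname.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitlab                      # assumed name
  namespace: project-utility
spec:
  selector:
    matchLabels:
      app: gitlab                   # assumed label
  template:
    metadata:
      labels:
        app: gitlab
    spec:
      containers:
        - name: gitlab
          image: gitlab/gitlab-ce   # assumed image; keep whatever the deployment already uses
          volumeMounts:
            - name: registry-certs
              mountPath: /etc/gitlab/ssl   # directory mount, not subPath, so updates propagate
              readOnly: true               # nothing in the container needs to write key material
      volumes:
        - name: registry-certs
          secret:
            secretName: project-gitlab-tls
            # Tighten from the default 0644; assumes the process that reads the key runs
            # as the file owner or as the pod's fsGroup (check with ls -l after deploying).
            defaultMode: 0440
            items:
              - key: tls.crt
                path: my.dns.com.crt       # Secret key -> file name inside the mount
              - key: tls.key
                path: my.dns.com.key
```

After rolling this out, `kubectl exec` into the pod and `ls -l /etc/gitlab/ssl` should show only the two renamed files with the restricted mode; no second Secret and no host-side script are needed, so the manifest can be managed entirely by ArgoCD. GitLab still has to reload its own services to pick up a renewed certificate, but the files on disk are already current when it does.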
