mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
// Module included in the following assemblies:
//
// * security/certificates/service-serving-certificate.adoc

:_mod-docs-content-type: PROCEDURE
[id="add-service-certificate-configmap_{context}"]
= Add the service CA bundle to a config map

A pod can access the service Certificate Authority (CA) certificate by mounting a `ConfigMap` object that has the `service.beta.openshift.io/inject-cabundle=true` annotation. After annotating the config map, the cluster automatically injects the service CA certificate into the `service-ca.crt` key on the config map. Access to this CA certificate allows TLS clients to verify connections to services by using service serving certificates.

[IMPORTANT]
====
After adding this annotation to a config map, the OpenShift Service CA Operator deletes all the data in the config map. Consider using a separate config map to contain the `service-ca.crt`, instead of using the same config map that stores your pod configuration.
====

.Procedure

. Annotate the config map with the `service.beta.openshift.io/inject-cabundle=true` annotation by entering the following command:
+
[source,terminal]
----
$ oc annotate configmap <config_map_name> \//<1>
    service.beta.openshift.io/inject-cabundle=true
----
<1> Replace `<config_map_name>` with the name of the config map to annotate.
+
[NOTE]
====
Explicitly referencing the `service-ca.crt` key in a volume mount prevents a pod from starting until the config map has been injected with the CA bundle. You can override this behavior by setting `optional: true` in the `configMap` section of the volume definition.
====

. View the config map to ensure that the service CA bundle has been injected:
+
[source,terminal]
----
$ oc get configmap <config_map_name> -o yaml
----
+
The CA bundle is displayed as the value of the `service-ca.crt` key in the YAML output:
+
[source,yaml]
----
apiVersion: v1
data:
  service-ca.crt: |
    -----BEGIN CERTIFICATE-----
...
----

. Mount the config map as a volume to each container that exists in a pod by configuring your `Deployment` object.
+
.Example Deployment object that defines the volume for the mounted config map
[source,yaml]
----
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-example-custom-ca-deployment
  namespace: my-example-custom-ca-ns
spec:
  ...
  spec:
    ...
    containers:
    - name: my-container-that-needs-custom-ca
      volumeMounts:
      - name: trusted-ca
        mountPath: /etc/pki/ca-trust/extracted/pem
        readOnly: true
    volumes:
    - name: trusted-ca
      configMap:
        name: <config_map_name> <1>
        items:
        - key: service-ca.crt <2>
          path: tls-ca-bundle.pem <3>
# ...
----
<1> Specify the name of the config map that you annotated in an earlier step of the procedure.
<2> `service-ca.crt` is required as the config map key, because it is the key that the Service CA Operator injects the bundle into.
<3> `tls-ca-bundle.pem` is required as the path, so that the bundle is available at `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`, the file that the system trust store in the container reads. Because the volume is mounted over that directory, it replaces the container's default trust bundle, so the container then trusts only the service CA.
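The annotate-then-verify flow of the first two steps, as an added shell example that is not part of the OpenShift documentation or the openshift-docs project: it annotates the config map, then polls `oc get configmap -o yaml` until the `service-ca.crt` key actually holds a certificate, so that a `Deployment` mounting that key is rolled out only after injection. A logged-in `oc`, and the namespace and config map names, are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the OpenShift docs: annotate a config map for
# service CA injection and wait until the Service CA Operator has populated
# the service-ca.crt key. Assumes `oc` is installed and logged in; the
# namespace and config map names are caller-supplied placeholders.

# Succeeds when the YAML of a config map (output of `oc get configmap -o yaml`)
# has a service-ca.crt key holding at least one PEM certificate. A config map
# that was just annotated has no data yet, because the operator clears it, so
# this check fails until injection has happened.
bundle_injected() {
  printf '%s\n' "$1" | awk '
    /^  service-ca\.crt: [|]/      { in_key = 1; next }
    in_key && /BEGIN CERTIFICATE/  { found = 1 }
    in_key && /^[^ ]/              { in_key = 0 }
    END                            { exit(found ? 0 : 1) }'
}

# Prints how many PEM certificates the config map YAML carries (0 if none).
cert_count() {
  printf '%s\n' "$1" | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Annotates the config map and polls until the bundle is present or the
# timeout (seconds, default 60) elapses. Returns non-zero on timeout.
wait_for_service_ca() {
  ns=$1; cm=$2; timeout=${3:-60}; elapsed=0
  oc -n "$ns" annotate configmap "$cm" \
    service.beta.openshift.io/inject-cabundle=true --overwrite
  while [ "$elapsed" -lt "$timeout" ]; do
    yaml=$(oc -n "$ns" get configmap "$cm" -o yaml)
    if bundle_injected "$yaml"; then
      echo "service CA injected into $ns/$cm: $(cert_count "$yaml") certificate(s)"
      return 0
    fi
    sleep 2
    elapsed=$((elapsed + 2))
  done
  echo "timed out after ${timeout}s waiting for service CA injection into $ns/$cm" >&2
  return 1
}

# Only talks to the cluster when invoked with arguments:
#   ./wait-service-ca.sh <namespace> <config_map_name> [timeout_seconds]
if [ "$#" -ge 2 ]; then
  wait_for_service_ca "$@"
fi
```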