mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
88 lines
2.8 KiB
Plaintext
88 lines
2.8 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * networking/configuring-a-custom-pki.adoc
|
|
|
|
:_mod-docs-content-type: CONCEPT
|
|
[id="certificate-injection-using-operators_{context}"]
|
|
= Certificate injection using Operators
|
|
|
|
[role="_abstract"]
|
|
In {product-title}, certificate injection using Operators merges your custom Certificate Authorities (CAs) with system certificates and injects the merged bundle into Operators that request it. You can use this feature so your Operators trust custom certificates without requiring manual certificate bundle management.
|
|
|
|
[IMPORTANT]
|
|
====
|
|
After adding a `config.openshift.io/inject-trusted-cabundle="true"` label to the config map, existing data in it is deleted. The Cluster Network Operator takes ownership of a config map and only accepts `ca-bundle` as data.
|
|
You must use a separate config map to store `service-ca.crt` by using the `service.beta.openshift.io/inject-cabundle=true` annotation or a similar configuration. Adding a `config.openshift.io/inject-trusted-cabundle="true"` label and `service.beta.openshift.io/inject-cabundle=true` annotation on the same config map can cause issues.
|
|
====
|
|
|
|
Operators request this injection by creating an empty ConfigMap with the
|
|
following label:
|
|
|
|
[source,yaml]
|
|
----
|
|
config.openshift.io/inject-trusted-cabundle="true"
|
|
----
|
|
|
|
An example of the empty ConfigMap:
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
data: {}
|
|
kind: ConfigMap
|
|
metadata:
|
|
labels:
|
|
config.openshift.io/inject-trusted-cabundle: "true"
|
|
name: ca-inject
|
|
namespace: apache
|
|
----
|
|
where:
|
|
--
|
|
`metadata.name`:: Specifies the empty ConfigMap name.
|
|
--
|
|
|
|
The Operator mounts this ConfigMap into the container's local trust store.
|
|
|
|
[NOTE]
|
|
====
|
|
Adding a trusted CA certificate is only needed if the certificate is not
|
|
included in the {op-system-first} trust bundle.
|
|
====
|
|
|
|
Certificate injection is not limited to Operators. The Cluster Network Operator
|
|
injects certificates across any namespace when an empty ConfigMap is created with the
|
|
`config.openshift.io/inject-trusted-cabundle=true` label.
|
|
|
|
The ConfigMap can reside in any namespace, but the ConfigMap must be mounted as
|
|
a volume to each container within a pod that requires a custom CA. For example:
|
|
|
|
[source,yaml]
|
|
----
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: my-example-custom-ca-deployment
|
|
namespace: my-example-custom-ca-ns
|
|
spec:
|
|
...
|
|
spec:
|
|
...
|
|
containers:
|
|
- name: my-container-that-needs-custom-ca
|
|
volumeMounts:
|
|
- name: trusted-ca
|
|
mountPath: /etc/pki/ca-trust/extracted/pem
|
|
readOnly: true
|
|
volumes:
|
|
- name: trusted-ca
|
|
configMap:
|
|
name: ca-inject
|
|
items:
|
|
- key: ca-bundle.crt
|
|
path: tls-ca-bundle.pem
|
|
----
|
|
|
|
where:
|
|
--
|
|
`volumes.items.key`:: Specifies the ConfigMap key.
|
|
`volumes.items.path`:: Specifies the ConfigMap path.
|
|
-- |