mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
84 lines
2.7 KiB
Plaintext
84 lines
2.7 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * networking/configuring-a-custom-pki.adoc
|
|
|
|
:_mod-docs-content-type: CONCEPT
|
|
[id="certificate-injection-using-operators_{context}"]
|
|
= Certificate injection using Operators
|
|
|
|
Once your custom CA certificate is added to the cluster via ConfigMap, the
|
|
Cluster Network Operator merges the user-provided and system CA certificates
|
|
into a single bundle and injects the merged bundle into the Operator requesting
|
|
the trust bundle injection.
|
|
|
|
[IMPORTANT]
|
|
====
|
|
After adding a `config.openshift.io/inject-trusted-cabundle="true"` label to the config map, existing data in it is deleted. The Cluster Network Operator takes ownership of a config map and only accepts `ca-bundle` as data.
|
|
You must use a separate config map to store `service-ca.crt` by using the `service.beta.openshift.io/inject-cabundle=true` annotation or a similar configuration. Adding a `config.openshift.io/inject-trusted-cabundle="true"` label and `service.beta.openshift.io/inject-cabundle=true` annotation on the same config map can cause issues.
|
|
====
|
|
|
|
Operators request this injection by creating an empty ConfigMap with the
|
|
following label:
|
|
|
|
[source,yaml]
|
|
----
|
|
config.openshift.io/inject-trusted-cabundle="true"
|
|
----
|
|
|
|
An example of the empty ConfigMap:
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
data: {}
|
|
kind: ConfigMap
|
|
metadata:
|
|
labels:
|
|
config.openshift.io/inject-trusted-cabundle: "true"
|
|
name: ca-inject <1>
|
|
namespace: apache
|
|
----
|
|
<1> Specifies the empty ConfigMap name.
|
|
|
|
The Operator mounts this ConfigMap into the container's local trust store.
|
|
|
|
[NOTE]
|
|
====
|
|
Adding a trusted CA certificate is only needed if the certificate is not
|
|
included in the {op-system-first} trust bundle.
|
|
====
|
|
|
|
Certificate injection is not limited to Operators. The Cluster Network Operator
|
|
injects certificates across any namespace when an empty ConfigMap is created with the
|
|
`config.openshift.io/inject-trusted-cabundle=true` label.
|
|
|
|
The ConfigMap can reside in any namespace, but the ConfigMap must be mounted as
|
|
a volume to each container within a pod that requires a custom CA. For example:
|
|
|
|
[source,yaml]
|
|
----
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: my-example-custom-ca-deployment
|
|
namespace: my-example-custom-ca-ns
|
|
spec:
|
|
...
|
|
spec:
|
|
...
|
|
containers:
|
|
- name: my-container-that-needs-custom-ca
|
|
volumeMounts:
|
|
- name: trusted-ca
|
|
mountPath: /etc/pki/ca-trust/extracted/pem
|
|
readOnly: true
|
|
volumes:
|
|
- name: trusted-ca
|
|
configMap:
|
|
name: ca-inject
|
|
items:
|
|
- key: ca-bundle.crt <1>
|
|
path: tls-ca-bundle.pem <2>
|
|
----
|
|
<1> `ca-bundle.crt` is required as the ConfigMap key.
|
|
<2> `tls-ca-bundle.pem` is required as the ConfigMap path.
|