Certificates as Kubernetes Secrets in airgapped EKS
Sometimes you need to store an SSL certificate as a Kubernetes secret. This document walks through an example of how to secure a third-party S3-compatible objectstore for use with Portworx.
Create the secret
-
Copy your certificate to the location where the
kubectl
is configured for this Kubernetes cluster. Copy thepublic.crt
file to the/opt/certs
folder. -
Create the secret:
kubectl -n kube-system create secret generic px-s3-certs --from-file=/opt/certs/
-
Confirm that the secret was created correctly:
kubectl -n kube-system describe secret px-s3-certs
Provide the secret to Portworx
Based on your Portworx installation type, provide the secret to Portworx by performing the steps in one of the following sections.
Portworx Operator
Update the Portworx StorageCluster
to mount the secret and the environment variable:
kubectl -n kube-system edit storagecluster portworx
spec:
volumes:
- name: objectstore-cert
mountPath: /etc/pwx/objectstore-cert
secret:
secretName: px-s3-certs
items:
- key: public.crt
path: public.crt
env:
- name: "AWS_CA_BUNDLE"
value: "/etc/pwx/objectstore-cert/public.crt"
After saving the modified StorageCluster
, Portworx will restart in a rolling update.