Certificates as Kubernetes Secrets
Sometimes it is necessary to store an SSL certificate as a Kubernetes secret. The example here is to secure a third-party S3-compatible objectstore for use with Portworx.
1. Create the secret
Copy your certificate to where the
kubectl
is configured for this Kubernetes cluster. Copy theobjectstore.pem
file to the/opt/certs
folder.Create the secret:
kubectl -n kube-system create secret generic objectstore-cert --from-file=/opt/certs/
(Optional) Confirm if the secret was created correctly:
kubectl -n kube-system describe secret objectstore-cert
2. Provide secret to Portworx
Based on your Portworx installation type, provide secret to Portworx by performing one of the following steps (2a or 2b).
2a. Portworx DaemonSet
Update the Portworx DaemonSet to mount the secret and the environment variable:
kubectl -n kube-system edit ds portworx
The volumeMounts:
section in the DaemonSet will have:
volumeMounts:
- mountPath: /etc/pwx/objectstore-cert
name: objectstore-cert
The volumes:
section in the DaemonSet will have:
volumes:
- name: objectstore-cert
secret:
secretName: objectstore-cert
items:
- key: objectstore.pem
path: objectstore.pem
The env:
section in the DaemonSet will have:
env:
- name: "AWS_CA_BUNDLE"
value: "/etc/pwx/objectstore-cert/objectstore.pem"
- After saving the modified DaemonSet, Portworx will restart in a rolling update.
2b. Portworx operator
Update the Portworx
StorageCluster
to mount the secret and the environment variable:kubectl -n kube-system edit storagecluster portworx
spec: volumes: - name: objectstore-cert mountPath: /etc/pwx/objectstore-cert secret: secretName: objectstore-cert items: - key: objectstore.pem path: objectstore.pem env: - name: "AWS_CA_BUNDLE" value: "/etc/pwx/objectstore-cert/objectstore.pem"
After saving the modified
StorageCluster
, Portworx will restart in a rolling update.