Mounting client.crt, client.key, ca.crt with a service-account or otherwise?

7/18/2017

Has anyone used service accounts to mount SSL certificates to access the AWS cluster from within a running job before? How do we do this? I created the job, and this is from the output of the failing container, which is causing the Pod to be in an error state.

Error in configuration:
* unable to read client-cert /client.crt for test-user due to open /client.crt: no such file or directory
* unable to read client-key /client.key for test-user due to open /client.key: no such file or directory
* unable to read certificate-authority /ca.crt for test-cluster due to open /ca.crt: no such file or director
-- phpnovice
e2e-testing
kubernetes
kubernetes-security

1 Answer

7/19/2017

The solution is to create a Secret containing the certs, and then get the job to reference it.

Step 1. Create secret:

kubectl create secret generic job-certs --from-file=client.crt --from-file=client.key --from-file=ca.crt

Step 2. Reference secret in job's manifest. You have to insert the volumes and volumeMounts in the job.

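spec:                         # the pod spec (spec.template.spec in a Job manifest)
  volumes:
  - name: ssl
    secret:
      secretName: job-certs   # the Secret created in step 1
  containers:
  - volumeMounts:             # goes inside the job's existing container entry
    # each Secret key becomes a file: /etc/ssl/client.crt, /etc/ssl/client.key, /etc/ssl/ca.crt
    - mountPath: "/etc/ssl"
      name: "ssl"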
-- Eugene Chow
Source: StackOverflow
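
A complete Job manifest for the two steps in the answer, as an added example that is not part of the original post. The Job name, container name, image, API server address and the /etc/job-certs mount path are placeholders assumed here; a dedicated mount path is used because a volume mount hides whatever the image already has in that directory, and each Secret key appears as a file under mountPath, so the client's certificate paths have to point there.

```yaml
# Added example, not from the original answer. Values marked "assumed" are placeholders.
apiVersion: batch/v1
kind: Job
metadata:
  name: e2e-cluster-check             # assumed name
spec:
  backoffLimit: 0                     # fail fast so a wrong cert path shows up immediately
  template:
    spec:
      restartPolicy: Never
      # The job authenticates with the client certificate, so no
      # service-account token needs to be mounted into the pod.
      automountServiceAccountToken: false
      volumes:
      - name: ssl
        secret:
          secretName: job-certs       # created in step 1 with kubectl create secret generic
          # Owner read-only. Assumes the container process runs as the
          # file owner (root unless a securityContext says otherwise).
          defaultMode: 0400
      containers:
      - name: e2e                     # assumed name
        image: registry.example.invalid/kubectl:placeholder   # assumed image that ships kubectl
        command:
        - kubectl
        - --server=https://API_SERVER_PLACEHOLDER              # assumed: target cluster address
        - --certificate-authority=/etc/job-certs/ca.crt
        - --client-certificate=/etc/job-certs/client.crt
        - --client-key=/etc/job-certs/client.key
        - get
        - nodes
        volumeMounts:
        - name: ssl
          mountPath: /etc/job-certs   # assumed path; each Secret key becomes a file here
          readOnly: true
```

If the job reads a kubeconfig file instead of taking flags, its client-certificate, client-key and certificate-authority entries need the same /etc/job-certs/ paths.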