Is it possible to use PodPresets in OpenShift 3.11 (3.7+)?

7/18/2019

I've installed an OpenShift cluster for testing purposes, and since I'm behind a corporate network, I need to include some Root Certificates in any Pod that wants to make external requests. What can I do to inject those certificates automatically at Pod creation?

I'm running OpenShift Origin (OKD) 3.11 in a local CentOS 7 VM, with GlusterFS storage provisioning on top of it. I already had multiple issues with the VM itself, which gave me errors when trying to access the network: x509: certificate signed by unknown authority. I fixed that by adding my corporation's root certificates in /etc/pki/ca-trust/source/anchors and by running the update-ca-trust command.

When I was running, for example, the docker-registry deployment in the OpenShift cluster, since the created Pods didn't have access to the host root certificates, they again gave x509: certificate signed by unknown authority errors when trying to pull images from docker.io. I resolved that by creating a ConfigMap containing all needed root certificates, and mounting them in a volume on the registry deployment config.

I thought I only needed to mount a volume in all deployment configs which want to reach the external network. But then I provisioned a Jenkins instance and I realised something new: when a pipeline runs, Jenkins creates a Pod with an adapted agent (example: a Spring Boot app will need a Maven agent). Since I have no control over those created pods, they can't have the mounted volume with all root certificates. So for instance I have a pipeline that runs helm init --client-only before releasing my app chart, and this command gives an x509: certificate signed by unknown authority error, because this pod doesn't have the root certificates.

x509 Error screenshot

I found that a PodPreset could be the perfect way to resolve my problem, but when I enable this feature in the cluster and create the PodPreset, no new pod is populated. I read in the OpenShift documentation that PodPresets are no longer supported as of 3.7, so I think that could be the reason it is not working.

OpenShift docs screenshot

Here is my PodPreset definition file:

kind: PodPreset
apiVersion: settings.k8s.io/v1alpha1
metadata:
  name: inject-certs
spec:
  selector: {}
  volumeMounts:
    - mountPath: /etc/ssl/certs/cert1.pem
      name: ca
      subPath: cert1.pem
    - mountPath: /etc/ssl/certs/cert2.pem
      name: ca
      subPath: cert2.pem
    - mountPath: /etc/ssl/certs/cert3.pem
      name: ca
      subPath: cert3.pem
    - mountPath: /etc/ssl/certs/cert4.pem
      name: ca
      subPath: cert4.pem
    - mountPath: /etc/ssl/certs/cert5.pem
      name: ca
      subPath: cert5.pem
    - mountPath: /etc/ssl/certs/cert6.pem
      name: ca
      subPath: cert6.pem
  volumes:
    - configMap:
        defaultMode: 420
        name: ca-pemstore
      name: ca

I don't know if there is any way to make PodPresets work on OpenShift 3.11, or if there is another solution to inject cert files like this into created pods. This would be really great.

-- Jeremi
Tags: kubernetes, kubernetes-pod, okd, openshift, ssl

1 Answer

11/6/2019

The RedHat COP on GitHub contains a project with a podpreset admission webhook controller you can use: https://github.com/redhat-cop/podpreset-webhook

Basically you deploy that project and change the apiVersion in your PodPreset to apiVersion: redhatcop.redhat.io/v1alpha1

-- Philipp Heuer
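As an added example (not part of the question or the answer above), a POSIX shell script that generates the ca-pemstore ConfigMap and the matching PodPreset, using the webhook apiVersion the answer names, from a directory of PEM files, with one ConfigMap key and one subPath mount per certificate as in the question's manifest. It refuses any file that carries private-key material, since the ConfigMap ends up mounted into every pod; the sample certificates it writes are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Emit a ConfigMap (ca-pemstore) and a PodPreset for the redhat-cop webhook from a
# directory of CA PEM files: one ConfigMap key and one subPath mount per certificate.

pem_is_cert() {
  # Only accept files holding certificate blocks and no private-key material,
  # so a stray key can never end up in a ConfigMap mounted into every pod.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
  grep -q -- 'PRIVATE KEY' "$1" && return 1
  return 0
}

gen_ca_preset() {
  dir=$1
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: ca-pemstore\ndata:\n'
  for f in "$dir"/*.pem; do
    [ -f "$f" ] && pem_is_cert "$f" || { echo "skipping $f: not a bare certificate" >&2; continue; }
    printf '  %s: |\n' "$(basename "$f")"
    sed 's/^/    /' "$f"            # indent the PEM body under the YAML block scalar
  done
  printf '%s\n' '---'
  printf 'apiVersion: redhatcop.redhat.io/v1alpha1\nkind: PodPreset\n'
  printf 'metadata:\n  name: inject-certs\nspec:\n  selector: {}\n  volumeMounts:\n'
  for f in "$dir"/*.pem; do
    [ -f "$f" ] && pem_is_cert "$f" || continue
    n=$(basename "$f")
    printf '    - mountPath: /etc/ssl/certs/%s\n      name: ca\n      subPath: %s\n' "$n" "$n"
  done
  printf '  volumes:\n    - name: ca\n      configMap:\n        name: ca-pemstore\n        defaultMode: 420\n'
}

make_sample_dir() {
  # Constructed sample input (placeholders, not real key material): one acceptable
  # PEM and one file that must be refused because it carries a private key.
  d=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBsampleNOTAREALCERT==' \
    '-----END CERTIFICATE-----' > "$d/corp-root.pem"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEsampleNOTAREALKEY==' \
    '-----END RSA PRIVATE KEY-----' > "$d/leaked.pem"
  echo "$d"
}

# Stand-alone use against your own PEM directory:
#   gen_ca_preset /path/to/corp-cas > ca-inject.yaml && oc apply -f ca-inject.yaml
```

Files mounted with subPath are not refreshed when the ConfigMap changes, so pods must be recreated after a root certificate is rotated.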
Source: StackOverflow