How do you supply your Applications with TLS Certificates centrally in Openshift?

8/29/2019

I am currently struggling with the following tasks. I don't want to include my TLS certificates in my templates because

  1. I don't want to check in credentials in code management while still checking in the templates

  2. I am using multiple Applications with the same Certificate and I don't want to update repos just because I might distribute another certificate

Now my approach is this. I am using Jenkins for my build pipelines. I have a Repo that is used just for certificate management. It will run when updated and distribute the certificate and private key to Openshift Secrets on various clusters.

When running the Template of an application I am retrieving the Information from the secret and setting the values in the route. And here's where things get tricky. I can only use single line values because

  1. Openshift templates will not accept multiline parameters with oc process
  2. Secrets will not store multiline values

So the solution seemed to be easy. Just store the Certificate with \n and set it in the Route like this. However Openshift will not accept single line certificates resulting in the error

spec.tls.key: Invalid value: "redacted key data": tls: found a certificate rather than a key in the PEM for the private key

Now the solution could be to insert the Certificate as multiple lines directly in the template file before processing and applying it to the cluster but that seems a little bit hacky to me. So my Question is

How can you centrally manage TLS Certificates for your applications and set them correctly in the Templates you're applying?

-- relief.melone
kubernetes
openshift
ssl

2 Answers

3/12/2020

In order to centrally manage TLS Certificates for the applications, you can create a general secret and use it via volume mounting.

-- Sagar Aivale
Source: StackOverflow

8/29/2019

Secrets can be multiple lines. You can create a secret using a certificate file, and mount that secret as a file into your containers. See here for how to create secrets from files:

https://kubernetes.io/docs/concepts/configuration/secret/

Use the openshift command line tool instead of kubectl.

For certificates, there is something called cert-manager:

https://docs.cert-manager.io/en/latest/

This will generate certs as needed. You might want to take a look.

-- Burak Serdar
Source: StackOverflow
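An added example (not code from the question or either answer) illustrating the second answer's point: the certificate and key stay multi-line PEM files on disk, and the Secret carries them base64-encoded in its `data:` field, so nothing has to be flattened with `\n`. It also rejects the cert/key mix-up behind the "found a certificate rather than a key" error quoted in the question. The secret name `app-tls`, the file names and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not code from the question or either answer): build a
# kubernetes.io/tls Secret manifest from PEM files. The PEM stays multi-line on
# disk; base64 in the Secret's `data:` field is what carries it in one line.
set -eu

# Print the type of the first PEM block in a file ("CERTIFICATE", "PRIVATE KEY", ...).
pem_block_type() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Reject swapped or wrong files before they reach the cluster; this is the
# mix-up behind "found a certificate rather than a key in the PEM".
check_tls_pair() {
    cert_type=$(pem_block_type "$1")
    key_type=$(pem_block_type "$2")
    if [ "$cert_type" != "CERTIFICATE" ]; then
        echo "$1: expected CERTIFICATE, got '${cert_type:-none}'" >&2
        return 1
    fi
    case "$key_type" in
        *"PRIVATE KEY") ;;   # PKCS#8, RSA and EC key headers all end this way
        *) echo "$2: expected a private key, got '${key_type:-none}'" >&2; return 1 ;;
    esac
}

# Base64 without line wrapping, portable across GNU and BSD base64.
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# Emit the manifest on stdout; the shape matches what `oc create secret tls`
# produces, so it can be piped straight into `oc apply -f -`.
make_tls_secret_manifest() {
    name=$1; cert=$2; key=$3
    check_tls_pair "$cert" "$key"
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n' "$name"
    printf 'type: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
        "$(b64_oneline "$cert")" "$(b64_oneline "$key")"
}

# Usage (script name assumed): sh make-tls-secret.sh app-tls tls.crt tls.key | oc apply -f -
if [ $# -ge 3 ]; then
    make_tls_secret_manifest "$@"
fi
```

Applications then mount the Secret as a volume (or the Route references it) instead of receiving the PEM text as a template parameter.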