Kubernetes - Create custom secret holding SSL certificates
Question
I have a problem. In my Kubernetes cluster I am running a GitLab image for my own project. This image requires a .crt and .key as certificates for HTTPS usage. I have set up an Ingress resource with a letsencrypt-issuer, which successfully obtains the certificates. But to use those they need to be named my.dns.com.crt and my.dns.com.key. So I manually ran the following 3 commands:
kubectl get secret project-gitlab-tls -n project-utility \
-o jsonpath='{.data.tls\.crt}' | base64 --decode > /mnt/data/project/gitlab/certs/tls.crt
kubectl get secret project-gitlab-tls -n project-utility \
-o jsonpath='{.data.tls\.key}' | base64 --decode > /mnt/data/project/gitlab/certs/tls.key
kubectl create secret generic gitlab-registry-certs \
--from-file=gitlab.project.com.crt=/mnt/data/project/gitlab/certs/tls.crt \
--from-file=gitlab.project.com.key=/mnt/data/project/gitlab/certs/tls.key \
--namespace project-utility
The first 2 commands print the decoded crt/key content in a file, so that the third command can use those files to create a custom mapping to the specific DNS names. Then in the GitLab deployment I mount this gitlab-registry-certs like this:
volumeMounts:
  - mountPath: /etc/gitlab/ssl
    name: registry-certs
volumes:
  - name: registry-certs
    secret:
      secretName: gitlab-registry-certs
This all works, but I want this process to be automated, because I am using ArgoCD as deployment tool. I thought about a job, but a job runs an Ubuntu version which is not allowed to make changes to the cluster, so I need to call a bash script on the external host. How can I achieve this, because I can only find things about jobs which run an image and not how to execute host commands. If there is a way easier method to use the certificates that I am not seeing please let me know, because I kinda feel weird about this way of using the certificates, but GitLab requires the naming convention of <DNS>.crt and <DNS>.key, so that's why I am doing the remapping.

So the question is how to automate this remapping process so that on cluster generation a job will be executed after obtaining the certificates but before the deployment gets created?
Answer 1 (score: 2)
Why are you bothering with this complicated process of creating a new secret? Just rename them in your volumeMounts section by using a subPath:
containers:
  - ...
    volumeMounts:
      - name: registry-certs
        mountPath: /etc/gitlab/ssl/my.dns.com.crt
        subPath: tls.crt
      - name: registry-certs
        mountPath: /etc/gitlab/ssl/my.dns.com.key
        subPath: tls.key
volumes:
  - name: registry-certs
    secret:
      secretName: project-gitlab-tls
More info in the documentation.
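The subPath trick gives the files the names GitLab wants, but a subPath mount is a one-time copy: when cert-manager renews the Let's Encrypt certificate and rewrites the project-gitlab-tls Secret, files mounted via subPath are not refreshed, so the pod keeps serving the old certificate until it is restarted. The manifest below is an added example, not code from the question or the answer, that achieves the same renaming without a second Secret and without subPath: the whole Secret is mounted as a directory (the /etc/gitlab/ssl path from the question) and `items` maps the standard tls.crt / tls.key keys to the <DNS>.crt / <DNS>.key file names. The Deployment name, labels and image reference are assumed placeholders; the DNS name my.dns.com is taken from the answer.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitlab                  # assumed name, not from the original post
  namespace: project-utility    # namespace from the question
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gitlab
  template:
    metadata:
      labels:
        app: gitlab
    spec:
      containers:
        - name: gitlab
          image: gitlab/gitlab-ce:latest   # placeholder; pin a digest or version in practice
          volumeMounts:
            # Mount the directory, not single files via subPath, so the kubelet
            # can replace the cert/key in place after cert-manager renews the Secret.
            - name: registry-certs
              mountPath: /etc/gitlab/ssl
              readOnly: true
      volumes:
        - name: registry-certs
          secret:
            secretName: project-gitlab-tls   # the Secret written by the letsencrypt issuer
            # Map Secret keys to the file names GitLab expects (<DNS>.crt / <DNS>.key).
            items:
              - key: tls.crt
                path: my.dns.com.crt
              - key: tls.key
                path: my.dns.com.key
            # Private key should not be world-readable inside the container (octal 0440).
            # Loosen or set pod fsGroup if GitLab runs as a non-root user that cannot read it.
            defaultMode: 0440
```

Because the volume is a projected directory rather than a subPath copy, the renewed certificate and key appear on disk without a pod restart (after the kubelet's sync delay); the GitLab process itself still has to reload or restart to read the new files, but nothing has to be re-copied into a second Secret, which removes the external bash step and the plaintext key file on the host that the question's manual procedure relied on.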