Kubernetes – 创建包含SSL证书的自定义密钥(secret)

huangapple go评论63阅读模式
英文:

Kubernetes - Create custom secret holding SSL certificates

问题

在我的Kubernetes集群中,我正在运行一个用于我的项目的GitLab镜像,该镜像需要.crt和.key作为HTTPS使用的证书。我已经设置了一个Ingress资源,并使用letsencrypt-issuer成功获取了证书。但要使用这些证书,它们需要被命名为my.dns.com.crtmy.dns.com.key。因此,我手动运行了以下3个命令:

第一和第二个命令将解码后的crt/key内容写入文件,以便第三个命令可以使用这些文件来创建特定DNS名称的自定义映射。然后,在GitLab部署中,我像这样挂载gitlab-registry-certs

volumeMounts:
    - mountPath: /etc/gitlab/ssl
      name: registry-certs
volumes:
- name: registry-certs
  secret:
    secretName: gitlab-registry-certs

这一切都有效,但我希望这个过程能够自动化,因为我正在使用ArgoCD作为部署工具。我考虑过使用作业,但作业运行的是一个不允许对集群进行更改的Ubuntu版本,所以我需要在外部主机上调用一个bash脚本。如何实现这一点,因为我只能找到关于运行镜像的作业的信息,而没有找到如何执行主机命令的信息。如果有更简单的方法来使用证书,我没有看到的话,请告诉我,因为我对这种使用证书的方式感到有些奇怪,但GitLab要求使用<DNS>.crt<DNS>.key的命名约定,所以我才这样重命名。

所以问题是如何自动化这个重命名过程,以便在获取证书后但在创建部署之前,在集群生成时执行一个作业?

英文:

I have a problem. In my kubernetes cluster I am running a GitLab image for my own project. This image requires a .crt and .key as certificates for HTTPS usage. I have setup an Ingress resource with a letsencrypt-issuer, which successfully obtains the certificates. But to use those they need to be named as my.dns.com.crt and my.dns.com.key. So I manually ran the following 3 commands:

kubectl get secret project-gitlab-tls -n project-utility \
  -o jsonpath=&#39;{.data.tls\.crt}&#39; | base64 --decode &gt; /mnt/data/project/gitlab/certs/tls.crt

kubectl get secret project-gitlab-tls -n project-utility \
  -o jsonpath=&#39;{.data.tls\.key}&#39; | base64 --decode &gt; /mnt/data/project/gitlab/certs/tls.key

kubectl create secret generic gitlab-registry-certs \
  --from-file=gitlab.project.com.crt=/mnt/data/project/gitlab/certs/tls.crt \
  --from-file=gitlab.project.com.key=/mnt/data/project/gitlab/certs/tls.key \
  --namespace project-utility

The first 2 commands print the decoded crt/key content in a file, so that the third command can use those files to create a custom mapping to the specific DNS names. Then in the GitLab deployment I mount this gitlab-registry-certs like this:

volumeMounts:
    - mountPath: /etc/gitlab/ssl
      name: registry-certs
volumes:
- name: registry-certs
  secret:
    secretName: gitlab-registry-certs

This all works, but I want this process to be automated, because I am using ArgoCD as deployment tool. I thought about a job, but a job runs a ubuntu version which is not allowed to make changes to the cluster, so I need to call a bash script on the external host. How can I achieve this, because I can only find things about jobs which run an image and not how to execute host commands. If there is a way easier method to use the certificates that I am not seeing please let me know, because I kinda feel weird about this way of using the certificates, but GitLab requires the naming convention of &lt;DNS&gt;.crt and &lt;DNS&gt;.key, so thats why I am doing the remapping.

So the question is how to automate this remapping process so that on cluster generation a job will be executed after obtaining the certificates but before the deployment gets created?

答案1

得分: 2

不要再烦恼这个复杂的创建新秘密的过程了。只需在您的 volumeMounts 部分通过使用 subPath 来重命名它们:

containers:
  - ...
    volumeMounts:
      - name: registry-certs
        mountPath: /etc/gitlab/ssl/my.dns.com.crt
        subPath: tls.crt
      - name: registry-certs
        mountPath: /etc/gitlab/ssl/my.dns.com.key
        subPath: tls.key
volumes:
  - name: registry-certs
    secret:
      secretName: project-gitlab-tls

更多信息请查看文档

英文:

Why are you bothering with this complicated process of creating a new secret? Just rename them in your volumeMounts section by using a subPath:

containers:
  - ...
    volumeMounts:
      - name: registry-certs
        mountPath: /etc/gitlab/ssl/my.dns.com.crt
        subPath: tls.crt
      - name: registry-certs
        mountPath: /etc/gitlab/ssl/my.dns.com.key
        subPath: tls.key
volumes:
  - name: registry-certs
    secret:
      secretName: project-gitlab-tls

More info in the documentation.

huangapple
  • 本文由 发表于 2023年2月6日 02:18:19
  • 转载请务必保留本文链接:https://go.coder-hub.com/75354497.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定