Certificates as Kubernetes Secrets
Sometimes you need to store an SSL certificate as a Kubernetes secret. This document walks through an example of how to secure a third-party S3-compatible objectstore for use with Portworx.
Create the secret
Copy your certificate to the location where the
kubectlis configured for this Kubernetes cluster. Copy theobjectstore.pemfile to the/opt/certsfolder.Create the secret:
kubectl -n kube-system create secret generic objectstore-cert --from-file=/opt/certs/Confirm that the secret was created correctly:
kubectl -n kube-system describe secret objectstore-cert
Provide the secret to Portworx
Based on your Portworx installation type, provide the secret to Portworx by performing the steps in one of the following sections.
Portworx Operator
Update the Portworx StorageCluster to mount the secret and the environment variable:
kubectl -n kube-system edit storagecluster portworx spec:
volumes:
- name: objectstore-cert
mountPath: /etc/pwx/objectstore-cert
secret:
secretName: objectstore-cert
items:
- key: objectstore.pem
path: objectstore.pem
env:
- name: "AWS_CA_BUNDLE"
value: "/etc/pwx/objectstore-cert/objectstore.pem"After saving the modified StorageCluster, Portworx will restart in a rolling update.
Portworx DaemonSet
Update the Portworx DaemonSet to mount the secret and the environment variable:
kubectl -n kube-system edit ds portworxThe volumeMounts: section in the DaemonSet will have:
volumeMounts:
- mountPath: /etc/pwx/objectstore-cert
name: objectstore-certThe volumes: section in the DaemonSet will have:
volumes:
- name: objectstore-cert
secret:
secretName: objectstore-cert
items:
- key: objectstore.pem
path: objectstore.pemThe env: section in the DaemonSet will have:
env:
- name: "AWS_CA_BUNDLE"
value: "/etc/pwx/objectstore-cert/objectstore.pem"After saving the modified DaemonSet, Portworx will restart in a rolling update.