Document how to configure private PKI
Opened this issue · 2 comments
I have had to do this recently and wanted to dump my notes here hoping that it will help! Some of these components are from the software factory as well.
All of the following assume you have a configmap named fizz-buzz with a key ca.pem.
Grafana
```yaml
extraConfigMapMounts:
  - name: ca-certs
    mountPath: /etc/ssl/certs/ca-certificates.crt
    configMap: fizz-buzz
    readOnly: true
    subPath: ca.pem
# This is from UDS, but because it was an array I needed to add it back by hand.
# It lives under extraSecretMounts (not extraConfigMapMounts) because the chart
# backs these entries with a Secret, selected by secretName.
extraSecretMounts:
  - name: auth-generic-oauth-secret-mount
    secretName: sso-client-uds-core-admin-grafana
    defaultMode: 0440
    mountPath: /etc/secrets/auth_generic_oauth
    readOnly: true
```
Loki
```yaml
memcachedExporter:
  extraArgs:
    memcached.tls.ca.crt: <path>/ca.pem
backend:
  extraArgs:
    - -s3.http.ca-file=<path>/ca.pem
  extraVolumeMounts:
    - name: ca-certs
      mountPath: <path>
  extraVolumes:
    - name: ca-certs
      configMap:
        name: fizz-buzz
        defaultMode: 420
read:
  extraArgs:
    - -s3.http.ca-file=<path>/ca.pem
  extraVolumeMounts:
    - name: ca-certs
      mountPath: <path>
  extraVolumes:
    - name: ca-certs
      configMap:
        name: fizz-buzz
        defaultMode: 420
write:
  extraArgs:
    - -s3.http.ca-file=<path>/ca.pem
  extraVolumeMounts:
    - name: ca-certs
      mountPath: <path>
  extraVolumes:
    - name: ca-certs
      configMap:
        name: fizz-buzz
        defaultMode: 420
```
Velero
```yaml
extraVolumes:
  - configMap:
      defaultMode: 420
      name: fizz-buzz
    name: ca-certs
extraVolumeMounts:
  - mountPath: /etc/ssl/cert.pem
    name: ca-certs
    subPath: ca.pem
configuration:
  extraVolumes:
    - configMap:
        defaultMode: 420
        name: fizz-buzz
      name: ca-certs
  extraVolumeMounts:
    - mountPath: /etc/ssl/cert.pem
      name: ca-certs
      subPath: ca.pem
nodeAgent:
  extraVolumes:
    - configMap:
        defaultMode: 420
        name: fizz-buzz
      name: ca-certs
  extraVolumeMounts:
    - mountPath: /etc/ssl/cert.pem
      name: ca-certs
      subPath: ca.pem
```
Gitlab-runner
```yaml
runners:
  config: |
    [[runners]]
      [[runners.kubernetes.volumes.config_map]]
        name = "fizz-buzz"
        mount_path = "/etc/gitlab-runner/certs"
```
Gitlab
FYI, there is an issue here: with this option enabled, the gitlab init container that adds these CAs to the shared mount tries to run as root, and Pepr prevents that, resulting in a failed init container. I had to add an exemption to make this work. There is probably a better way. /cc @mjnagel

```yaml
global:
  certificates:
    customCAs:
      - configMap: fizz-buzz
        keys:
          - ca.pem
```
Mattermost
```yaml
mattermostApp:
  extraVolumes:
    - name: ca-certs
      configMap:
        name: fizz-buzz
        defaultMode: 0644
  extraVolumeMounts:
    - name: ca-certs
      mountPath: /etc/ssl/cert.pem
      subPath: ca.pem
      readOnly: true
```
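Every snippet above mounts the same ca.pem, and several of them mount it with subPath over /etc/ssl/cert.pem or /etc/ssl/certs/ca-certificates.crt, which makes that one file the container's entire trust store. Two things are worth checking before the ConfigMap goes in: that the file really contains a CA certificate (not the server's leaf certificate, a common mix-up) and that a certificate issued by the private PKI actually chains to it. The following Go program is an added example, not code from this issue or from UDS; it generates its own private root CA, an unrelated CA and a server certificate at run time (constructed test material, with the hostname loki.example.internal assumed), then runs those two checks using only crypto/x509, the same verifier that Go-based clients such as Loki and Velero use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// BundleReport summarises the CERTIFICATE blocks found in a PEM bundle.
type BundleReport struct {
	Certs, CAs, Expired int
}

// InspectBundle parses every CERTIFICATE block in bundle (the ca.pem key of the
// ConfigMap) and counts how many are CA certificates and how many have expired.
// CAs == 0 means the file holds a server certificate, not a trust anchor.
func InspectBundle(bundle []byte, now time.Time) (BundleReport, error) {
	var r BundleReport
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue // e.g. a private key pasted into the bundle by mistake
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return r, fmt.Errorf("certificate %d: %w", r.Certs+1, err)
		}
		r.Certs++
		if c.IsCA {
			r.CAs++
		}
		if now.After(c.NotAfter) {
			r.Expired++
		}
	}
	if r.Certs == 0 {
		return r, errors.New("no CERTIFICATE blocks in bundle")
	}
	return r, nil
}

// VerifyAgainstBundle performs the check a client makes when bundle is its only
// trust store, which is what the subPath mounts over /etc/ssl/cert.pem produce:
// does leafPEM chain to a CA in bundle and match dnsName?
func VerifyAgainstBundle(bundle, leafPEM []byte, dnsName string, now time.Time) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundle) {
		return errors.New("bundle contains no parsable certificates")
	}
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return errors.New("leaf is not PEM encoded")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName, CurrentTime: now})
	return err
}

// Fixture is constructed test material generated at run time so the checks run
// offline: a private root CA, a server cert it issued, and an unrelated CA.
type Fixture struct {
	CAPEM, OtherCAPEM, LeafPEM []byte
	Host                       string
}

func NewFixture() Fixture {
	caKey := newKey()
	ca, caPEM := selfSignedCA("Example Private Root CA", caKey)
	_, otherPEM := selfSignedCA("Unrelated Root CA", newKey())
	host := "loki.example.internal" // assumed hostname
	return Fixture{CAPEM: caPEM, OtherCAPEM: otherPEM, LeafPEM: issueLeaf(ca, caKey, host), Host: host}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func selfSignedCA(cn string, key *ecdsa.PrivateKey) (*x509.Certificate, []byte) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &newKey().PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	f := NewFixture()
	now := time.Now()
	r, _ := InspectBundle(f.CAPEM, now)
	fmt.Printf("ca.pem: %d cert(s), %d CA(s), %d expired\n", r.Certs, r.CAs, r.Expired)
	fmt.Println("leaf vs private CA:  ", VerifyAgainstBundle(f.CAPEM, f.LeafPEM, f.Host, now))
	fmt.Println("leaf vs unrelated CA:", VerifyAgainstBundle(f.OtherCAPEM, f.LeafPEM, f.Host, now))
}
```

To run it against a real bundle, replace the fixture with the bytes of the ca.pem key (for example from `kubectl get configmap fizz-buzz -o jsonpath='{.data.ca\.pem}'`) and a certificate served by one of the internal endpoints. Two caveats that follow from the mounts above: a subPath mount of a ConfigMap is not updated when the ConfigMap changes, so rotating the CA requires a pod restart; and because the mount replaces the system bundle rather than adding to it, anything in that container that also talks to a public endpoint will fail unless the public roots are concatenated into the same ca.pem, which is exactly the case where the CAs count from InspectBundle should be more than one.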
I would also like to mention that I don't think this is currently supported with Keycloak. I had to make a kustomize manifest to add a volume/volumeMount and add a kc.sh command-line param to point it to the ca.pem file. I set this parameter: --truststore-paths=<path>
Edit: Put the wrong command arg there, fixed.