Exposed VOLUME where certs are stored
julianxhokaxhiu opened this issue · 4 comments
Hi,
I am currently using this together with nginx-ingress controller and it works really well. Thank you very much for this project.
Although I have the need to expose certs obtained through your pod across other pods too. In order to do so, it would be more than enough for me to have the possibility to mount a volume on the host, so I can hard-link those files. Basically I need the public crt and the private key files, possibly named using the same inherited secret name through the tls declaration.
An example of this would be:
$ kubectl get secret
NAME TYPE DATA AGE
mydomain.com-tls kubernetes.io/tls 2 22m
$ cd /mnt/certs # the mounted path
$ tree
.
├── mydomain.com-tls.crt
└── mydomain.com-tls.key
Is it possible to do this already? I checked your Dockerfile and I didn't see any VOLUME definition, therefore I thought it's not possible. However, feel free to correct me if I am wrong.
Thank you in advance,
Julian
Hi @julianxhokaxhiu, glad to see this is working well for you.
You can just mount the generated secrets into other pods in the same way as any other secret. The Kubernetes docs here explain how to do that in more detail.
Thank you for the suggestion @dippynark
Although I saw that already, the current issue is that I have no idea how the secret is stored internally. Is it a JSON? Is it a plain text blob? How can I recognize where the crt and where the key content is?
Any idea is highly appreciated.
@julianxhokaxhiu kube-lego doesn't store any of the certificates in any Pod, it puts them all into Kubernetes Secret resources. Each Secret resource has two key value pairs in the data section with keys of tls.key and tls.crt with values of your key and certificate, so if you were to mount the Secret at some directory within a Pod, you'd get two files called tls.key and tls.crt containing the values you want. You can see the two values by doing kubectl get secret mydomain.com-tls -o yaml. This will return them encoded in base64 as normal. I hope that helps.
Awesome help! Thank you very much, really appreciated!
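Added example, not part of the original thread or of the kube-lego project: a Pod manifest that mounts the mydomain.com-tls Secret read-only at /mnt/certs and uses items to rename tls.crt and tls.key to the file names asked for in the issue. The Pod name, container name and image are hypothetical placeholders; the Pod must be in the same namespace as the Secret.

```yaml
# Example consumer Pod (names and image are hypothetical placeholders).
apiVersion: v1
kind: Pod
metadata:
  name: cert-consumer                 # hypothetical
spec:
  containers:
    - name: app                       # hypothetical
      image: registry.example/cert-consumer:1.0   # placeholder image
      volumeMounts:
        - name: tls-certs
          mountPath: /mnt/certs       # path used in the issue
          readOnly: true              # the container only needs to read the files
  volumes:
    - name: tls-certs
      secret:
        secretName: mydomain.com-tls  # Secret of type kubernetes.io/tls from the issue
        # Files are written base64-decoded, so they contain plain PEM data.
        # 0400 = readable only by the file owner (root by default). If the
        # container runs as a non-root user, set securityContext.fsGroup on
        # the Pod and use 0440 so the process can still read the key.
        defaultMode: 0400
        # Without "items" the files would be named tls.crt and tls.key.
        # "items" projects each key to a custom relative path instead.
        items:
          - key: tls.crt
            path: mydomain.com-tls.crt
          - key: tls.key
            path: mydomain.com-tls.key
```

When the Secret is updated on renewal, the mounted files are refreshed by the kubelet, so no hostPath volume or hard-linking on the node is needed.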