Certificates as Kubernetes Secrets
Sometimes it is necessary to store an SSL certificate as a Kubernetes secret. The example here is to secure a third-party S3-compatible objectstore for use with Portworx.
Creating the secret
- Copy your certificate to a location where kubectl is configured for this Kubernetes cluster. We will call the file objectstore.pem and copy it to the /opt/certs folder.
- Create the secret:
kubectl -n kube-system create secret generic objectstore-cert --from-file=/opt/certs/
- Confirm it was created correctly:
kubectl -n kube-system describe secret objectstore-cert
- Update the Portworx DaemonSet to add the mount secret and the environment variable:
kubectl -n kube-system edit ds portworx
The volumeMounts: section in the DaemonSet will have:
volumeMounts:
- mountPath: /etc/pwx/objectstore-cert
  name: objectstore-cert
The volumes: section in the DaemonSet will have:
volumes:
- name: objectstore-cert
  secret:
    secretName: objectstore-cert
    items:
    - key: objectstore.pem
      path: objectstore.pem
The env: section in the DaemonSet will have:
env:
- name: "AWS_CA_BUNDLE"
  value: "/etc/pwx/objectstore-cert/objectstore.pem"
- After saving the modified daemonset, Portworx will restart in a rolling update.
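A pre-flight check for the directory passed to --from-file in the steps above, as an added example that is not part of the Portworx documentation: when --from-file points at a directory, kubectl stores every regular file in it as a key of the secret, so the hypothetical function precheck_cert_dir confirms that only objectstore.pem is present and that it holds certificates and no private key. The sample files in the demo are constructed.

```shell
# precheck_cert_dir DIR KEY  (hypothetical helper, not a kubectl or Portworx command)
#   DIR: directory given to --from-file (the page uses /opt/certs)
#   KEY: file name the DaemonSet's items.key expects (objectstore.pem)
# Returns 0 when DIR is safe to load, 1 otherwise; reasons go to stderr.
precheck_cert_dir() {
    dir=$1 key=$2 rc=0

    if [ ! -f "$dir/$key" ]; then
        echo "missing $dir/$key: items.key '$key' would not resolve" >&2
        return 1
    fi

    # Every other file in DIR (hidden ones included) would become an
    # extra key in the secret, e.g. a stray private key or backup copy.
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if [ "$name" != "$key" ]; then
            echo "unexpected file '$name' would be stored in the secret" >&2
            rc=1
        fi
    done

    # A CA bundle needs at least one certificate and no key material.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$dir/$key"; then
        echo "$key contains no PEM certificate block" >&2
        rc=1
    fi
    if grep -q -e 'PRIVATE KEY-----' "$dir/$key"; then
        echo "$key contains a private key; AWS_CA_BUNDLE needs only certificates" >&2
        rc=1
    fi
    return $rc
}

# Demo on constructed files (placeholder PEM body, not a real certificate).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo/objectstore.pem"
precheck_cert_dir "$demo" objectstore.pem && echo "ok: only objectstore.pem present"
: > "$demo/objectstore.key.bak"     # stray file left next to the certificate
precheck_cert_dir "$demo" objectstore.pem || echo "blocked: clean the directory first"
rm -rf "$demo"
```

Run it against /opt/certs before the create secret step, and compare the keys listed by kubectl -n kube-system describe secret objectstore-cert with the single key the DaemonSet mounts.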
Last edited: Tuesday, Jan 26, 2021