5c1537e2f2
Change-Id: Id97ddaf64057edb0f9b6a8f19c1f05265a2e3ce3 Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com>
4.9 KiB
Internal CA and NodePort Example
This section provides an example of how to configure an application to use NodePort to expose its self-managed -based service and to use an Internal for signing CERTIFICATEs.
Note that alternatively an External could be used with a NodePort-based solution as well.
This example requires that:
- Ensure that your administrator has enabled use of the cert-manager apiGroups in your policies.
Create an internal RootCA ISSUER in the default namespace by applying the following manifest file.
# Create a cluster-wide ISSUER for create self-signed certificates --- apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: system-selfsigning-issuer spec: selfSigned: {} # Create a Certificate (and key) for my RootCA --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: abccompany-starlingx-rootca-certificate spec: secretName: abccompany-starlingx-rootca-certificate duration: 8640h commonName: "abccompany-starlingx-rootca" isCA: true issuerRef: name: system-selfsigning-issuer kind: ClusterIssuer # Create the RootCA ISSUER --- apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: abccompany-starlingx-rootca-issuer spec: ca: secretName: abccompany-starlingx-rootca-certificateShare the public certificate of your internal RootCA to clients such that they can trust certificates signed by this RootCA.
CERT64=`kubectl get secret abccompany-starlingx-rootca-certificate -n default -o yaml | fgrep tls.crt | fgrep -v "f:tls.crt" | awk '{print $2}'` echo $CERT64 | base64 --decode > abccompany-starlingx-rootca-certificate.pemCreate a deployment of an example demo application that uses NodePort to expose its service and therefore manages its connection on its own, using a certificate it creates on its own.
Apply the following manifest.
Where
10.10.10.45is the Floating IP of the andabccompany-starlingx.mycompany.comis the for this address.(You should substitute with the IP Address and for the installation.)
apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: abccompany-starlingx.mycompany.com-certificate spec: duration: 2160h # 90d renewBefore: 360h # 15d secretName: abccompany-starlingx.mycompany.com-certificate issuerRef: name: abccompany-starlingx-rootca-issuer kind: Issuer commonName: abccompany-starlingx.mycompany.com dnsNames: - abccompany-starlingx.mycompany.com ipAddresses: - 10.10.10.45 --- apiVersion: apps/v1 kind: Deployment metadata: name: example-app spec: replicas: 1 selector: matchLabels: app: example-app template: metadata: labels: app: example-app spec: containers: - name: example-app image: example-app # not a real app, could substitute ‘busybox’ here to look at mounted cert files inside container imagePullPolicy: Always ports: - containerPort: 8443 protocol: TCP volumeMounts: - name: mycert mountPath: "/etc/mycert" # the files tls.crt, tls.key and ca.crt will be under /etc/mycert/ in container readOnly: true volumes: - name: mycert secret: secretName: abccompany-starlingx.mycompany.com-certificate --- apiVersion: v1 kind: Service metadata: name: example-app labels: app: example-app spec: type: NodePort ports: - port: 443 protocol: TCP targetPort: 8443 nodePort: 31118 selector: app: example-appIf example-app existed, you would access it from your browser with
https://abccompany-starlingx.mycompany.com:31118.If you are using busybox to look at mounted cert files, attach to container (e.g.
kubectl exec busybox-... -it -- shandcd /etc/mycert; ls).