
How to insert certificate data into a route template or param file

Open etsauer opened this issue 7 years ago • 3 comments

Having this issue with a customer trying to adopt applier. We're having trouble figuring out how to insert the certificate data with format:

-----BEGIN CERTIFICATE-----
keydata
-----END CERTIFICATE-----

Into a parameter file such that it can be processed/applied into a route template. With a secret, this is simpler, because I can base64 and pass it in as raw secret data without line breaks, but since routes don't handle it the same way, we're struggling with it.

etsauer avatar Jun 22 '18 18:06 etsauer

I've found something that works. Not sure if it's the most ideal solution.

Certfile:

apiVersion: v1
kind: Template
metadata:
  creationTimestamp: null
  name: secure-route
objects:
- apiVersion: v1
  kind: Route
  metadata:
    annotations:
      openshift.io/host.generated: "true"
    creationTimestamp: null
    labels:
      app: nodejs-mongodb-example
      template: nodejs-mongodb-example
    name: nodejs-mongodb-example
  spec:
    host: nodejs-mongodb-example-sbx-esauer.apps.d1.casl.rht-labs.com
    to:
      kind: Service
      name: nodejs-mongodb-example
      weight: 100
    wildcardPolicy: None
    tls:
      termination: edge
      key: |-
        -----BEGIN PRIVATE KEY-----
        ${KEY}
        -----END PRIVATE KEY-----
      certificate: |-
        -----BEGIN CERTIFICATE-----
        ${CERTIFICATE}
        -----END CERTIFICATE-----
      caCertificate: |-
        -----BEGIN CERTIFICATE-----
        ${CA_CERTIFICATE}
        -----END CERTIFICATE-----
parameters:
- name: KEY
- name: CERTIFICATE
- name: CA_CERTIFICATE

Output cert data with no line breaks:

tr -d '\n' < src/openshift-toolkit/image-management/myorg-openjdk18/certs/myorg-rootCA.pem | sed -e 's/-----BEGIN CERTIFICATE-----//' -e 's/-----END CERTIFICATE-----//'

Param file:

KEY=<key data>
CERTIFICATE=<cert data>
CA_CERTIFICATE=<ca data>

etsauer avatar Jun 27 '18 19:06 etsauer
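The procedure in the comment above (placeholders inside literal BEGIN/END lines in the template, one-line base64 bodies in the param file), as an added shell example that is not from the issue thread or from openshift-applier. It generalises the tr/sed pipeline to any PEM label, refuses files with more than one block (a CA bundle would otherwise be joined into a single invalid body that the template wraps in one armour pair), and checks that each file's label matches the armour hard-coded in the template. The function names (pem_label, pem_body, require_label, write_route_params, make_sample_pem) and the sample PEM bodies are my own constructions, not real key or certificate material.

```shell
#!/bin/sh
# Added example, not code from the issue or from openshift-applier.
# Emits the KEY=/CERTIFICATE=/CA_CERTIFICATE= lines for the param file from
# ordinary PEM files. The template keeps the BEGIN/END armour as literal
# lines, so each parameter must carry only the base64 body, on one line.
# All function names here are my own.

# pem_label FILE: print the label of the first PEM block, e.g. "CERTIFICATE"
# or "PRIVATE KEY". Empty output means no block was found.
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1
}

# pem_body FILE: print the base64 body of the single PEM block in FILE with
# the armour, newlines and CRs removed. Refuses zero blocks (nothing to
# export) and more than one (e.g. a CA bundle): joining several bodies
# would produce one blob under a single armour pair, which no parser accepts.
pem_body() {
    file=$1
    [ -r "$file" ] || { echo "pem_body: cannot read $file" >&2; return 1; }
    blocks=$(grep -c '^-----BEGIN ' "$file" || true)
    if [ "$blocks" -ne 1 ]; then
        echo "pem_body: expected exactly one PEM block in $file, found $blocks" >&2
        return 1
    fi
    sed -n '/^-----BEGIN /,/^-----END /p' "$file" | grep -v '^-----' | tr -d '\r\n'
}

# require_label FILE LABEL: fail unless FILE's block is of type LABEL. The
# template hard-codes "PRIVATE KEY" (PKCS#8) armour; a PKCS#1 key whose file
# says "RSA PRIVATE KEY" would be relabelled into a body/armour mismatch.
require_label() {
    got=$(pem_label "$1")
    if [ "$got" != "$2" ]; then
        echo "$1: block is '$got', template expects '$2'" >&2
        return 1
    fi
}

# write_route_params KEYFILE CERTFILE CAFILE: print the param file contents
# in the KEY=... form used with the template above.
write_route_params() {
    require_label "$1" "PRIVATE KEY" || return 1
    require_label "$2" "CERTIFICATE" || return 1
    require_label "$3" "CERTIFICATE" || return 1
    key=$(pem_body "$1") || return 1
    cert=$(pem_body "$2") || return 1
    ca=$(pem_body "$3") || return 1
    printf 'KEY=%s\nCERTIFICATE=%s\nCA_CERTIFICATE=%s\n' "$key" "$cert" "$ca"
}

# make_sample_pem FILE LABEL BODY...: write a constructed PEM file for the
# demo. The body lines are placeholders, not real key or certificate data.
make_sample_pem() {
    f=$1; label=$2; shift 2
    {
        printf '%s\n' "-----BEGIN $label-----"
        for body_line in "$@"; do printf '%s\n' "$body_line"; done
        printf '%s\n' "-----END $label-----"
    } > "$f"
}

# demo: constructed inputs end to end, including the two rejected cases.
demo() {
    d=$(mktemp -d)
    make_sample_pem "$d/key.pem"  "PRIVATE KEY" "MIIEvQ" "IBADAN"
    make_sample_pem "$d/cert.pem" "CERTIFICATE" "MIIB" "szCC"
    make_sample_pem "$d/ca.pem"   "CERTIFICATE" "MIIC" "ABCD"
    write_route_params "$d/key.pem" "$d/cert.pem" "$d/ca.pem"
    # A bundle with two certificates is refused rather than silently joined.
    cat "$d/cert.pem" "$d/ca.pem" > "$d/bundle.pem"
    pem_body "$d/bundle.pem" || true
    # A PKCS#1 key is refused because the template armour says PRIVATE KEY.
    make_sample_pem "$d/rsa.pem" "RSA PRIVATE KEY" "MIIE"
    write_route_params "$d/rsa.pem" "$d/cert.pem" "$d/ca.pem" || true
    rm -rf "$d"
}

demo
```

If the key file carries RSA PRIVATE KEY armour (PKCS#1), convert it to PKCS#8 first with openssl pkcs8 -topk8 -nocrypt -in key.pem -out key-pkcs8.pem; the template rewraps the body in PRIVATE KEY armour, and a PKCS#1 body under that label will not parse. Redirect write_route_params to the param file, and treat that file as secret material, since the private key sits in it in the clear.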

As a note for future me, this same issue is present when trying to pass the private key in via the params_from_vars on the command line.

tylerauerbeck avatar Aug 03 '18 15:08 tylerauerbeck

@tylerauerbeck we're in the process of moving towards using an operator/controller for handling of certificates, rather than an IaC approach. Basically, you apply an "empty" route with applier, annotated to indicate it is in need of a cert, and the operator comes along and fills in the cert data.

https://github.com/etsauer/cert-operator

etsauer avatar Aug 03 '18 15:08 etsauer