How to insert certificate data into a route template or param file
Having this issue with a customer trying to adopt applier. We're having trouble figuring out how to insert the certificate data with format:
-----BEGIN CERTIFICATE-----
keydata
-----END CERTIFICATE-----
Into a parameter file such that it can be processed/applied into a route template. With a secret, this is simpler, because I can base64 and pass it in as raw secret data without line breaks, but since routes don't handle it the same way, we're struggling with it.
I've found something that works. Not sure if it's the most ideal solution.
Certfile:
apiVersion: v1
kind: Template
metadata:
  creationTimestamp: null
  name: secure-route
objects:
- apiVersion: v1
  kind: Route
  metadata:
    annotations:
      openshift.io/host.generated: "true"
    creationTimestamp: null
    labels:
      app: nodejs-mongodb-example
      template: nodejs-mongodb-example
    name: nodejs-mongodb-example
  spec:
    host: nodejs-mongodb-example-sbx-esauer.apps.d1.casl.rht-labs.com
    to:
      kind: Service
      name: nodejs-mongodb-example
      weight: 100
    wildcardPolicy: None
    tls:
      termination: edge
      key: |-
        -----BEGIN PRIVATE KEY-----
        ${KEY}
        -----END PRIVATE KEY-----
      certificate: |-
        -----BEGIN CERTIFICATE-----
        ${CERTIFICATE}
        -----END CERTIFICATE-----
      caCertificate: |-
        -----BEGIN CERTIFICATE-----
        ${CA_CERTIFICATE}
        -----END CERTIFICATE-----
parameters:
- name: KEY
- name: CERTIFICATE
- name: CA_CERTIFICATE
Output cert data with no line breaks:
tr -d '\n' < src/openshift-toolkit/image-management/myorg-openjdk18/certs/myorg-rootCA.pem | sed 's/[\-]\{5\}BEGIN CERTIFICATE[\-]\{5\}//' | sed 's/[\-]\{5\}END CERTIFICATE[\-]\{5\}//'
Param file:
KEY=<key data>
CERTIFICATE=<cert data>
CA_CERTIFICATE=<ca data>
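The `tr`/`sed` one-liner above is easy to get wrong by hand, and it silently produces garbage when a file holds more than one PEM block (a CA bundle): after `tr -d '\n'` the whole file is one line, `sed 's/.../'` without `g` strips only the first BEGIN/END pair, and the template then wraps two concatenated bodies in a single header/footer, which no PEM parser will accept. The script below is an added example, not code from the thread or from applier. It does the same flattening with a function per step, refuses multi-block files, and writes the KEY/CERTIFICATE/CA_CERTIFICATE param file the template expects. File names under the temp directory and the PEM bodies are constructed placeholders, not real keys or certificates.

```shell
#!/bin/sh
# Added example: flatten single-block PEM files into the one-line base64 bodies
# that the secure-route template wraps in BEGIN/END lines, and write the param
# file. Not part of the original thread; file names and PEM bodies are made up.

# pem_block_count FILE: number of "-----BEGIN ...-----" lines in FILE
# (grep -c prints 0 on no match but exits 1, hence the "|| true").
pem_block_count() {
    grep -c '^-----BEGIN ' "$1" || true
}

# pem_body FILE: base64 body of the first PEM block in FILE, with the
# BEGIN/END lines and every line break removed. This is the value that goes
# after "CERTIFICATE=" in the param file; the template re-adds the
# header and footer lines around ${CERTIFICATE}.
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1" \
        | grep -v -e '^-----BEGIN ' -e '^-----END ' \
        | tr -d '\r\n'
}

# make_param_file KEYFILE CERTFILE CAFILE OUT: write KEY=, CERTIFICATE= and
# CA_CERTIFICATE= lines to OUT. Refuses any input holding more than one PEM
# block, because the template wraps each value in exactly one BEGIN/END pair.
make_param_file() {
    for f in "$1" "$2" "$3"; do
        if [ "$(pem_block_count "$f")" -ne 1 ]; then
            echo "error: $f must contain exactly one PEM block" >&2
            return 1
        fi
    done
    {
        echo "KEY=$(pem_body "$1")"
        echo "CERTIFICATE=$(pem_body "$2")"
        echo "CA_CERTIFICATE=$(pem_body "$3")"
    } > "$4"
}

# Constructed sample inputs (placeholder base64, not real key or cert material).
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'S0VZMQ==' 'S0VZMg==' '-----END PRIVATE KEY-----' > "$DEMO/tls.key"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q0VSVDE=' 'Q0VSVDI=' '-----END CERTIFICATE-----' > "$DEMO/tls.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q0ExCg==' '-----END CERTIFICATE-----' > "$DEMO/ca.crt"
# A two-certificate bundle, to exercise the refusal path.
cat "$DEMO/tls.crt" "$DEMO/ca.crt" > "$DEMO/bundle.crt"

make_param_file "$DEMO/tls.key" "$DEMO/tls.crt" "$DEMO/ca.crt" "$DEMO/route.params"
cat "$DEMO/route.params"
```

Because the template's block scalars put `${CERTIFICATE}` on a line of its own between the header and footer, the single-line body is enough: PEM decoders accept base64 regardless of where the line breaks fall. If you need to pass a full chain, the template would need one block per certificate rather than one `caCertificate` value.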
As a note for future me, this same issue is present when trying to pass the private key in via the params_from_vars on the command line.
@tylerauerbeck we're in the process of moving towards using an operator/controller for handling of certificates, rather than an IaC approach. Basically, you apply an "empty" route with applier, annotated to indicate it is in need of a cert, and the operator comes along and fills in the cert data.
https://github.com/etsauer/cert-operator