4

I am looking to know (and how to do it) how to create a secured (TLS) route in OpenShift from a Secret that would contain my cert and key (or Java keystore), or two secrets (one with the certificate, another with the key), so that I do not need to write both of them in a ''route.yaml'' file directly but only refer to them......

UPDATE:

It looks like it is not possible, unless I do passthrough to the pod... see here ---> https://access.redhat.com/solutions/1582583

Still, I do not want that to be the definitive answer, since I think this should be supported.

Can someone tell me otherwise? Please!

yield

5 Answers

3

Unfortunately, as far as I know, you can't configure certificates as a secret in a route. If you just want to create the route object some other way than a YAML file, you can configure the route using the following CLI.

oc create route edge --service=frontend \
    --cert=${MASTER_CONFIG_DIR}/ca.crt \
    --key=${MASTER_CONFIG_DIR}/ca.key \
    --ca-cert=${MASTER_CONFIG_DIR}/ca.crt \
    --hostname=www.example.com

I hope it helps you :^)

Daein Park
  • It does and does not at the same time. I did explore that. It is indeed safer than a direct YAML file in an ''unsecure'' Git repo. I guess I'll use that as an additional step in my pipeline then. Thanks again! – yield Oct 27 '18 at 14:04
  • I created a ticket at Red Hat bound to an RFE. There was already one that seemed to be left for dead, so I pushed it back to Red Hat again. I will try to update this thread when I get updates from them. Hoping in a positive way. – yield Nov 02 '18 at 14:54
2

According to https://github.com/openshift/origin/issues/2162 this feature will not come to OpenShift anytime soon.

memo42
1

It's possible to process a route template with TLS without sharing the certificate and private key secrets.

  1. Store the CA certificate, server certificate and server private key in a TLS secret.
  2. oc get the secret's contents into tls.key/tls.crt/ca.crt files.
  3. Set in the route template:
     • TLS_PRIVATE_KEY/TLS_CERTIFICATE/CA_CERTIFICATE parameters
     • tls.key: ${TLS_PRIVATE_KEY}, tls.certificate: ${TLS_CERTIFICATE}, tls.caCertificate: ${CA_CERTIFICATE}
  4. oc process the template with -p "TLS_PRIVATE_KEY=$(cat tls.key)" -p "TLS_CERTIFICATE=$(cat tls.crt)" -p "CA_CERTIFICATE=$(cat ca.crt)"

The idea with multiline parameters is from: https://github.com/openshift/origin/issues/10687

With Helm it's even easier to get TLS values from a secret: the lookup function does the job.

tls:
    insecureEdgeTerminationPolicy: Redirect
    termination: edge
    key: {{ index (lookup "v1" "Secret" .Release.Namespace "my-tls-secret").data "tls.key" | b64dec | quote }}
    certificate: {{ index (lookup "v1" "Secret" .Release.Namespace "my-tls-secret").data "tls.crt" | b64dec | quote }}
    caCertificate: {{ index (lookup "v1" "Secret" .Release.Namespace "my-tls-secret").data "ca.crt" | b64dec | quote }}

The hint came from: https://stackoverflow.com/a/64325744/2017801

Guram Savinov
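The "export the TLS secret, then inline its PEM into the route" workflow above, as an added example in Python rather than oc process or Helm (this is not code from any of the answers). It assumes the secret was dumped with something like oc get secret my-tls-secret -o json > secret.json, and the placeholder names my-tls-secret, frontend and www.example.com are assumptions. The output is JSON, which oc apply -f accepts, so the private key only ever passes through the pipe and never lands in a committed route.yaml; the checks on secret type, required keys and PEM markers fail early instead of producing a route with an empty or garbled key.

```python
"""Render an OpenShift Route manifest from a kubernetes.io/tls Secret.

Added example, not code from the original answers. Implements the same
idea as the oc process / Helm lookup approaches: read tls.crt, tls.key and
ca.crt out of a TLS secret and place them in spec.tls of a Route, so the
PEM material is never written into a route.yaml by hand.
Assumed workflow (names are placeholders):
  oc get secret my-tls-secret -o json > secret.json
  python3 route_from_secret.py secret.json | oc apply -f -
"""
import base64
import json
import sys

REQUIRED_KEYS = ("tls.crt", "tls.key")


def _decode_pem(secret, key):
    """Base64-decode one data entry and insist on PEM armour."""
    raw = base64.b64decode(secret["data"][key], validate=True).decode("ascii")
    if "-----BEGIN " not in raw or "-----END " not in raw:
        raise ValueError(f"{key} in secret is not PEM encoded")
    return raw


def route_from_tls_secret(secret, route_name, service, hostname,
                          termination="edge", redirect_http=True):
    """Build a Route dict whose spec.tls fields carry the secret's PEM data."""
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError("secret must be of type kubernetes.io/tls")
    data = secret.get("data", {})
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        raise ValueError(f"secret is missing required keys: {missing}")
    tls = {
        "termination": termination,
        "certificate": _decode_pem(secret, "tls.crt"),
        "key": _decode_pem(secret, "tls.key"),
    }
    if "ca.crt" in data:  # optional: only present if the secret carries a CA chain
        tls["caCertificate"] = _decode_pem(secret, "ca.crt")
    if redirect_http:  # same effect as insecureEdgeTerminationPolicy: Redirect above
        tls["insecureEdgeTerminationPolicy"] = "Redirect"
    return {
        "apiVersion": "route.openshift.io/v1",
        "kind": "Route",
        "metadata": {"name": route_name},
        "spec": {
            "host": hostname,
            "to": {"kind": "Service", "name": service},
            "tls": tls,
        },
    }


def _fake_pem(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def _b64(text):
    return base64.b64encode(text.encode("ascii")).decode("ascii")


# Constructed sample secret in the shape `oc get secret -o json` returns.
# The PEM bodies are dummy strings, not a real certificate or key.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/tls",
    "metadata": {"name": "my-tls-secret"},
    "data": {
        "tls.crt": _b64(_fake_pem("CERTIFICATE", "MIIC...constructed-cert...")),
        "tls.key": _b64(_fake_pem("PRIVATE KEY", "MIIE...constructed-key...")),
        "ca.crt": _b64(_fake_pem("CERTIFICATE", "MIIB...constructed-ca...")),
    },
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            secret = json.load(fh)
    else:
        secret = SAMPLE_SECRET
    route = route_from_tls_secret(secret, "frontend", "frontend", "www.example.com")
    print(json.dumps(route, indent=2))
```

Pipe the output straight into oc apply -f - rather than redirecting it to a file in the repository: the rendered manifest contains the private key in clear, which is exactly what the question wanted to keep out of Git.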
0

My RFE was closed by Red Hat because it should be a requirement for OpenShift 4. Meanwhile, I started using TLS secrets instead and managing TLS termination directly in my containers, not on the route.

It goes like this. There is a secret type for TLS:

oc create secret tls mytlssecret --cert=<path/to/tls.crt> --key=<path/to/tls.key>

Hope this helps!

yield
0

One of the features of the Cert Utils Operator is the ability to populate route certificates.

Assuming you have a route myroute and a secret mysecret:

$ oc annotate route/myroute cert-utils-operator.redhat-cop.io/certs-from-secret=mysecret

The operator will then take care of updating the route with the certificate/key/ca certificate from the secret.

Sam Morris