Once your custom CA certificate is added to the cluster via configmap, the
Cluster Network Operator merges the user-provided and system CA certificates
into a single bundle and injects the merged bundle into the Operator requesting
the trust bundle injection.
|
After adding a config.openshift.io/inject-trusted-cabundle="true" label to the config map, existing data in it is deleted. The Cluster Network Operator takes ownership of a config map and only accepts ca-bundle as data.
You must use a separate config map to store service-ca.crt by using the service.beta.openshift.io/inject-cabundle=true annotation or a similar configuration. Adding a config.openshift.io/inject-trusted-cabundle="true" label and service.beta.openshift.io/inject-cabundle=true annotation on the same config map can cause issues.
|
Operators request this injection by creating an empty configmap with the
following label:
config.openshift.io/inject-trusted-cabundle="true"
An example of the empty configmap:
apiVersion: v1
data: {}
kind: configmap
metadata:
labels:
config.openshift.io/inject-trusted-cabundle: "true"
name: ca-inject (1)
namespace: apache
1 |
Specifies the empty configmap name. |
The Operator mounts this configmap into the container’s local trust store.
|
Adding a trusted CA certificate is only needed if the certificate is not
included in the Fedora CoreOS (FCOS) trust bundle.
|
Certificate injection is not limited to Operators. The Cluster Network Operator
injects certificates across any namespace when an empty configmap is created with the
config.openshift.io/inject-trusted-cabundle=true
label.
The configmap can reside in any namespace, but the configmap must be mounted as
a volume to each container within a pod that requires a custom CA. For example:
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-example-custom-ca-deployment
namespace: my-example-custom-ca-ns
spec:
...
spec:
...
containers:
- name: my-container-that-needs-custom-ca
volumeMounts:
- name: trusted-ca
mountPath: /etc/pki/ca-trust/extracted/pem
readOnly: true
volumes:
- name: trusted-ca
configmap:
name: trusted-ca
items:
- key: ca-bundle.crt (1)
path: tls-ca-bundle.pem (2)
1 |
ca-bundle.crt is required as the configmap key. |
2 |
tls-ca-bundle.pem is required as the configmap path. |