Once your custom CA certificate is added to the cluster via ConfigMap, the
Cluster Network Operator merges the user-provided and system CA certificates
into a single bundle and injects the merged bundle into the Operator requesting
the trust bundle injection.
Operators request this injection by creating an empty ConfigMap with the
following label:
config.openshift.io/inject-trusted-cabundle="true"
An example of the empty ConfigMap:
apiVersion: v1
data: {}
kind: ConfigMap
metadata:
labels:
config.openshift.io/inject-trusted-cabundle: "true"
name: ca-inject (1)
namespace: apache
1 |
Specifies the empty ConfigMap name. |
The Operator mounts this ConfigMap into the container’s local trust store.
|
Adding a trusted CA certificate is only needed if the certificate is not
included in the Fedora CoreOS (FCOS) trust bundle.
|
certificate injection is not limited to Operators. The Cluster Network Operator
injects certificates across any namespace when an empty ConfigMap is created with the
config.openshift.io/inject-trusted-cabundle=true
label.
The ConfigMap can reside in any namespace, but the ConfigMap must be mounted as
a volume to each container within a pod that requires a custom CA. For example:
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-example-custom-ca-deployment
namespace: my-example-custom-ca-ns
spec:
...
spec:
...
containers:
- name: my-container-that-needs-custom-ca
volumeMounts:
- name: trusted-ca
mountPath: /etc/pki/ca-trust/extracted/pem
readOnly: true
volumes:
- name: trusted-ca
configMap:
name: trusted-ca
items:
- key: ca-bundle.crt (1)
path: tls-ca-bundle.pem (2)
1 |
ca-bundle.crt is required as the ConfigMap key. |
2 |
tls-ca-bundle.pem is required as the ConfigMap path. |