[GH#87271] Add information about the openshift-service-ca.crt ConfigMap #87272
Conversation
The openshift kube-controller-manager maintains a ConfigMap in every namespace that publishes the service serving certifcate CA. Adding it to the documentation for users. Signed-off-by: James Hewitt <[email protected]>
openshift-ci
bot
added
size/M
|
Hi @Jamstah. Thanks for your PR. I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Hi @openshift/team-documentation, can I please have an OK to test on this one. |
|
/ok-to-test |
openshift-ci
bot
added
ok-to-test
|
/retest |
|
@Jamstah thanks for submitting this! Something funky is going on with our tests, but I'll help move this along (need to get engineering/QE review as well). I'll probably have some nits about the files - are you okay with making the updates if I point them out (and then squashing the commits afterward), or would you prefer me to take over the PR to make those final updates? |
|
/retest |
|
🤖 Mon Aug 25 14:28:08 - Prow CI generated the docs preview: |
modules/customize-certificates-access-default-service-serving-configmap.adoc
Outdated
Show resolved
Hide resolved
However you like to work :) |
Signed-off-by: James Hewitt <[email protected]>
|
The This is because your PR targets the If the update in your PR does NOT apply to version 4.19 onward, please re-target this PR to go directly into the appropriate version branch or branches (enterprise-4.x) instead of main. |
|
@bergerhoffer is there anyone else who can approve? |
|
Sorry for the delay, I've pinged again, we'll try to get someone soon. |
|
The This is because your PR targets the If the update in your PR does NOT apply to version 4.20 onward, please re-target this PR to go directly into the appropriate version branch or branches (enterprise-4.x) instead of main. |
|
@tkashem @wangke19 @bergerhoffer Can I get a review on this? We'd really like to be able to rely on this behaviour but its hard to do that when its undocumented. |
| = Access the service CA bundle in the default config map | ||
|
|
||
| A pod can access the service CA certificate by mounting the default | ||
| `ConfigMap` object that exists in every project. The service CA |
There was a problem hiding this comment.
"project" and "namespace" are synonyms in OpenShift, but using namespace is more consistent with Kubernetes docs. You might clarify: “…exists in every namespace (project).”
There was a problem hiding this comment.
Current step shows how to verify the config map exists, and better to expand this with a second step showing how to actually consume it inside a Pod.
2. Mount the config map into your pod so that applications can use the CA to validate TLS connections. Add a volume and volume mount in your pod specification:
apiVersion: v1
kind: Pod
metadata:
name: service-ca-example
spec:
containers:
- name: app
image: registry.redhat.io/ubi9/ubi-minimal
command: ["/bin/sh", "-c", "sleep 3600"]
volumeMounts:
- name: service-ca
mountPath: /var/run/configmaps/service-ca
readOnly: true
volumes:
- name: service-ca
configMap:
name: openshift-service-ca.crt
And step 3, include a verification workflow.
3. Test the CA with a TLS connection to a service that is using an OpenShift-issued serving certificate. For example, if you have a service named my-service in the same namespace, you can run the following command inside the pod:
curl --cacert /var/run/configmaps/service-ca/service-ca.crt https://my-service:443
If the connection succeeds without certificate errors, the service CA bundle is working correctly.
There was a problem hiding this comment.
Another thing, do we have a html version link to review.
There was a problem hiding this comment.
I think the only important thing is that we show them that this configmap exists and that it has a particular key and the value has a PEM header.
How to mount that configmap might be good to reference, but if one would add it there, it might be a little off-topic.
|
@Jamstah @bergerhoffer Abu(tkashem) has been moved to |
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ oc get configmap openshift-service-ca.crt -o yaml |
There was a problem hiding this comment.
Probably needs a namespace set here?
There was a problem hiding this comment.
Yes, in the context of mounting that configmap it would be necessary to use a specific namespace.
If you don't specify any, it returns the one on the default namespace / current project, so it works, but we can't be sure, that this is from the current project.
|
/retest |
|
Closing/reopening to try to kick off the tests again, since the preview link has since expired |
|
@Jamstah: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
|
||
| .Procedure | ||
|
|
||
| . View the config map to ensure that the service CA bundle is available: |
There was a problem hiding this comment.
I checked the code and the configmap must be there. If it gets deleted it gets recreated. So there is no direct point in checking that it is there. But there is value in showing the configmap, its name and the key / pem encoding.
The openshift kube-controller-manager maintains a ConfigMap in every namespace that publishes the service serving certifcate CA. Adding it to the documentation for users.
Version(s):
This functionality has existed since OpenShift 4.12.
Issue:
#87271
Link to docs preview:
https://87272--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/certificates/service-serving-certificate.html
QE review:
Additional information: