cockroachdb / k8s

Images and utilities to run cockroach on kubernetes
Apache License 2.0

Support writing to K8s secrets #30

Open DuskEagle opened 4 years ago

DuskEagle commented 4 years ago

Rather than writing to an emptyDir volume mount, request-cert should support writing to a configured K8s secret. This would make it possible to project the secrets generated by request-cert into the same directory as other certificates, such as UI certificates.

imvishalvyas commented 4 years ago

Guys, I am also having an issue due to this. I have my custom domain SSL and wanted to configure it for the CockroachDB admin UI. I don't want an SSL warning while opening the admin UI. I want to apply this on an already running GKE cluster which runs on the Kubernetes CA. I can't upload my SSL certificate to the cockroach cert directory due to the emptyDir volume mount.

imvishalvyas commented 4 years ago

Guys, I am able to mount my domain SSL certificate and key in the cockroach-certs directory through a secret. My cluster is running with the Kubernetes CA.

1. Upload my SSL cert and key to a Kubernetes secret.

       kubectl create secret generic my-certs --from-file=certs

2. Added the k8s secret 'my-certs' to the k8s volumes.

       volumes:
       - name: my-certs
         secret:
           defaultMode: 256
           secretName: my-certs
       - name: datadir
         persistentVolumeClaim:
           claimName: datadir
       - emptyDir: {}
         name: certs

3. This is what my volume mounts look like.

       volumeMounts:
       - mountPath: /cockroach/cockroach-data
         name: datadir
       - mountPath: /cockroach/cockroach-certs
         name: certs
       - mountPath: /cockroach/cockroach-certs/ui.key
         name: my-certs
         subPath: ui.key
       - mountPath: /cockroach/cockroach-certs/ui.crt
         name: my-certs
         subPath: ui.crt

So after these changes I checked the certificate in each CockroachDB pod and it was there.

    (iamvishalvyas)$ kubectl exec -it cockroachdb-1 -- bash
    root@cockroachdb-1:/cockroach/cockroach-certs# ls
    ca.crt  node.crt  node.key  ui.crt  ui.key

Also, now I am able to open my CockroachDB admin UI through my domain name without an SSL warning.

Hope this would be helpful.
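The overlay pattern from the comment above, as an added example (not code from this repository or the commenter): it builds the secret volume plus one subPath mount per key for a cert directory, and lints a pod spec for secrets whose defaultMode is readable beyond the owner and for subPath mounts, which the kubelet does not refresh when the Secret is rotated. Function names and the sample spec are constructed for this example.

```python
"""Build and check the volume/volumeMount pairs that project individual keys
of a Kubernetes Secret into a certificate directory backed by an emptyDir."""
import stat
from typing import Dict, List

CERT_DIR = "/cockroach/cockroach-certs"  # directory used in the thread


def secret_overlay(secret_name: str, keys: List[str], mount_dir: str,
                   mode: int = 0o400) -> Dict[str, list]:
    """Return {'volumes': [...], 'volumeMounts': [...]} that project each key
    of `secret_name` as a single file under mount_dir (one subPath mount per
    key). defaultMode is an integer in the manifest; 0o400 == 256 decimal,
    the value used in the comment above (owner read-only)."""
    volumes = [{"name": secret_name,
                "secret": {"secretName": secret_name, "defaultMode": mode}}]
    mounts = [{"mountPath": f"{mount_dir}/{key}", "name": secret_name,
               "subPath": key} for key in keys]
    return {"volumes": volumes, "volumeMounts": mounts}


def check_secret_mounts(pod_spec: dict) -> List[str]:
    """Lint a pod spec (hypothetical helper). Reports secret volumes that are
    group- or world-readable (kubelet default is 0644 when defaultMode is
    omitted) and subPath mounts, because Kubernetes does not propagate Secret
    updates into a subPath mount: after rotating the cert, restart the pod."""
    problems: List[str] = []
    for vol in pod_spec.get("volumes", []):
        sec = vol.get("secret")
        if sec is None:
            continue
        mode = sec.get("defaultMode", 0o644)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"volume {vol['name']}: defaultMode {mode:#o} "
                            "is readable beyond the file owner")
    for container in pod_spec.get("containers", []):
        for mnt in container.get("volumeMounts", []):
            if "subPath" in mnt:
                problems.append(f"mount {mnt['mountPath']}: subPath mounts "
                                "are not updated on Secret rotation; "
                                "restart the pod after rotating")
    return problems


if __name__ == "__main__":
    overlay = secret_overlay("my-certs", ["ui.crt", "ui.key"], CERT_DIR)
    spec = {"volumes": overlay["volumes"] + [{"name": "certs", "emptyDir": {}}],
            "containers": [{"name": "cockroachdb",
                            "volumeMounts": overlay["volumeMounts"]}]}
    for line in check_secret_mounts(spec):
        print(line)
```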