Open DuskEagle opened 4 years ago
Guys, I am also having an issue due to this. I have my custom domain SSL and wanted to configure it for the CockroachDB admin UI. I don't want an SSL warning while opening the admin UI. I want to apply this on an already running GKE cluster which is running on the Kubernetes CA. I am not able to upload my SSL certificate to the cockroach cert directory due to the emptyDir volume mount.
Guys, I am able to mount my domain SSL certificate and key in the cockroach-certs directory through a secret. My cluster is running with the Kubernetes CA.
Upload my SSL cert and key to the Kubernetes secret.

```
kubectl create secret generic my-certs --from-file=certs
```

Added k8s secret 'my-certs' in k8s volume.
```yaml
volumes:
- name: my-certs
  secret:
    defaultMode: 256   # decimal 256 = octal 0400 (owner read-only)
    secretName: my-certs
- name: datadir
  persistentVolumeClaim:
    claimName: datadir
- emptyDir: {}
  name: certs
```
Here is what my volume mount looks like.

```yaml
volumeMounts:
- mountPath: /cockroach/cockroach-data
  name: datadir
- mountPath: /cockroach/cockroach-certs
  name: certs
- mountPath: /cockroach/cockroach-certs/ui.key
  name: my-certs
  subPath: ui.key
- mountPath: /cockroach/cockroach-certs/ui.crt
  name: my-certs
  subPath: ui.crt
```
So after these changes I checked the certificate in each CockroachDB pod and it was there.

```
(iamvishalvyas)$ kubectl exec -it cockroachdb-1 -- bash
root@cockroachdb-1:/cockroach/cockroach-certs# ls
ca.crt node.crt node.key ui.crt ui.key
```
Also, now I am able to open my CockroachDB admin UI through my domain name without an SSL warning.
Hope this would be helpful.
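
An added example (not part of the comment above and not CockroachDB project code): a check over the volume layout shown in that comment. It flags secret volumes whose file mode is readable by group or other, and `subPath` mounts, which Kubernetes does not refresh when the Secret is updated, so a renewed UI certificate only takes effect after the pods restart. The function name `audit_secret_mounts` and the container name are assumptions; `POD_SPEC` is constructed from the comment's YAML.

```python
import stat

# Constructed sample: the volumes and mounts from the comment above, as a dict.
POD_SPEC = {
    "volumes": [
        {"name": "my-certs", "secret": {"secretName": "my-certs", "defaultMode": 256}},
        {"name": "datadir", "persistentVolumeClaim": {"claimName": "datadir"}},
        {"name": "certs", "emptyDir": {}},
    ],
    "containers": [{
        "name": "cockroachdb",  # assumed container name
        "volumeMounts": [
            {"mountPath": "/cockroach/cockroach-data", "name": "datadir"},
            {"mountPath": "/cockroach/cockroach-certs", "name": "certs"},
            {"mountPath": "/cockroach/cockroach-certs/ui.key", "name": "my-certs", "subPath": "ui.key"},
            {"mountPath": "/cockroach/cockroach-certs/ui.crt", "name": "my-certs", "subPath": "ui.crt"},
        ],
    }],
}


def audit_secret_mounts(spec):
    """Return (volume, finding) pairs for secret-backed certificate mounts."""
    findings = []
    secrets = {v["name"]: v["secret"] for v in spec.get("volumes", []) if "secret" in v}
    for name, src in secrets.items():
        # Kubernetes gives secret files mode 0644 when defaultMode is unset.
        mode = src.get("defaultMode", 0o644)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((name, f"mode {mode:04o} exposes key files to group/other"))
    for container in spec.get("containers", []):
        for mount in container.get("volumeMounts", []):
            if mount["name"] in secrets and "subPath" in mount:
                findings.append((mount["name"],
                                 f"{mount['mountPath']}: subPath mount is not refreshed "
                                 "when the Secret changes; restart pods after rotation"))
    return findings


if __name__ == "__main__":
    for volume, message in audit_secret_mounts(POD_SPEC):
        print(f"{volume}: {message}")
```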
Rather than writing to an `emptyDir` volume mount, request-cert should support writing to a configured K8s secret. This would make it possible to project the secrets generated by request-cert into the same directory as other certificates, such as UI certificates.