Cinchy v5.6

Using Self-Signed SSL Certs (Kubernetes Deployments)

This page details the optional steps that you can take to use self-signed SSL Certificates in a Kubernetes Deployment of Cinchy.
This process must be repeated after running the devops.automations script during your initial deployment and each additional time that you run the script (Ex: updating your Cinchy platform), because the script wipes out all of the custom configuration you set up for a self-signed certificate.
1. Generate the self-signed certificate by executing the following commands in any folder (the uppercase names are placeholders for your own server key file, CSR file and server name):

    openssl genrsa -des3 -out rootCA.key 4096
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
    openssl genrsa -out SERVER_KEY_FILE 2048
    openssl req -new -sha256 -key SERVER_KEY_FILE -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=SERVER_FQDN" -out SERVER_CSR_FILE
2. Create a yaml file located at cinchy.kubernetes/platform_components/base/self-signed-ssl-root-ca.yaml.
3. Add the following to the yaml file, pasting the PEM contents of your rootCA.crt under the rootCA.crt key:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: self-signed-ca-pemstore
    data:
      rootCA.crt: |
        # paste the full contents of rootCA.crt here, indented under the key
4. Add the self-signed root CA cert file to the cinchy.kubernetes/environment_kustomizations/cinchy_nonprod/base folder.
5. Add the following configMapGenerator snippet to the cinchy.kubernetes/environment_kustomizations/cinchy_nonprod/base/kustomization.yaml file, changing the files entry to match your root CA cert file name:

    configMapGenerator:
      - name: self-signed-ca-pemstore
        behavior: replace
        files:
          - rootCA.crt
6. Add the following line to the resources list in the cinchy.kubernetes/platform_components/base/kustomization.yaml file:

    - self-signed-ssl-root-ca.yaml
7. Add the Deployment patchesJson6902 below to each of your cinchy.kubernetes/environment_kustomizations/cinchy_nonprod/ENV_NAME/PLATFORM_COMPONENT_NAME/kustomization.yaml files, except "base". Each patchesJson6902 entry needs a target stanza selecting that component's Deployment; the patch operations themselves are:
  • Ensure that the rootCA.crt file name matches across the ConfigMap data key, the configMapGenerator files entry, and the patch subPath.

    - op: add
      path: /spec/template/spec/volumes/-
      value:
        name: self-signed-ca-pemstore
        configMap:
          name: self-signed-ca-pemstore
    - op: add
      path: /spec/template/spec/containers/0/volumeMounts/-
      value:
        mountPath: /etc/ssl/certs/rootCA.crt
        name: self-signed-ca-pemstore
        subPath: rootCA.crt
8. Once the changes are deployed, verify that the root CA cert is available on the pod under /etc/ssl/certs with the command below, substituting your own POD_NAME and NAMESPACE where noted:

    kubectl exec -it POD_NAME -n NAMESPACE -- openssl x509 -in /etc/ssl/certs/rootCA.crt -text
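Because the automation script wipes this wiring on every run, a quick consistency check before deploying saves a redeploy. The script below is an added example, not part of Cinchy's documentation or tooling; it embeds constructed copies of the three snippets above and flags any place where the ConfigMap name or the rootCA.crt file name disagrees (the check called out in step 7). It uses regular expressions rather than a YAML library so it runs with the standard library only.

```python
import re  # standard library only; the checks pull out just the keys that must agree
# Constructed sample contents standing in for the three files the steps above edit.
CONFIGMAP_YAML = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: self-signed-ca-pemstore
data:
  rootCA.crt: |
    (PEM body omitted in this sample)
"""
GENERATOR_YAML = """\
configMapGenerator:
  - name: self-signed-ca-pemstore
    behavior: replace
    files:
      - rootCA.crt
"""
PATCH_YAML = """\
- op: add
  path: /spec/template/spec/volumes/-
  value:
    name: self-signed-ca-pemstore
    configMap:
      name: self-signed-ca-pemstore
- op: add
  path: /spec/template/spec/containers/0/volumeMounts/-
  value:
    mountPath: /etc/ssl/certs/rootCA.crt
    name: self-signed-ca-pemstore
    subPath: rootCA.crt
"""
def _grab(pattern, text):
    # First capture group of pattern in text, or None when the key is absent.
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def check_ca_wiring(configmap_yaml, generator_yaml, patch_yaml):
    """Return a list of mismatches; an empty list means the three files agree."""
    cm_name = _grab(r"^\s+name:\s*(\S+)", configmap_yaml)         # metadata.name
    cm_key = _grab(r"^\s+([\w.-]+):\s*\|", configmap_yaml)        # data key
    gen_name = _grab(r"-\s*name:\s*(\S+)", generator_yaml)         # generator name
    gen_file = _grab(r"files:\s*\n\s*-\s*(\S+)", generator_yaml)  # generator file
    names = re.findall(r"^\s+name:\s*(\S+)", patch_yaml, re.M)     # volume, configMap, mount
    mount = _grab(r"mountPath:\s*(\S+)", patch_yaml)
    sub = _grab(r"subPath:\s*(\S+)", patch_yaml)
    problems = []
    if len({cm_name, gen_name, *names}) != 1:
        problems.append(f"ConfigMap/volume names differ: {cm_name}, {gen_name}, {names}")
    if len({cm_key, gen_file, sub, mount and mount.rsplit("/", 1)[-1]}) != 1:
        problems.append(f"cert file names differ: data={cm_key} files={gen_file} subPath={sub} mountPath={mount}")
    return problems
```

To check the real files, read each one with open() and pass its contents in place of the constructed strings; an empty result means the names line up.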
