Using Self-Signed SSL Certs (Kubernetes Deployments)
This page details the optional steps you can take to use self-signed SSL/TLS certificates in a Kubernetes deployment of Cinchy. Only the root CA certificate (rootCA.crt) is distributed to the cluster; the root CA private key (rootCA.key) must stay off the cluster and out of source control.
1. Generate the self-signed root CA and the server certificate by executing the following commands in any folder. Replace mydomain.com with the hostname Cinchy is served on. The last command signs the CSR with the root CA to produce mydomain.com.crt (the original command list stopped at the CSR, which leaves no server certificate to deploy):
# Root CA private key (passphrase-protected by -des3) and self-signed root CA certificate
openssl genrsa -des3 -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
# Server key and certificate signing request (no trailing space after the CN)
openssl genrsa -out mydomain.com.key 2048
openssl req -new -sha256 -key mydomain.com.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" -out mydomain.com.csr
# Sign the CSR with the root CA to produce the server certificate
openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -sha256 -days 365 -out mydomain.com.crt
Note that modern browsers and TLS libraries match the hostname against the subjectAltName extension rather than the CN, so a certificate issued this way without a SAN will typically be rejected by clients even though the chain verifies.
2. Create a YAML file at cinchy.kubernetes/platform_components/base/self-signed-ssl-root-ca.yaml.
3. Add the following to the YAML file, pasting the PEM contents of rootCA.crt in place of the placeholder and keeping the indentation of the block scalar:
apiVersion: v1
kind: ConfigMap
metadata:
  name: self-signed-ca-pemstore
data:
  rootCA.crt: |
    <contents of rootCA.crt, each line indented to match>
4. Copy the self-signed root CA certificate file (rootCA.crt) into the cinchy.kubernetes/environment_kustomizations/cinchy_nonprod/base folder.
5. Add the following snippet to cinchy.kubernetes/environment_kustomizations/cinchy_nonprod/base/kustomization.yaml, changing the entry under files to match your root CA certificate file name:
configMapGenerator:
  - name: self-signed-ca-pemstore
    behavior: replace
    files:
      - rootCA.crt
6. Add the following entry under resources in the cinchy.kubernetes/platform_components/base/kustomization.yaml file:
- self-signed-ssl-root-ca.yaml
7. Add the Deployment patchesJson6902 below to each cinchy.kubernetes/environment_kustomizations/cinchy_nonprod/ENV_NAME/PLATFORM_COMPONENT_NAME/kustomization.yaml file, except "base".
  • Ensure that the rootCA.crt file name matches in the ConfigMap data key, the configMapGenerator files entry, and the patch subPath.
  • The path /spec/template/spec/containers/0/volumeMounts/- targets the first container in the pod spec; check that this is the application container in each Deployment you patch.
  • The mount only makes the file present at /etc/ssl/certs/rootCA.crt. Whether a given TLS client trusts it depends on how that client loads its trust store (OpenSSL's directory lookup, for example, reads hash-named files rather than arbitrary .crt files), so confirm trust with an actual TLS connection from the pod, not only with the file check in step 8.
- op: add
  path: /spec/template/spec/volumes/-
  value:
    name: self-signed-ca-pemstore
    configMap:
      name: self-signed-ca-pemstore
- op: add
  path: /spec/template/spec/containers/0/volumeMounts/-
  value:
    name: self-signed-ca-pemstore
    mountPath: /etc/ssl/certs/rootCA.crt
    subPath: rootCA.crt
8. Once the changes are deployed, verify that the root CA certificate is present on the pod under /etc/ssl/certs with the command below, substituting your own POD_NAME and NAMESPACE. Compare the printed SHA-256 fingerprint with that of your local rootCA.crt (openssl x509 -in rootCA.crt -noout -fingerprint -sha256) to confirm the right certificate was mounted:
kubectl exec -it POD_NAME -n NAMESPACE -- openssl x509 -in /etc/ssl/certs/rootCA.crt -noout -subject -issuer -dates -fingerprint -sha256
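The script below is an added example that is not part of the Cinchy documentation or the Cinchy project. It carries the full procedure above end to end, offline: it builds a private root CA, signs a server certificate for the Cinchy hostname (with a SAN, which the page's CN-only CSR lacks), renders the ConfigMap from step 3 directly from the PEM so nothing is pasted by hand, verifies the chain and hostname the way a TLS client would, and checks that the certificate embedded in the manifest is byte-for-byte the one on disk. The hostname cinchy.example.internal, the output directory ./pki and the CA subject are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not from the Cinchy documentation: private root CA, signed
# leaf certificate, rendered ConfigMap, and chain verification.
# Assumed values (not from the page): HOST, PKI_DIR, and the CA subject.
set -eu

PKI_DIR="${PKI_DIR:-./pki}"
HOST="${HOST:-cinchy.example.internal}"
CA_KEY="$PKI_DIR/rootCA.key"
CA_CRT="$PKI_DIR/rootCA.crt"
LEAF_KEY="$PKI_DIR/$HOST.key"
LEAF_CRT="$PKI_DIR/$HOST.crt"
MANIFEST="$PKI_DIR/self-signed-ssl-root-ca.yaml"

# Extension profiles: the root must assert CA:TRUE, the leaf must not, and the
# leaf carries the SAN that clients actually match the hostname against.
write_ext_file() {
  mkdir -p "$PKI_DIR"
  cat > "$PKI_DIR/ext.cnf" <<EOF
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
authorityKeyIdentifier = keyid, issuer
EOF
}

# Root CA: 4096-bit key, self-signed via a CSR so the v3_ca profile applies.
# The key is written unencrypted so this runs non-interactively; for a CA key
# kept off-cluster, prefer the page's -des3 passphrase-protected variant.
make_root_ca() {
  write_ext_file
  openssl genrsa -out "$CA_KEY" 4096 2>/dev/null
  openssl req -new -sha256 -key "$CA_KEY" \
    -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=MyOrg Private Root CA" \
    -out "$PKI_DIR/rootCA.csr" 2>/dev/null
  openssl x509 -req -in "$PKI_DIR/rootCA.csr" -signkey "$CA_KEY" -sha256 \
    -days 1024 -extfile "$PKI_DIR/ext.cnf" -extensions v3_ca \
    -out "$CA_CRT" 2>/dev/null
}

# Leaf: 2048-bit key, CSR, then signed by the root with the v3_leaf profile.
make_leaf_cert() {
  openssl genrsa -out "$LEAF_KEY" 2048 2>/dev/null
  openssl req -new -sha256 -key "$LEAF_KEY" \
    -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=$HOST" \
    -out "$PKI_DIR/$HOST.csr" 2>/dev/null
  openssl x509 -req -in "$PKI_DIR/$HOST.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" \
    -CAcreateserial -sha256 -days 365 \
    -extfile "$PKI_DIR/ext.cnf" -extensions v3_leaf \
    -out "$LEAF_CRT" 2>/dev/null
}

# Render the step-3 ConfigMap from the real PEM: the block scalar needs every
# PEM line indented four spaces under the "rootCA.crt: |" key.
write_configmap() {
  {
    printf '%s\n' 'apiVersion: v1' 'kind: ConfigMap' 'metadata:' \
      '  name: self-signed-ca-pemstore' 'data:' '  rootCA.crt: |'
    sed 's/^/    /' "$CA_CRT"
  } > "$MANIFEST"
  printf '%s\n' "$MANIFEST"
}

# Chain and hostname check: what a client that trusts rootCA.crt would do.
verify_chain() {
  openssl verify -CAfile "$CA_CRT" -verify_hostname "$HOST" "$LEAF_CRT" >/dev/null
}

# SHA-256 fingerprint of a certificate; run the same command in the pod
# (step 8) and compare against the local rootCA.crt.
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Extract the PEM back out of the manifest and confirm it is the CA on disk.
manifest_matches_ca() {
  sed -n 's/^    //p' "$MANIFEST" > "$PKI_DIR/from-manifest.crt"
  [ "$(ca_fingerprint "$PKI_DIR/from-manifest.crt")" = "$(ca_fingerprint "$CA_CRT")" ]
}

make_root_ca
make_leaf_cert
write_configmap
verify_chain && echo "chain and hostname OK for $HOST"
manifest_matches_ca && echo "manifest embeds $CA_CRT"
```

Run it once to produce ./pki/rootCA.crt (for the configMapGenerator in step 5), ./pki/self-signed-ssl-root-ca.yaml (the step-3 manifest) and the server key and certificate for the ingress or service that terminates TLS. Keep ./pki/rootCA.key out of the repository; only rootCA.crt belongs in the cluster.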