From 2615799d6490f515f6aa656069d2b7db529778e6 Mon Sep 17 00:00:00 2001 From: Roy Golan Date: Thu, 28 Mar 2024 20:21:26 +0200 Subject: [PATCH] Add a guide on how to add a CA to pod or serverless workflow Fixes: #610 Signed-off-by: Roy Golan --- .../add-custom-ca-to-a-workflow-pod.adoc | 35 ++++++++++--------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/serverlessworkflow/modules/ROOT/pages/cloud/operator/add-custom-ca-to-a-workflow-pod.adoc b/serverlessworkflow/modules/ROOT/pages/cloud/operator/add-custom-ca-to-a-workflow-pod.adoc index 005b55c93..b91b61d7e 100644 --- a/serverlessworkflow/modules/ROOT/pages/cloud/operator/add-custom-ca-to-a-workflow-pod.adoc +++ b/serverlessworkflow/modules/ROOT/pages/cloud/operator/add-custom-ca-to-a-workflow-pod.adoc @@ -25,7 +25,8 @@ For the purpose of this guide we would take the k8s cluster root CA that is auto Add or amend this volumes and init-container snippet to your pod spec or podTemplate in a deployment: -```yaml +[source,yaml] +--- spec: volumes: - name: new-cacerts 
@@ -35,26 +36,27 @@ spec: image: registry.access.redhat.com/ubi9/openjdk-17 volumeMounts: - mountPath: /opt/new-cacerts - name: new-cacerts + name: new-cacerts command: - /bin/bash - -c - | cp $JAVA_HOME/lib/security/cacerts /opt/new-cacerts/ chmod +w /opt/new-cacerts/cacerts - keytool -importcert -no-prompt -keystore /opt/new-cacerts/cacerts -storepass changeit -file /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -``` + keytool -importcert -no-prompt -keystore /opt/new-cacerts/cacerts -storepass changeit -file /var/run/secrets/kubernetes.io/serviceaccount/ca.crt +--- The default keystore under `$JAVA_HOME` is part of the container image and is not mutable. We have to create the mutated copy to a shared volume, hence the 'new-cacerts' one. === Step 3: Configure Java to load the new keystore Here we would just mount the new, modified cacerts into the default location where the JVM looks at. -The example mainly uses the standard http client so alternatively we could mount the cacerts to a different location and +The Main.java example uses the standard http client so alternatively we could mount the cacerts to a different location and configure the Java runtime to load the new keystore with a system property `-Djavax.net.ssl.trustStore`. Note that libraries like resteasy don't respect that flag and may need to programmatically set the trust store location. -```yaml +[source,yaml] +--- containers: - command: - /bin/bash @@ -72,14 +74,15 @@ Note that libraries like resteasy don't respect that flag and may need to progra - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-5npmd readOnly: true -``` +--- Notice the volume mount of the previously mutated keystore. === Full working example -```yaml +[source,yaml] +--- apiVersion: v1 kind: Pod metadata: 
@@ -90,14 +93,14 @@ spec: image: registry.access.redhat.com/ubi9/openjdk-17 volumeMounts: - mountPath: /opt/new-cacerts - name: new-cacerts + name: new-cacerts command: - /bin/bash - -c - | cp $JAVA_HOME/lib/security/cacerts /opt/new-cacerts/ chmod +w /opt/new-cacerts/cacerts - keytool -importcert -no-prompt -keystore /opt/new-cacerts/cacerts -storepass changeit -file /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + keytool -importcert -no-prompt -keystore /opt/new-cacerts/cacerts -storepass changeit -file /var/run/secrets/kubernetes.io/serviceaccount/ca.crt containers: - command: - /bin/bash @@ -128,15 +131,16 @@ spec: - key: ca.crt path: ca.crt name: kube-root-ca.crt -``` +--- === {product_name} Example -Similar to a deployment spec, a workflow has a spec.podTemplate, with minor differences, but the change is almost identical. -In this case we are mounting some ingress CA bundle because we want our workflow to reach the `.apps.my-cluster-name.my-cluster-domain` SSL endpoint. +Similar to a deployment spec, a serverless workflow has a spec.podTemplate, with minor differences, but the change is almost identical. +In this case we are mounting some ingress ca bundle because we want our workflow to reach the `.apps.my-cluster-name.my-cluster-domain` SSL endpoint. Here is the relevant spec section of a workflow with the changes: -```yaml +[source,yaml] +--- #... spec: flow: @@ -177,12 +181,11 @@ spec: - key: ca.crt path: ca.crt name: kube-root-ca.crt -``` +--- == Additional Resources * Keytool documentation: {keytool-docs} -* Example of a podSpec with certificate initialization: https://gist.githubusercontent.com/rgolangh/90fa261c3a6a12bc1dbe89fa3ad4842b/raw/4875aeb353d47b471c453452e4862a1509161c88/pods-with-cert-init.yaml * Dynamically Creating Java keystores OpenShift - Blog Post: https://developers.redhat.com/blog/2017/11/22/dynamically-creating-java-keystores-openshift#end_to_end_springboot_demo
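Review bot: (hunk `@@ -25,7 +25,8 @@`) the new AsciiDoc delimiter introduced here is `---` (three hyphens), but an AsciiDoc listing block is delimited by `----` (four hyphens); Asciidoctor treats a bare `---` line as a Markdown-style thematic break, so the `[source,yaml]` attribute would attach to a horizontal rule and the YAML body would render as ordinary paragraphs. Replace the opening and closing `---` with `----` in this hunk and in every other hunk of the patch that makes the same fence change.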
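Review bot: (hunk `@@ -35,26 +36,27 @@`) the realigned `keytool -importcert` line has no `-alias`, so the cluster CA is stored under keytool's default alias `mykey`, and a second `-importcert` of another CA into the same copied keystore fails because the alias already exists; suggest adding an explicit alias such as `-alias kube-root-ca` so the step is repeatable. The prose this hunk edits could also state that `-storepass changeit` is the JDK's stock cacerts password and that the copied trust store keeps it, which is acceptable for a store holding only public certificates as long as readers do not treat the shared volume as a secret; mounting it `readOnly: true` in the workload container is a cheap safeguard.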
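Review bot: (hunk `@@ -72,14 +74,15 @@`) the context line `name: kube-api-access-5npmd` is a kubelet-generated projected service-account token volume name copied from a live pod; since this block is already being reworked, drop that volumeMount (the token volume is injected automatically) or replace the random suffix with a placeholder, otherwise readers who paste the example get a mount that references a volume that does not exist in their pod.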
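Review bot: (hunk `@@ -90,14 +93,14 @@`) the same missing `-alias` point raised for the init-container snippet applies to the `keytool -importcert` line in this full example; whichever fix is chosen, keep the partial snippet and the full example byte-identical, because the two copies in this patch already differ only by indentation and will drift further with separate edits.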
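Review bot: (hunk `@@ -128,15 +131,16 @@`) the rewritten sentence downcases "CA bundle" to "ca bundle"; CA is an initialism (certificate authority) and should stay uppercase, as it is everywhere else in this file, so the line should read `In this case we are mounting some ingress CA bundle because ...`. The "serverless workflow" clarification is fine.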
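Review bot: (hunk `@@ -177,12 +181,11 @@`) removing the gist bullet is reasonable now that the full pod example is inline, but it is unrelated to the fence conversion and the commit message does not mention it; add a line there so the change is traceable. Also confirm that `{keytool-docs}` is defined as a document attribute for this page, otherwise the remaining bullet renders the literal placeholder.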