Anshu

Reputation: 69

How can I add root certs into my existing truststore.jks file using kubectl?

I am new to kubernetes and trying to add root certs to my existing secret's truststore.jks file. Using get secret mysecret -o yaml, I am able to view the details of the truststore file inside mysecret, but I am not sure how to replace it with a new truststore file or to edit the existing one with the latest root certs. Can anyone help me get the correct command to do this using kubectl?

Thanks

Upvotes: 0

Views: 2396

Answers (1)

Dawid Kruk

Reputation: 9877

A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. There is official documentation about it at Kubernetes.io: Secrets.

Assuming that you created your secret by:

$ kubectl create secret generic NAME_OF_SECRET --from-file=keystore.jks

You can edit your secret by invoking the command:

$ kubectl edit secret NAME_OF_SECRET

It will show you a YAML definition similar to this:

apiVersion: v1
data:
  keystore.jks: HERE_IS_YOUR_JKS_FILE
kind: Secret
metadata:
  creationTimestamp: "2020-02-20T13:14:24Z"
  name: NAME_OF_SECRET
  namespace: default
  resourceVersion: "430816"
  selfLink: /api/v1/namespaces/default/secrets/jks-old
  uid: 0ce898af-8678-498e-963d-f1537a2ac0c6
type: Opaque

To change it to the new keystore.jks you would need to base64-encode it and paste it in place of the old one (HERE_IS_YOUR_JKS_FILE).

You can get a base64 encoded string by: cat keystore.jks | base64

After successfully editing your secret it should give you the message: secret/NAME_OF_SECRET edited

Also you can look at this StackOverflow answer.

It shows a way to replace an existing configmap, but with a little modification it can also replace a secret!

Example below:

  • Create a secret with keystore-old.jks:

    $ kubectl create secret generic my-secret --from-file=keystore-old.jks

  • Update it with keystore-new.jks:

    $ kubectl create secret generic my-secret --from-file=keystore-new.jks -o yaml --dry-run | kubectl replace -f -

Treating keystore.jks as a file allows you to use a volume mount to mount it to a specific location inside a pod.

The example YAML below creates a pod with the secret mounted as a volume:

apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
spec:
  containers:
  - name: ubuntu
    image: ubuntu
    command:
      - sleep
      - "360000"
    volumeMounts:
    - name: secret-volume
      mountPath: "/etc/secret"
  volumes:
  - name: secret-volume
    secret:
      secretName: NAME_OF_SECRET

Take a specific look at:

    volumeMounts:
    - name: secret-volume
      mountPath: "/etc/secret"
  volumes:
  - name: secret-volume
    secret:
      secretName: NAME_OF_SECRET

This part will mount your secret inside your /etc/secret/ directory. It will be available there with the name keystore.jks.

A word about mounted secrets:

Mounted Secrets are updated automatically

When a secret currently consumed in a volume is updated, projected keys are eventually updated as well. The kubelet checks whether the mounted secret is fresh on every periodic sync.

-- Kubernetes.io: Secrets.

Please let me know if you have any questions regarding that.

Upvotes: 1
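As an added example (not code from the question or from the answer above), the script below performs the encoding step the answer describes while avoiding a common pitfall: on GNU systems `base64` wraps its output at 76 columns, and a wrapped value pasted into the `data:` field is not valid. It writes a complete Secret manifest that can be handed to `kubectl replace -f` (or `kubectl apply -f`), and before anything is pushed to the cluster it checks that the encoded value decodes back to exactly the bytes of the truststore file. The names `demo-truststore` and `truststore.jks`, and the sample file contents, are constructed for the demo; the sample file merely begins with the JKS magic bytes and is not a usable keystore. Producing the updated truststore itself (importing the new root certs with keytool) happens before this step and is not shown.

```shell
#!/bin/sh
# Added example; not from the question or the answer above.
# Builds a Kubernetes Secret manifest carrying a JKS truststore and checks that
# the encoding round-trips before the manifest is handed to kubectl.
# Names (demo-truststore, truststore.jks) and the sample bytes are constructed.

# make_secret_manifest NAME NAMESPACE KEY FILE
# Prints a Secret manifest whose data.KEY is FILE base64-encoded on one line.
make_secret_manifest() {
  name=$1; ns=$2; key=$3; file=$4
  # GNU base64 wraps at 76 columns; the YAML value must be a single token,
  # so strip every newline (tr is portable, base64 -w0 is GNU-only).
  b64=$(base64 < "$file" | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$name" "$ns" "$key" "$b64"
}

# verify_manifest MANIFEST KEY FILE
# Exit status 0 only if data.KEY in MANIFEST decodes to exactly the bytes of FILE.
verify_manifest() {
  manifest=$1; key=$2; file=$3
  encoded=$(sed -n "s/^  $key: //p" "$manifest")
  [ -n "$encoded" ] || return 1
  printf '%s' "$encoded" | base64 -d | cmp -s - "$file"
}

# --- demo with a constructed placeholder file ---
demo_dir=$(mktemp -d)
# Starts with the JKS magic bytes (0xFEEDFEED) so it looks like a keystore; it is not one.
printf '\376\355\376\355constructed placeholder, not a real keystore' > "$demo_dir/truststore.jks"
make_secret_manifest demo-truststore default truststore.jks "$demo_dir/truststore.jks" > "$demo_dir/secret.yaml"
cat "$demo_dir/secret.yaml"
if verify_manifest "$demo_dir/secret.yaml" truststore.jks "$demo_dir/truststore.jks"; then
  echo "data.truststore.jks decodes to the original file; the manifest is ready for:"
  echo "  kubectl replace -f $demo_dir/secret.yaml"
fi
```

Two things worth checking when using the answer's `--dry-run | kubectl replace -f -` variant instead: `kubectl create secret generic --from-file` uses the file name as the data key unless you give it `key=path`, so switching from `keystore-old.jks` to `keystore-new.jks` also changes the file name a pod sees under the mount; `--from-file=keystore.jks=./keystore-new.jks` keeps the key stable. And because Secret data is only base64-encoded, not encrypted, anyone who can `get` the Secret can read the truststore, so RBAC on the Secret matters even though a truststore usually holds only public certificates.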
