Visit the Kubernetes Operator GitHub repository to learn more.

Importing the PKCS12 Certificate to Doppler

As the PKCS12 certificate is in binary format, it must be base64 encoded before importing to Doppler.

If you haven't yet created a Doppler project, you can use the CLI:

```
doppler projects create pkcs12
```

Select the environment to import the secret to:

```
doppler setup --project pkcs12 --config prd
```

Then create the base64 encoded PKCS12 certificate secret:

```
doppler secrets set PKCS12_CERT="$(base64 -i doppler.p12)"
```

(`base64 -i` is the macOS invocation; with GNU coreutils use `base64 -w0 doppler.p12`, which also disables the default 76-column line wrapping so the stored value is a single line.)

If your PKCS12 certificate is password-protected, add the password too:

```
doppler secrets set PKCS12_PASS="changeit"
```

Kubernetes Operator Secrets Sync

A Doppler Service Token is required to give the Operator access to the secrets for a specific project and config. It is scoped to that one project and config, and it will be stored in a Kubernetes secret that the Operator then reads.

Create the Service Token and inject it as a Kubernetes secret in the doppler-operator-system namespace:

```
kubectl create secret generic doppler-project-pkcs12-token \
  --namespace doppler-operator-system \
  --from-literal=serviceToken="$(doppler configs tokens create kubernetes-operator --plain)"
```

Next, we'll create a custom DopplerSecret resource, which contains the data the Operator uses to manage the Kubernetes secret holding the synced secrets.

Kubernetes secrets are base64 encoded, not for security, but so that they can hold binary values such as PKCS12 certificates; anyone permitted to read the Secret object can decode the value, so access to it still has to be restricted with RBAC. But as the PKCS12 certificate is already base64 encoded in Doppler, we'll use the optional processors map, which tells the Operator to treat the PKCS12_CERT value as base64 rather than encoding it a second time, so the Secret (and any file mounted from it) contains the original binary keystore instead of base64 text.

Save the file contents as doppler-secret-pkcs12.yaml:

```yaml
apiVersion: secrets.doppler.com/v1alpha1
kind: DopplerSecret
metadata:
  name: doppler-secret-pkcs12 # Name of custom resource
  namespace: doppler-operator-system
spec:
  tokenSecret:
    name: doppler-project-pkcs12-token # Name of Kubernetes service token secret from previous step
  managedSecret:
    name: doppler-pkcs12 # Name of Kubernetes secret Operator will sync secrets to
    namespace: default # Namespace of the deployment that will use the secret
  processors:
    PKCS12_CERT:
      type: base64 # Instructs the Operator to not base64 encode the secret value again
```

Then create the DopplerSecret in Kubernetes:

```
kubectl apply -f doppler-secret-pkcs12.yaml
```

You can check that the Operator created the synced Kubernetes secret by querying for secrets with the Operator's custom label:

```
kubectl describe secrets --selector=secrets.doppler.com/subtype=dopplerSecret
```

The output should be similar to:

```
Name:         doppler-pkcs12
Namespace:    default
Labels:       secrets.doppler.com/subtype=dopplerSecret
Annotations:  secrets.doppler.com/dashboard-link: <URL omitted>
              secrets.doppler.com/processor-version: 07647691b375a71fda056fa16a8adb90a1caa0aea8e8adc3bc6ee7a5b69405a4
              secrets.doppler.com/version: W/"d249692722e5022e9a08b911e4b4f53de7e69d0c6c98df6ddde8c679347a4b47"

Type:  Opaque

Data
====
PKCS12_PASS:          8 bytes
DOPPLER_CONFIG:       3 bytes
DOPPLER_ENVIRONMENT:  3 bytes
DOPPLER_PROJECT:      6 bytes
PKCS12_CERT:          3975 bytes
```

The sizes reported by `kubectl describe` are those of the decoded values: 8 bytes matches the password "changeit", 3 bytes matches "prd", and PKCS12_CERT at 3975 bytes is the size of the binary keystore itself. Had the base64 processor been left out, the stored value would be the base64 text and roughly a third larger (about 5300 bytes), which is a quick way to spot a doubly encoded certificate.

Mount PKCS12 Certificate Inside a Kubernetes Deployment

The final step is mounting the certificate inside a container. The deployment uses the doppler-pkcs12 managed secret created by the Operator to mount the certificate through a secret volume and to supply the certificate password through the PKCS12_PASS environment variable. The container's command and args combine to verify the certificate by extracting its metadata for testing purposes.
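The effect of the processors map can be reproduced offline. The script below is an added example written for this page, not code from the tutorial or from the Doppler project: plain shell stands in for Doppler, the Operator and the kubelet, and a constructed twelve-byte string (beginning with the DER SEQUENCE tag that every real PKCS12 file starts with) stands in for doppler.p12. It shows that with `type: base64` the mounted file is byte-identical to the keystore, while without the processor the container receives base64 text, and it includes the first-byte check you can run inside a pod to tell the two apart.

```shell
#!/bin/sh
# Added example (not from the original tutorial): simulates the two paths a
# base64-encoded PKCS12 value can take through Doppler -> Operator -> Kubernetes
# Secret -> mounted file, with and without the Operator's "base64" processor.
# Only coreutils are used; the .p12 is a constructed stand-in, not a real keystore.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for doppler.p12: a DER SEQUENCE header (0x30 0x82)
# followed by bytes that break naive text handling (NUL, 0xFF, LF, CR).
make_sample_p12() {
    printf '\060\202\003\200\000\377\012\015\001\002\003\004' > "$WORK/doppler.p12"
}

# What `doppler secrets set PKCS12_CERT="$(base64 -i doppler.p12)"` stores:
# the keystore as a single line of base64 text.
doppler_import() {
    base64 < "$WORK/doppler.p12" | tr -d '\n' > "$WORK/doppler_value.txt"
}

# Simulated Operator sync. $1 is the processor type for PKCS12_CERT:
#   plain  - value copied into the Secret as-is (no processor configured)
#   base64 - value decoded once before being written into the Secret
# Kubernetes base64-encodes every data value for the API and decodes it again
# when mounting, so the mounted file equals whatever the Operator stored.
operator_sync_and_mount() {
    case "$1" in
        base64) base64 -d < "$WORK/doppler_value.txt" > "$WORK/mounted_PKCS12_CERT" ;;
        plain)  cat "$WORK/doppler_value.txt" > "$WORK/mounted_PKCS12_CERT" ;;
        *) echo "unknown processor: $1" >&2; return 2 ;;
    esac
}

# Succeeds only if the mounted file is byte-identical to the original keystore.
roundtrip_matches() {
    make_sample_p12
    doppler_import
    operator_sync_and_mount "$1"
    cmp -s "$WORK/doppler.p12" "$WORK/mounted_PKCS12_CERT"
}

# First byte of a file as a character. A DER PKCS12 file starts with the
# SEQUENCE tag 0x30, which happens to be ASCII '0'; a base64 copy of the same
# file starts with 'M' (the familiar "MII..." prefix). Usable inside a pod as
#   head -c 1 /path/to/PKCS12_CERT
first_byte() {
    head -c 1 "$1"
}

mounted_is_der() {
    [ "$(first_byte "$WORK/mounted_PKCS12_CERT")" = "0" ]
}

if roundtrip_matches base64; then
    echo "base64 processor: mounted file matches the keystore"
fi
if ! roundtrip_matches plain; then
    echo "no processor: mounted file is base64 text, first byte '$(first_byte "$WORK/mounted_PKCS12_CERT")'"
fi
```

The same first-byte test works against a real mount: a file that begins with "MII" instead of a 0x30 byte means the value was encoded twice, and `openssl pkcs12 -info -noout -in <file>` will refuse to parse it.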
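A deployment matching the description in the final step, as an added example for this page rather than the tutorial's own manifest: it mounts PKCS12_CERT from the doppler-pkcs12 Secret as a read-only file, passes PKCS12_PASS from the same Secret as an environment variable, and runs `openssl pkcs12 -info -noout` against the file to verify it. The image alpine/openssl, the mount path /etc/pkcs12 and the workload name pkcs12-verify are assumptions; any image with the openssl CLI and any path will do. The manifest is emitted from a shell function so it can be piped straight into `kubectl apply -f -`.

```shell
#!/bin/sh
# Added example, not from the original tutorial: renders the Deployment that
# consumes the doppler-pkcs12 Secret synced by the Operator. Assumed values:
# image alpine/openssl, mount path /etc/pkcs12, workload name pkcs12-verify.
set -eu

render_deployment() {
cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pkcs12-verify
  namespace: default            # must match managedSecret.namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: pkcs12-verify
  template:
    metadata:
      labels:
        app: pkcs12-verify
    spec:
      containers:
        - name: verify
          image: alpine/openssl  # assumption: any image shipping the openssl CLI
          command: ["sh", "-c"]
          # Verify the keystore (prints MAC/PBE metadata only), then keep the
          # pod alive so the result can be read with kubectl logs.
          args:
            - >-
              openssl pkcs12 -info -noout -in /etc/pkcs12/PKCS12_CERT -passin env:PKCS12_PASS
              && exec sleep 86400
          env:
            - name: PKCS12_PASS
              valueFrom:
                secretKeyRef:
                  name: doppler-pkcs12
                  key: PKCS12_PASS
          volumeMounts:
            - name: pkcs12
              mountPath: /etc/pkcs12
              readOnly: true
      volumes:
        - name: pkcs12
          secret:
            secretName: doppler-pkcs12
            defaultMode: 0400    # owner-only; adjust runAsUser/fsGroup if not root
            items:
              - key: PKCS12_CERT  # only the keystore is exposed as a file
                path: PKCS12_CERT
EOF
}

# Usage against a cluster (not executed here):
#   render_deployment | kubectl apply -f -
#   kubectl logs deploy/pkcs12-verify
render_deployment
```

Supplying the password through an environment variable follows the tutorial, but an environment variable is readable by anyone who can exec into the pod or inspect /proc/<pid>/environ and tends to end up in crash dumps and debug output. If that matters, add `PKCS12_PASS` to the volume's `items` as well and use `-passin file:/etc/pkcs12/PKCS12_PASS`, so the password never enters the process environment.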