What is a good way to deploy secret Java key stores in an OpenShift environment?

You can add and mount the secrets as stated by Jan Thomä, but it's easier like this, using the oc command-line tool:

./oc create secret generic crnews-keystore --from-file=keystore.jks=$HOME/git/crnews-service/src/main/resources/keystore.jks --from-file=truststore.jks=$HOME/git/crnews-service/src/main/resources/truststore.jks --type=opaque

This can then be added via the UI: Applications->Deployments->-> "Add config files", where you can choose which secret you want to mount where.

Note that the name=value pairs (e.g. truststore.jks=) will be used as filename=base64-decoded content.


It turns out that I misunderstood how secrets work. They are indeed key-value pairs that you can mount as files. The value can, however, be any base64-encoded binary that will be mapped as the file contents. So the solution is to first encode the contents of the JKS file to base64:

cat keystore.jks | base64

Then you can put this into your secret definition:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: my-namespace
data:
  keystore.jks: "<base 64 from previous command here>"

Finally you can mount this into your docker container by referencing it in the deployment configuration:

apiVersion: v1
kind: DeploymentConfig
spec:
  ...
  template:
    spec:
      ...
      containers:
        - name: "my-container"
          ...
          volumeMounts:
            - name: secrets
              mountPath: /mnt/secrets
              readOnly: true
      volumes:
        - name: secrets
          secret:
            secretName: "my-secret"
            items:
              - key: keystore.jks
                path: keystore.jks

This will mount the secret volume secrets at /mnt/secrets and make the entry with the name keystore.jks available as the file keystore.jks under /mnt/secrets.

I'm not sure if this is really a good way of doing this, but it is at least working here.


My generated base64 was multiline and I was getting the same error.

The trick is to use the -w0 argument of base64 so that the whole encoding is on one line!

base64 -w0 ssl_keystore.jks > test

The above will create a file named test containing the base64 on one line; copy and paste it like this into a secret:

apiVersion: v1
kind: Secret
metadata:
  name: staging-ssl-keystore-jks
  namespace: staging-space
type: Opaque
data:
  keystore.jks: your-base64-in-one-line
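The base64 encoding step from the two answers above, as an added example that is not part of any of the posted answers: it builds the Secret manifest so each value is a single line (the multi-line pitfall the last answer describes, handled portably without relying on GNU's -w0) and decodes a key back to bytes the way the mounted file would receive them. Secret name, namespace and file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: build an OpenShift/Kubernetes Secret manifest from binary
# keystore files with single-line base64 values, then decode a key back.
# Secret/namespace names and file paths below are constructed placeholders.

# Encode a file as one base64 line. Equivalent to GNU `base64 -w0`, but also
# works on BSD/macOS base64 (which has no -w) by stripping the wrapping.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Print a Secret manifest. Arguments: name namespace key=path [key=path ...]
# Each key becomes the file name under the mountPath of the secret volume.
make_keystore_secret() {
  name=$1
  ns=$2
  shift 2
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' "$name" "$ns"
  for pair in "$@"; do
    key=${pair%%=*}
    path=${pair#*=}
    # A wrapped (multi-line) value here would break the YAML, since the
    # continuation lines are not valid keys; b64_oneline prevents that.
    printf '  %s: %s\n' "$key" "$(b64_oneline "$path")"
  done
}

# Recover the bytes stored under KEY in MANIFEST (what ends up in the mounted
# file). Exits non-zero if the value is missing or is not valid base64.
decode_secret_key() {
  key=$1
  manifest=$2
  sed -n "s/^  $key: //p" "$manifest" | base64 -d
}
```

To apply the result, redirect make_keystore_secret's output to a file and run `oc apply -f` on it; the data values are intentionally never written to the terminal unencoded.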