79342492

Date: 2025-01-09 12:00:57
Score: 0.5
Natty:

In addition to https://stackoverflow.com/a/58876108/27730930 (point 5)

If you use an IaC or GitOps approach, you can deliver etcd certificates to a Kubernetes Secret with standard k8s mechanisms:

# Restrict the Job's pod to egress towards the API server only
# (the kube-apiserver pods in kube-system); nothing else is reachable.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-etcd-certs-to-secret-egress-to-apiserver
  namespace: tech-monitoring
spec:
  podSelector:
    matchLabels:
      app: etcd-certs-to-secret
  policyTypes:
  - Egress
  egress:
  - to:
      namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          component: kube-apiserver
---
# Dedicated identity for the Job, so its permissions can be scoped narrowly.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: etcd-certs-to-secret
---
# Least privilege: only the Secret verbs that `kubectl apply` needs,
# and only within this namespace (Role, not ClusterRole).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: etcd-certs-to-secret
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: etcd-certs-to-secret
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: etcd-certs-to-secret
subjects:
- kind: ServiceAccount
  name: etcd-certs-to-secret
---
# One-shot Job: read the etcd PKI files from the control-plane host and
# publish them as a kubernetes.io/tls Secret in the Job's own namespace.
apiVersion: batch/v1
kind: Job
metadata:
  name: etcd-certs-to-secret
spec:
  template:
    metadata:
      labels:
        app: etcd-certs-to-secret
    spec:
      serviceAccountName: etcd-certs-to-secret
      containers:
      - name: apply-secret
        # Root is required to read the host's etcd server key, which is
        # owned by root with restrictive permissions on kubeadm nodes.
        securityContext:
          runAsUser: 0
          runAsGroup: 0
        image: bitnami/kubectl:1.32.0
        command: ["/bin/sh", "-c"]
        # Fail early if any expected file is missing, then build the Secret
        # from the base64-encoded file contents and apply it.
        args:
          - |
            if [ ! -f /etcd-certs/ca.crt ]; then
              echo "Error: Certificate authority file '/etcd-certs/ca.crt' is missing."
              exit 1
            fi

            if [ ! -f /etcd-certs/tls.crt ]; then
              echo "Error: Certificate file '/etcd-certs/tls.crt' is missing."
              exit 1
            fi

            if [ ! -f /etcd-certs/tls.key ]; then
              echo "Error: Key file '/etcd-certs/tls.key' is missing."
              exit 1
            fi

            kubectl apply -f - <<EOF
            apiVersion: v1
            kind: Secret
            metadata:
              name: etcd-certs
              annotations:
                created-by: job/etcd-certs-to-secret
            type: kubernetes.io/tls
            data:
              ca.crt: $(cat /etcd-certs/ca.crt | base64 -w 0)
              tls.crt: $(cat /etcd-certs/tls.crt | base64 -w 0)
              tls.key: $(cat /etcd-certs/tls.key | base64 -w 0)
            EOF
        # Each host file is mounted read-only as a single file.
        volumeMounts:
        - name: ca-crt
          mountPath: /etcd-certs/ca.crt
          readOnly: true
        - name: tls-crt
          mountPath: /etcd-certs/tls.crt
          readOnly: true
        - name: tls-key
          mountPath: /etcd-certs/tls.key
          readOnly: true
      restartPolicy: Never
      # The etcd PKI lives on control-plane nodes, so tolerate their taint
      # and pin the pod there.
      tolerations:
      - key: "node-role.kubernetes.io/control-plane"
        operator: "Equal"
        value: "true"
        effect: "NoSchedule"
      nodeSelector:
        node-role.kubernetes.io/control-plane: ""
      # kubeadm's default location for the etcd CA and server certificate/key.
      volumes:
      - name: ca-crt
        hostPath:
          path: /etc/kubernetes/pki/etcd/ca.crt
          type: File
      - name: tls-crt
        hostPath:
          path: /etc/kubernetes/pki/etcd/server.crt
          type: File
      - name: tls-key
        hostPath:
          path: /etc/kubernetes/pki/etcd/server.key
          type: File
  backoffLimit: 4
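
Once the Job has run, the resulting Secret is worth checking before any monitoring component is pointed at it. The script below is an added example, not part of the answer above or of any project it mentions: it reads a Secret in JSON form (for instance the output of `kubectl get secret etcd-certs -n tech-monitoring -o json`) and checks that the type is kubernetes.io/tls, that ca.crt, tls.crt and tls.key are present and non-empty, that each field decodes to PEM blocks of the expected kind (so a private key landing in a certificate field, or a certificate where the key should be, is caught), and that ca.crt and tls.crt are not the same object. The namespace tech-monitoring is an assumption taken from the NetworkPolicy, and the sample Secret embedded in the script is constructed placeholder data, not real certificate material.

```python
"""Structural validation of a kubernetes.io/tls Secret, such as the etcd-certs
Secret the Job above produces. Standard library only, so it can run in a
CI step or a pre-deploy hook without extra dependencies."""
import base64
import binascii
import json
import re

# One PEM block; the END label must equal the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)

# Acceptable PEM labels per data field of a TLS Secret.
# Encrypted keys are deliberately absent: Kubernetes cannot use them.
EXPECTED_LABELS = {
    "ca.crt": {"CERTIFICATE"},
    "tls.crt": {"CERTIFICATE"},
    "tls.key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}


def pem_labels(text):
    """Return the BEGIN labels of every well-formed PEM block in text."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def validate_tls_secret(secret):
    """Return a list of problems; an empty list means the Secret looks sane."""
    problems = []
    if secret.get("kind") != "Secret":
        problems.append(f"kind: expected Secret, got {secret.get('kind')}")
    if secret.get("type") != "kubernetes.io/tls":
        problems.append(f"type: expected kubernetes.io/tls, got {secret.get('type')}")
    data = secret.get("data") or {}
    for key, allowed in EXPECTED_LABELS.items():
        if key not in data:
            problems.append(f"{key}: missing")
            continue
        try:
            raw = base64.b64decode(data[key], validate=True)
        except (binascii.Error, ValueError, TypeError):
            problems.append(f"{key}: not valid base64")
            continue
        if not raw:  # what `cat empty-file | base64` would have produced
            problems.append(f"{key}: empty")
            continue
        found = pem_labels(raw.decode("ascii", errors="replace"))
        if not found:
            problems.append(f"{key}: no PEM block found")
        elif not set(found) <= allowed:
            problems.append(f"{key}: unexpected PEM block(s) {sorted(set(found) - allowed)}")
    if "ca.crt" in data and "tls.crt" in data and data["ca.crt"] == data["tls.crt"]:
        problems.append("ca.crt and tls.crt are identical")
    return problems


def _pem(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample: placeholder bodies, not real certificate or key material.
# The namespace is assumed from the NetworkPolicy in the answer above.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "etcd-certs", "namespace": "tech-monitoring"},
    "type": "kubernetes.io/tls",
    "data": {
        "ca.crt": _b64(_pem("CERTIFICATE", "Q0EgQ0VSVA==")),
        "tls.crt": _b64(_pem("CERTIFICATE", "U0VSVkVSIENFUlQ=")),
        "tls.key": _b64(_pem("RSA PRIVATE KEY", "U0VSVkVSIEtFWQ==")),
    },
}


def tampered_examples():
    """Return {case: problems} for constructed broken variants of SAMPLE_SECRET."""
    cases = {}
    swapped = json.loads(json.dumps(SAMPLE_SECRET))
    swapped["data"]["tls.key"] = swapped["data"]["tls.crt"]  # cert in the key field
    cases["cert_in_key_field"] = validate_tls_secret(swapped)
    missing = json.loads(json.dumps(SAMPLE_SECRET))
    del missing["data"]["ca.crt"]
    cases["missing_ca"] = validate_tls_secret(missing)
    empty = json.loads(json.dumps(SAMPLE_SECRET))
    empty["data"]["tls.key"] = ""  # an empty host file was encoded
    cases["empty_key"] = validate_tls_secret(empty)
    opaque = json.loads(json.dumps(SAMPLE_SECRET))
    opaque["type"] = "Opaque"
    cases["wrong_type"] = validate_tls_secret(opaque)
    return cases


if __name__ == "__main__":
    import sys
    # Usage: kubectl get secret etcd-certs -n tech-monitoring -o json | python3 check_tls_secret.py
    found_problems = validate_tls_secret(json.load(sys.stdin))
    for problem in found_problems:
        print("PROBLEM:", problem)
    sys.exit(1 if found_problems else 0)
```

A non-zero exit means at least one problem was printed. The check is structural only: whether tls.key actually belongs to tls.crt, and whether ca.crt signs it, still needs openssl or a cryptography library, which is a natural follow-up step in the same pre-deploy hook.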

Reasons:
  • Blacklisted phrase (1): stackoverflow
  • Long answer (-1):
  • Has code block (-0.5):
  • Low reputation (1):
Posted by: Iurii Pastushenko