How to mount a file inside a pod using a ConfigMap

This post covers how to mount a file (e.g. a certificate) inside a pod using a ConfigMap.
Before proceeding:
  • Take a backup of the deployment config and pod specs before making any changes.
  • If an edit goes wrong, you can roll back to the old version.

As an example scenario, you may not be able to add the .pem data in the Dockerfile and run update-ca-certificates.
In that case you can make the changes directly in your Kubernetes/OpenShift deployment file with the following steps.



1. Create a ConfigMap from the .pem file

kubectl -n <namespace-for-config-map-optional> create configmap ca-pemstore --from-file=my-cert.pem
kubectl create configmap test-crt --from-file=ca-bundle   # ca-bundle is a folder that contains the file

2. Now mount that ConfigMap's file with a one-to-one file relationship in the volume mount, as a file in the directory /etc/ssl/certs/, for example:

Changes in the config file:

volumeMounts:
- mountPath: /etc/ssl/certs/devapp254_full.cer
  name: config-volume
  subPath: devapp254_full.cer

volumes:
- configMap:
    defaultMode: 420
    name: test-crt
  name: config-volume

Deployment config file (excerpt from the pod template spec):

        # Container level: the last entry mounts one ConfigMap key as a single file.
        volumeMounts:
        - mountPath: /etc/secret
          name: client-credentials
          readOnly: true
        - mountPath: /tmp/cert/defaultsslcertificate
          name: defaultsslcertificate
        - mountPath: /etc/ssl/certs/devapp254_full.cer
          name: config-volume
          subPath: devapp254_full.cer
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      # Pod level: config-volume is backed by the test-crt ConfigMap.
      volumes:
      - name: client-credentials
        secret:
          defaultMode: 420
          secretName: users-grants-be-client-credentials
      - name: defaultsslcertificate
        secret:
          defaultMode: 420
          secretName: defaultsslcertificate
      - configMap:
          defaultMode: 420
          name: test-crt
        name: config-volume

Another example:

apiVersion: v1
kind: Pod
metadata:
  name: cacheconnectsample
spec:
  containers:
  - name: cacheconnectsample
    image: cacheconnectsample:v1
    volumeMounts:
    - name: ca-pemstore
      mountPath: /etc/ssl/certs/my-cert.pem
      subPath: my-cert.pem
      readOnly: false
    ports:
    - containerPort: 80
    command: [ "dotnet" ]
    args: [ "cacheconnectsample.dll" ]
  volumes:
  - name: ca-pemstore
    configMap:
      name: ca-pemstore

Along with all the existing certificates in the pod's CA root directory, this adds your .cert file as well. It is partially similar to the update-ca-certificates command, except that no symbolic links are created and no certificate text is appended to ca-certificates.crt. That's fine: it will still work the same way and no additional changes are required.
Note: If you do not map file to file via the ConfigMap but instead map the volume to a directory in the YAML, you will end up mounting the ConfigMap as a directory at /etc/ssl/certs/, which will add your .pem file but will wipe out all existing certificates from the store.
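
The check below is an added example, not code from the original post: it reads a manifest in the JSON form that `kubectl get ... -o json` prints and reports every ConfigMap volume mounted as a directory on or above the CA directory, the mistake the note above warns about. The function names and both sample manifests are constructed for illustration, and the CA path is assumed to be /etc/ssl/certs as on this page.

```python
import json

# Assumption: the trust-store directory this page mounts into.
CA_DIRS = ("/etc/ssl/certs",)

def pod_spec_of(manifest):
    """Return the pod spec of a Pod, or of a workload's pod template."""
    spec = manifest["spec"]
    return spec["template"]["spec"] if "template" in spec else spec

def shadowing_mounts(manifest, ca_dirs=CA_DIRS):
    """Return (container, volume, mountPath) for each ConfigMap volume mounted
    as a directory on or above a CA directory, hiding the image's certificates."""
    spec = pod_spec_of(manifest)
    cm_volumes = {v["name"] for v in spec.get("volumes", []) if "configMap" in v}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] not in cm_volumes:
                continue
            if m.get("subPath") or m.get("subPathExpr"):
                continue  # file-to-file mount: existing certificates stay visible
            path = m["mountPath"].rstrip("/")  # "/" becomes "", a prefix of everything
            if any(ca == path or ca.startswith(path + "/") for ca in ca_dirs):
                findings.append((c["name"], m["name"], m["mountPath"]))
    return findings

# Constructed sample manifests, shaped like `kubectl get ... -o json` output.
FILE_MOUNT = json.loads("""
{"kind": "Pod", "spec": {
  "containers": [{"name": "cacheconnectsample", "volumeMounts": [
    {"name": "ca-pemstore", "mountPath": "/etc/ssl/certs/my-cert.pem",
     "subPath": "my-cert.pem"}]}],
  "volumes": [{"name": "ca-pemstore", "configMap": {"name": "ca-pemstore"}}]}}
""")
DIR_MOUNT = json.loads("""
{"kind": "Deployment", "spec": {"template": {"spec": {
  "containers": [{"name": "app", "volumeMounts": [
    {"name": "config-volume", "mountPath": "/etc/ssl/certs/"},
    {"name": "client-credentials", "mountPath": "/etc/secret"}]}],
  "volumes": [{"name": "config-volume", "configMap": {"name": "test-crt"}},
              {"name": "client-credentials", "secret": {"secretName": "example-secret"}}]}}}}
""")

if __name__ == "__main__":
    for label, manifest in (("file mount", FILE_MOUNT), ("directory mount", DIR_MOUNT)):
        print(label, "->", shadowing_mounts(manifest) or "ok")
```

An empty result means every ConfigMap mount touching the CA directory is file-to-file; a mount on a parent such as /etc/ssl is reported too, because it hides the certs directory beneath it.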
