A Pod can access the service CA certificate by mounting a ConfigMap that
is annotated with service.beta.openshift.io/inject-cabundle=true.
Once annotated, the cluster automatically injects the service CA
certificate into the service-ca.crt key on the ConfigMap. Access to
this CA certificate allows TLS clients to verify connections to
services using service serving certificates.
|
Important
|
After adding this annotation to a ConfigMap all existing data in it is
deleted. It is recommended to use a separate ConfigMap to contain the
|
-
Annotate the ConfigMap with
service.beta.openshift.io/inject-cabundle=true.$ oc annotate configmap <configmap-name> \//(1) service.beta.openshift.io/inject-cabundle=true-
Replace
<configmap-name>with the name of the ConfigMap to annotate.NoteExplicitly referencing the
service-ca.crtkey in a volumeMount will prevent a Pod from starting until the ConfigMap has been injected with the CA bundle.For instance, to annotate the ConfigMap
foothe following command would be used:$ oc annotate configmap foo service.beta.openshift.io/inject-cabundle=true
-
-
View the ConfigMap to ensure the certificate has been generated. This appears as a
service-ca.crtin the YAML output.$ oc get configmap <configmap-name> -o yaml apiVersion: v1 data: service-ca.crt: | -----BEGIN CERTIFICATE----- ...