Kubernetes

This guide explains how to install and use custom certificates with Qpoint in a Kubernetes environment. This process is useful when you need to use your own certificates for HTTPS traffic or when you need to trust specific Certificate Authorities.

Prerequisites

  • Kubernetes cluster

  • kubectl command-line tool

  • Your custom certificate file (e.g., qpoint.pem)

Create a ConfigMap with the Certificate

First, create a ConfigMap that contains your certificate file:

kubectl create configmap ca-pemstore --from-file=qpoint.pem

Replace qpoint.pem with the path to your certificate file. This command creates a ConfigMap named ca-pemstore with the contents of your certificate file.

Modify the Pod Specification

Update your Pod YAML file to include the ConfigMap as a volume and mount it in the appropriate container(s). Below is an example of how to do this using a node.js application:

apiVersion: v1
kind: Pod
metadata:
  name: qpoint-example-pod
spec:
  initContainers:
    - name: qpoint-init
      image: us-docker.pkg.dev/qpoint-edge/public/kubernetes-qpoint-init:v0.0.9
      env:
        - name: PORT_MAPPING
          value: "16443:443"
        - name: ACCEPT_UIDS
          value: "1010"  # Accept the proxy user / UID
        - name: ACCEPT_GIDS
          value: "1010"  # Accept the proxy group / GID
        - name: TO_DOMAIN
          value: "qpoint-connect.qpoint.svc.cluster.local"
      securityContext:
        capabilities:
          add: ["NET_ADMIN"]
  containers:
    - name: main-container
      image: curlimages/curl
      command: ["sh"]
      stdin: true
      tty: true
      securityContext:
        capabilities:
          add: ["NET_ADMIN"]
      env:
        - name: NODE_EXTRA_CA_CERTS
          value: /etc/ssl/certs/qpoint.pem
      volumeMounts:
        - name: ca-pemstore
          mountPath: /etc/ssl/certs/qpoint.pem
          subPath: qpoint.pem
          readOnly: true
    - name: qpoint-connect
      image: us-docker.pkg.dev/qpoint-edge/public/qpoint:v0.1.4
      imagePullPolicy: IfNotPresent
      args:
        - connect
        - --envoy-log-level=error
        - --log-level=info
        - --dns-lookup-family=V4_ONLY
      env:
        - name: STATUS_LISTEN
          value: "0.0.0.0:10001"
        - name: DEFAULT_TCP_LISTEN_ADDRESS
          value: "0.0.0.0"
        - name: CONNECT_TCP_FORWARD_PORTS
          value: "16080:80,16443:443"
        - name: CONNECT_UPSTREAM
          value: "qpoint-proxy.qpoint.svc.cluster.local:10443"
        - name: CONNECT_USERNAME
          value: "default"
        - name: CONNECT_PASSWORD
          value: "default"
      ports:
        - name: e-http
          containerPort: 16080
          protocol: TCP
        - name: e-https
          containerPort: 16443
          protocol: TCP
        - name: status
          containerPort: 10001
          protocol: TCP
      startupProbe:
        httpGet:
          path: /readyz
          port: status
        initialDelaySeconds: 3
        periodSeconds: 5
        timeoutSeconds: 2
        successThreshold: 1
        failureThreshold: 20
      readinessProbe:
        httpGet:
          path: /readyz
          port: status
        initialDelaySeconds: 3
        periodSeconds: 5
        timeoutSeconds: 2
        successThreshold: 1
        failureThreshold: 1
      livenessProbe:
        httpGet:
          path: /healthz
          port: status
        initialDelaySeconds: 3
        periodSeconds: 10
        timeoutSeconds: 2
        successThreshold: 1
        failureThreshold: 3
  volumes:
    - name: ca-pemstore
      configMap:
        name: ca-pemstore

Key Additions in the YAML File

  1. Volume Declaration:

    volumes:
  - name: ca-pemstore
    configMap:
      name: ca-pemstore

    This declares a volume that references the ConfigMap we created earlier.

  2. Volume Mount in main-container:

    volumeMounts:
  - name: ca-pemstore
    mountPath: /etc/ssl/certs/qpoint.pem
    subPath: qpoint.pem
    readOnly: true

    This mounts the certificate file from the ConfigMap into the container.

  3. Environment Variable in main-container:

    env:
  - name: NODE_EXTRA_CA_CERTS
    value: /etc/ssl/certs/qpoint.pem

    This environment variable tells the application where to find the additional CA certificates.

Notes

  • The environment variable NODE_EXTRA_CA_CERTS is specific to Node.js applications. For other languages or runtimes, you may need to use a different environment variable or configuration method. Here are some common examples:

    • Python: SSL_CERT_FILE=/etc/ssl/certs/qpoint.pem

    • Java: -Djavax.net.ssl.trustStore=/etc/ssl/certs/qpoint.pem

    • Go: SSL_CERT_FILE=/etc/ssl/certs/qpoint.pem

  • Ensure that your application is configured to use the custom certificate. The method for doing this can vary depending on the programming language and libraries you're using.

  • You may need to modify the qpoint-connect container configuration to use the custom certificate as well, depending on your specific requirements.

  • Always ensure that you're following best practices for certificate management, including regular rotation and secure storage of private keys.

Last updated