
Service Serving Certificate Secrets Example

Documentation

Example Service

# Service that requests a serving certificate from the cluster's
# service-serving signer via an annotation.
apiVersion: v1
kind: Service
metadata:
  name: service-serving-cert
  annotations:
    # Names the Secret that receives the generated certificate; the commands
    # on this page read the tls.crt key from a Secret with this name.
    # The same Secret normally also holds the private key (tls.key), so read
    # access to it should be limited to the workload that serves TLS.
    # NOTE(review): this is the alpha form of the annotation; newer OpenShift
    # releases document service.beta.openshift.io/serving-cert-secret-name.
    # Confirm which form your cluster version expects.
    service.alpha.openshift.io/serving-cert-secret-name: service-serving-cert
spec:
  ports:
  - name: service-serving-cert
    port: 443
    # Traffic on 443 is forwarded to 8443 in the selected pods; the pods
    # themselves are not shown on this page.
    targetPort: 8443
  selector:
    app: service-serving-cert

Check certificate

# Extract only the certificate (tls.crt) from the generated Secret. Secret
# values are base64-encoded in the API response, so decode into a PEM file.
oc get secret service-serving-cert -o json | jq -r '.data."tls.crt"' | base64 --decode > service-serving-cert.pem

# Wrap the PEM file in a PKCS#7 structure (-nocrl: no CRL included) so that
# subject and issuer are printed for every certificate in the file, not just
# the first one.
openssl crl2pkcs7 -nocrl -certfile service-serving-cert.pem | openssl pkcs7 -print_certs  -noout

Example commands

$ echo "apiVersion: v1
kind: Service
metadata:
  name: service-serving-cert
  annotations:
    service.alpha.openshift.io/serving-cert-secret-name: service-serving-cert
spec:
  ports:
  - name: service-serving-cert
    port: 443
    targetPort: 8443
  selector:
    app: service-serving-cert" | oc create -f -
service/service-serving-cert created
$ oc get secret service-serving-cert -o json | jq -r '.data."tls.crt"' | base64 --decode > service-serving-cert.pem
$ openssl crl2pkcs7 -nocrl -certfile service-serving-cert.pem | openssl pkcs7 -print_certs  -noout
subject=/CN=service-serving-cert.rbo.svc
issuer=/CN=openshift-service-serving-signer@1545507973

subject=/CN=openshift-service-serving-signer@1545507973
issuer=/CN=openshift-service-serving-signer@1545507973

Create a ConfigMap with the service-serving root CA

# Create an empty ConfigMap annotated for CA-bundle injection; the check that
# follows reads the injected bundle from its service-ca.crt key.
# The annotation value is quoted because annotation values must be strings.
# Clients should load the bundle from this ConfigMap at runtime rather than
# keep a private copy: the signer certificate has a limited validity period
# (see the notBefore/notAfter dates printed below).
$ oc create -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: service-trustbundle-ca
  annotations:
    service.beta.openshift.io/inject-cabundle: "true"
data: {}
EOF

$ oc get configmap/service-trustbundle-ca -o jsonpath="{.data.service-ca\.crt}"  | openssl x509 -noout -subject -issuer -dates
subject= /CN=openshift-service-serving-signer@1593524307
issuer= /CN=openshift-service-serving-signer@1593524307
notBefore=Jun 30 13:38:26 2020 GMT
notAfter=Aug 29 13:38:27 2022 GMT

2021-05-05 2018-12-23 Contributors: Robert Bohne