@joa
Last active October 19, 2018 12:00
in-cluster dh param generation with kubernetes and rbac

dhparam within cluster

This Gist shows you how to generate Diffie-Hellman parameters directly inside your cluster and store them as a Secret, using a Job and RBAC, so the parameters are produced on a cluster node rather than on a workstation.

After the Job has completed successfully, you'll have a Secret named dhparam in the default namespace with a single key, dhparam.pem. kubectl inside the pod takes its token and namespace from the mounted service account credentials, which is why the Secret lands in the Job's own namespace.

install

# build and push the job image (replace PROJECT_ID with your GCP project)
docker build -t gcr.io/PROJECT_ID/kubectl:latest -f Dockerfile .
docker push gcr.io/PROJECT_ID/kubectl:latest

# start the job
kubectl apply -f dhparam.yaml

# Generating 4096-bit DH parameters takes a long time (tens of minutes or more,
# depending on the node's CPU); the Job is finished once its status reports it as complete.

cleanup

You won't need the Job, ServiceAccount, ClusterRole and ClusterRoleBinding after the DH params have been generated. The Secret itself is not part of dhparam.yaml, so it survives the delete:

kubectl delete -f dhparam.yaml

dhparam.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: dhparam
---
# rbac.authorization.k8s.io/v1 has been stable since Kubernetes 1.8; the v1beta1
# API used originally was removed in 1.22.
# Cluster-scoped: this lets the service account create Secrets in every namespace.
# A Role/RoleBinding in default would be enough for this Job.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dhparam
rules:
- apiGroups: [""]
  resources: ["secrets"]
  # "create" only: the Job never needs to read existing Secrets.
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dhparam
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dhparam
subjects:
- kind: ServiceAccount
  name: dhparam
  namespace: default
---
apiVersion: batch/v1
kind: Job
metadata:
  name: generate-dhparam-secret
spec:
  # Do not retry a failed run: each retry regenerates 4096-bit parameters only to
  # fail again if, for example, the Secret already exists.
  backoffLimit: 0
  template:
    spec:
      serviceAccountName: dhparam
      containers:
      - name: kubectl
        # replace this with your actual container image
        image: gcr.io/PROJECT_ID/kubectl:latest
        command:
        - "/bin/sh"
        - "-c"
        - |
          set -e
          openssl dhparam -out dhparam.pem 4096
          kubectl create secret generic dhparam --from-file=./dhparam.pem
      restartPolicy: Never
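The ClusterRole and ClusterRoleBinding above let the dhparam service account create Secrets in every namespace, although the Job only ever writes one Secret into default. The following drop-in replacement for those two objects is an added example, not part of the original gist: it scopes the grant to the default namespace with a Role and RoleBinding. The ServiceAccount and Job from dhparam.yaml stay unchanged, and the install and cleanup commands are the same.

```yaml
# Namespaced replacement for the ClusterRole/ClusterRoleBinding pair (added example,
# not from the original gist). Names and namespace match the manifest above.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dhparam
  namespace: default
rules:
- apiGroups: [""]
  resources: ["secrets"]
  # Only "create": the Job neither reads nor updates existing Secrets.
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dhparam
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dhparam
subjects:
- kind: ServiceAccount
  name: dhparam
  namespace: default
```

The grant cannot be narrowed further to the single Secret name: Kubernetes does not apply resourceNames to create requests, because the object name is not known at authorization time. With this Role in place, a compromised Job pod can add Secrets to default but cannot touch any other namespace.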

Dockerfile

# Build stage: fetch kubectl. The original resolved "stable" at build time from
# storage.googleapis.com/kubernetes-release; dl.k8s.io is the current official
# download host and publishes a .sha256 file per binary, which is checked below.
FROM alpine:latest AS builder
WORKDIR /usr/local/bin
# Pin a release with --build-arg KUBECTL_VERSION=vX.Y.Z for reproducible builds.
ARG KUBECTL_VERSION=""
RUN apk add --no-cache curl && \
    if [ -z "$KUBECTL_VERSION" ]; then \
      KUBECTL_VERSION=$(curl -sL https://dl.k8s.io/release/stable.txt); \
    fi && \
    curl -sLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
    curl -sLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" && \
    echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c - && \
    chmod +x kubectl

# Runtime stage: openssl generates the parameters, kubectl stores them; runs unprivileged.
FROM alpine:latest
ENV HOME=/config
ENV SHELL=/bin/bash
RUN apk add --no-cache bash openssh-client curl ca-certificates openssl && \
    adduser -D -u 2342 -h /config kubectl
COPY --from=builder /usr/local/bin/kubectl /usr/local/bin/kubectl
USER kubectl
WORKDIR /config
# The Job overrides this entrypoint with /bin/sh -c; it is kept for ad-hoc use of the image.
ENTRYPOINT ["/usr/local/bin/kubectl"]