How to use Domino OTS on Kubernetes to import an existing TLS Certificate
Daniel Nashed – 29 May 2023 10:41:02
Domino One Touch Setup (OTS) has been designed with flexibility in mind, with a special focus on getting a server up in a secure way.
On Docker you can just mount PEM files into the container. On Kubernetes, TLS certificates and keys are stored in Secrets.
Personally I am not a big fan of storing PEM files on disk. But you could at least set a password on the PEM file you import.
Here is a basic example of how to create a Secret on K8s and reference it in OTS.
Even the simple environment variable based setup supports the CertMgr security settings.
Of course the same functionality is also available with the more flexible JSON-based configuration.
For simplicity, I am configuring a Domino server without a volume and other options, to focus just on configuring TLS.
Applications like NGINX expect certificates and keys in separate files. This is also the style used by K8s for an Ingress and other components requiring TLS certificates.
kubectl create secret tls nginx-ssl --cert=cert.pem --key=key.pem
CertMgr, in contrast, expects the private key and the certificate chain together in one PEM file.
To turn such a PEM file into a Secret, use a similar command with a generic Secret instead of a tls Secret. It just wraps the PEM file into the Secret under its file name.
kubectl create secret generic domino-tls --from-file=tls.pem
In your pod definition, mount the Secret as a volume and point the OTS import path at the mounted file.
Once the server is running, you can inspect the TLS Credentials document directly from the server console.
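An added example that is not part of the original post: a stdlib-only Python script that checks a combined PEM file for the layout CertMgr expects (exactly one private key plus the chain in the same file) and renders the same Opaque Secret that kubectl create secret generic domino-tls --from-file=tls.pem would produce. The function names and the placeholder PEM bodies are constructed for this example.

```python
import base64
import json
import re

# One PEM block; the label is captured so the END marker must match the BEGIN marker.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)
# Constructed sample input: the base64 bodies are placeholders, not real key material.
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n"
CHAIN_PEM = (
    "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRF\n-----END CERTIFICATE-----\n"
)

def pem_block_types(pem_text):
    """Labels of the PEM blocks in file order, e.g. ['PRIVATE KEY', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]

def check_certmgr_pem(pem_text):
    """Problems that make the file unusable for an OTS import (empty list means OK).
    CertMgr wants the private key and the whole chain in one file, unlike the
    cert.pem/key.pem split that 'kubectl create secret tls' expects."""
    types = pem_block_types(pem_text)
    keys = [t for t in types if t.endswith("PRIVATE KEY")]
    problems = []
    if len(keys) != 1:
        problems.append("expected exactly one private key block, found %d" % len(keys))
    if "CERTIFICATE" not in types:
        problems.append("no CERTIFICATE block; the chain must be in the same file as the key")
    return problems

def key_is_encrypted(pem_text):
    """True if the key is password protected (PKCS#8 label or legacy Proc-Type header)."""
    return "ENCRYPTED PRIVATE KEY" in pem_block_types(pem_text) or "Proc-Type: 4,ENCRYPTED" in pem_text

def secret_manifest(name, pem_text, namespace="default"):
    """Same result as 'kubectl create secret generic NAME --from-file=tls.pem': an Opaque
    Secret whose single data key, tls.pem, is the base64 of the whole file. Refuses to
    build a Secret the server could not import."""
    problems = check_certmgr_pem(pem_text)
    if problems:
        raise ValueError("; ".join(problems))
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name, "namespace": namespace},
            "data": {"tls.pem": base64.b64encode(pem_text.encode()).decode()}}

if __name__ == "__main__":
    tls_pem = KEY_PEM + CHAIN_PEM  # same as: cat key.pem fullchain.pem > tls.pem
    print(json.dumps(secret_manifest("domino-tls", tls_pem), indent=2))
    print("cert-only file problems:", check_certmgr_pem(CHAIN_PEM))
```

The printed manifest can be applied with kubectl apply -f, and the cert-only check shows why an NGINX-style certificate file alone is rejected.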
In my example this is a Let's Encrypt wildcard certificate created on another CertMgr instance.
tell certmgr show certs
[000580:000002-00007F9CE86D1DC0] Subject key identifier Key info Expiration KeyFile/Tag Host names (SANs)
[000580:000002-00007F9CE86D1DC0] ------------------------------------------------------------------------------------------------------------------------------------------------------
[000580:000002-00007F9CE86D1DC0] 62AB F770 B3EF 1091 ... NIST P-256 68.6 days *.lab.dnug.eu lab.dnug.eu
[000580:000002-00007F9CE86D1DC0] ------------------------------------------------------------------------------------------------------------------------------------------------------
[000580:000002-00007F9CE86D1DC0] 1 TLS Credentials
Side Note:
You can even specify an export password if you want to be able to export the TLS Credentials document later.
But take care to specify a password with sufficient entropy, or your setup will fail. A good way to check is to test the password in the CertMgr UI by creating an exportable key.
-- Daniel
Simple example pod definition
apiVersion: v1
kind: Pod
metadata:
  name: domino-nashcom
  namespace: default
spec:
  imagePullSecrets:
  - name: regcred
  containers:
  - env:
    - name: LANG
      value: "en_US.UTF-8"
    - name: SetupAutoConfigure
      value: "1"
    - name: SERVERSETUP_SERVER_TYPE
      value: first
    - name: SERVERSETUP_ADMIN_FIRSTNAME
      value: "Daniel"
    - name: SERVERSETUP_ADMIN_LASTNAME
      value: "Nashed"
    - name: SERVERSETUP_ADMIN_PASSWORD
      value: "domino12rocks"
    - name: SERVERSETUP_ADMIN_IDFILEPATH
      value: "admin.id"
    - name: SERVERSETUP_NETWORK_HOSTNAME
      value: "domino12.dnug.eu"
    - name: SERVERSETUP_ORG_CERTIFIERPASSWORD
      value: "domino4rocks"
    - name: SERVERSETUP_SERVER_DOMAINNAME
      value: "NashCom"
    - name: SERVERSETUP_ORG_ORGNAME
      value: "NashCom"
    - name: SERVERSETUP_SERVER_NAME
      value: "domino12.dnug.eu"
    - name: SERVERSETUP_SERVER_SERVERTASKS
      value: "replica,router,update,amgr,adminp,http"
    - name: SERVERSETUP_SECURITY_ACL_PROHIBITANONYMOUSACCESS
      value: "true"
    - name: SERVERSETUP_SECURITY_TLSSETUP_METHOD
      value: "import"
    - name: SERVERSETUP_SECURITY_TLSSETUP_IMPORTFILEPATH
      value: "/etc/domino/ssl/tls.pem"
    - name: SERVERSETUP_SECURITY_TLSSETUP_EXPORTPASSWORD
      value: "Domino14TLSExport42EXPORT"
    name: domino
    image: docker.io/nashcom/domino:latest
    ports:
    - containerPort: 443
    volumeMounts:
    - mountPath: "/etc/domino/ssl"
      name: domino-tls
      readOnly: true
  restartPolicy: Always
  volumes:
  - name: domino-tls
    secret:
      secretName: domino-tls