Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 

Daniel Nashed

 

How to use Domino OTS on Kubernetes to import an existing TLS Certificate

Daniel Nashed  29 May 2023 10:41:02


Domino One Touch Setup has been designed with flexibility in mind, with special focus on getting a server up in a secure way.

On Docker you can simply mount PEM files into the container. On Kubernetes, TLS certificates and keys are stored in Secrets and mounted into the pod from there.

Personally, I am not a big fan of storing PEM files on disk. But you could at least set a password on the PEM file you import.


Here is a basic example of how to create a secret on K8s and reference it in OTS.
Even the simple environment-variable setup supports the CertMgr security settings.

Of course the same functionality is also available with the more flexible JSON-based configuration.


To keep it simple, the example configures a Domino server without a data volume or other options and focuses only on the TLS part.

Applications like NGINX expect certificates and keys in separate files. This is also the style used by K8s for an Ingress and other components requiring TLS certificates: a secret of type kubernetes.io/tls carries them as two data keys, tls.crt and tls.key.


kubectl create secret tls nginx-ssl --cert=cert.pem --key=key.pem


CertMgr expects the private key and the certificate chain in one PEM file.

To turn such a file into a secret you use a similar command, but with a generic secret. It simply wraps the PEM file; the data key inside the secret is named after the file (tls.pem), which is the name the pod will see under the mount path.


kubectl create secret generic domino-tls --from-file=tls.pem
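The two kubectl commands above cover the secret itself. What they leave out is the step from separate key, certificate and chain files to the single PEM file CertMgr wants, and a sanity check before that file lands in a secret. The script below is an added example, not code from the original post. It assumes the inputs are key.pem (private key), cert.pem (leaf) and chain.pem (intermediates), that the bundle order key, leaf, intermediates is acceptable to CertMgr, and that the environment-variable name for the import-file password follows the same naming scheme as the other TLSSetup variables in the pod definition further down.

```sh
#!/bin/sh
# Build the single PEM file CertMgr imports and wrap it into a K8s secret.
# Added example, not code from the original post. Assumptions: key.pem holds
# the private key, cert.pem the leaf certificate, chain.pem the intermediates;
# the bundle is written as key, leaf, intermediates (the conventional order).
set -eu

# Concatenate key, leaf certificate and optional chain into one file.
# The result carries the private key, so it is created with a restrictive mode.
build_domino_pem() {
    key="$1"; cert="$2"; chain="$3"; out="$4"
    umask 077
    cat "$key" "$cert" > "$out"
    if [ -n "$chain" ] && [ -s "$chain" ]; then
        cat "$chain" >> "$out"
    fi
    chmod 0600 "$out"
}

# Count PEM blocks whose type ends in $1. "PRIVATE KEY" also matches
# "EC PRIVATE KEY" and "ENCRYPTED PRIVATE KEY"; "CERTIFICATE" does not match
# "CERTIFICATE REQUEST". Prints 0 instead of failing when nothing matches.
count_pem_blocks() {
    grep -c "^-----BEGIN .*$1-----$" "$2" || true
}

# Sanity check before the file goes into a secret: exactly one private key
# and at least one certificate. Returns 1 with a message on stderr otherwise.
check_domino_pem() {
    keys=$(count_pem_blocks "PRIVATE KEY" "$1")
    certs=$(count_pem_blocks "CERTIFICATE" "$1")
    if [ "$keys" -ne 1 ]; then
        echo "$1: expected exactly one private key, found $keys" >&2
        return 1
    fi
    if [ "$certs" -lt 1 ]; then
        echo "$1: no certificate block found" >&2
        return 1
    fi
    return 0
}

# Deeper check with openssl: the first key and the first certificate in the
# bundle must belong together (same public key). An encrypted key is unlocked
# with $PEM_PASS, which is read from the environment, not the command line.
key_matches_cert() {
    PEM_PASS="${PEM_PASS:-}"; export PEM_PASS
    k=$(openssl pkey -in "$1" -passin env:PEM_PASS -pubout | openssl sha256)
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# Password-protect the private key before bundling; this is what "setting a
# password on the PEM file" amounts to. The matching password then has to be
# handed to OTS (importFilePassword in the JSON form; the env-variable name
# SERVERSETUP_SECURITY_TLSSETUP_IMPORTFILEPASSWORD is assumed here).
encrypt_private_key() {
    openssl pkey -in "$1" -aes256 -passout env:PEM_PASS -out "$2"
}

# Wrap the bundle into a generic secret. The key inside the secret is the
# file name given here (tls.pem), so the pod sees /etc/domino/ssl/tls.pem.
create_domino_tls_secret() {
    kubectl create secret generic "$1" --from-file=tls.pem="$2"
}

# Usage: sh build-domino-tls.sh key.pem cert.pem chain.pem tls.pem domino-tls
if [ $# -eq 5 ]; then
    build_domino_pem "$1" "$2" "$3" "$4"
    check_domino_pem "$4"
    key_matches_cert "$4"
    create_domino_tls_secret "$5" "$4"
fi
```

Run encrypt_private_key first if you want the password-protected variant the post mentions, and point build_domino_pem at the encrypted key; everything else stays the same, only the OTS configuration additionally needs the import-file password.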


In your pod definition, mount the secret as a volume and point the OTS import file path at the mounted file.


Once the server is running, you can inspect the TLS Credentials document directly from the console.

In my example this is a Let's Encrypt wildcard certificate created on another CertMgr instance.


tell certmgr show certs

[000580:000002-00007F9CE86D1DC0] Subject key identifier    Key info     Expiration   KeyFile/Tag            Host names (SANs)
[000580:000002-00007F9CE86D1DC0] ------------------------------------------------------------------------------------------------------------------------------------------------------
[000580:000002-00007F9CE86D1DC0] 62AB F770 B3EF 1091 ...   NIST P-256    68.6 days                          *.lab.dnug.eu lab.dnug.eu
[000580:000002-00007F9CE86D1DC0] ------------------------------------------------------------------------------------------------------------------------------------------------------
[000580:000002-00007F9CE86D1DC0] 1 TLS Credentials


Side note:
You can also specify an export password if you want to be able to export the TLS Credentials document later.
Make sure the password has sufficient entropy, otherwise the setup fails. A good way to check is to try the password in the CertMgr UI by creating an exportable key.


-- Daniel



Simple example pod definition


apiVersion: v1
kind: Pod
metadata:
  name: domino-nashcom
  namespace: default
spec:
  imagePullSecrets:
    - name: regcred
  # containers is mandatory in a pod spec; the single Domino container follows
  containers:
    - name: domino
      image: docker.io/nashcom/domino:latest
      env:
        - name: LANG
          value: "en_US.UTF-8"
        - name: SetupAutoConfigure
          value: "1"
        - name: SERVERSETUP_SERVER_TYPE
          value: first
        - name: SERVERSETUP_ADMIN_FIRSTNAME
          value: "Daniel"
        - name: SERVERSETUP_ADMIN_LASTNAME
          value: "Nashed"
        # plain-text passwords in a manifest are visible to anyone who can read
        # the pod object; fine for a lab, source them from a Secret otherwise
        - name: SERVERSETUP_ADMIN_PASSWORD
          value: "domino12rocks"
        - name: SERVERSETUP_ADMIN_IDFILEPATH
          value: "admin.id"
        - name: SERVERSETUP_NETWORK_HOSTNAME
          value: "domino12.dnug.eu"
        - name: SERVERSETUP_ORG_CERTIFIERPASSWORD
          value: "domino4rocks"
        - name: SERVERSETUP_SERVER_DOMAINNAME
          value: "NashCom"
        - name: SERVERSETUP_ORG_ORGNAME
          value: "NashCom"
        - name: SERVERSETUP_SERVER_NAME
          value: "domino12.dnug.eu"
        - name: SERVERSETUP_SERVER_SERVERTASKS
          value: "replica,router,update,amgr,adminp,http"
        - name: SERVERSETUP_SECURITY_ACL_PROHIBITANONYMOUSACCESS
          value: "true"
        # TLS: import the PEM file mounted from the domino-tls secret below
        - name: SERVERSETUP_SECURITY_TLSSETUP_METHOD
          value: "import"
        - name: SERVERSETUP_SECURITY_TLSSETUP_IMPORTFILEPATH
          value: "/etc/domino/ssl/tls.pem"
        - name: SERVERSETUP_SECURITY_TLSSETUP_EXPORTPASSWORD
          value: "Domino14TLSExport42EXPORT"
      ports:
        - containerPort: 443
      volumeMounts:
        - mountPath: "/etc/domino/ssl"
          name: domino-tls
          readOnly: true
  restartPolicy: Always
  volumes:
    - name: domino-tls
      secret:
        secretName: domino-tls
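The pod above carries the admin password, the certifier password and the TLS export password in plain text. Anyone who can read the pod object (kubectl get pod -o yaml), or the manifest in a repository, sees them. The fragment below is an added example, not part of the original post: the same three env entries, sourced from a second secret instead. It assumes a secret named domino-setup with the data keys admin-password, certifier-password and export-password; the rest of the pod definition stays as it is.

```yaml
# Added example. Create the secret once, outside the manifest (values are
# placeholders; the export password still needs enough entropy for CertMgr):
#   kubectl create secret generic domino-setup \
#     --from-literal=admin-password='...' \
#     --from-literal=certifier-password='...' \
#     --from-literal=export-password='...'
#
# Then replace the three plain-text env entries in the container spec with:
env:
  - name: SERVERSETUP_ADMIN_PASSWORD
    valueFrom:
      secretKeyRef:
        name: domino-setup
        key: admin-password
  - name: SERVERSETUP_ORG_CERTIFIERPASSWORD
    valueFrom:
      secretKeyRef:
        name: domino-setup
        key: certifier-password
  - name: SERVERSETUP_SECURITY_TLSSETUP_EXPORTPASSWORD
    valueFrom:
      secretKeyRef:
        name: domino-setup
        key: export-password
```

OTS only sees environment variables either way, so the setup behaves exactly as before; the difference is that reading the pod or the manifest no longer reveals the passwords, and access to them is governed by RBAC on the secret.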
