Add a guide on how to add a CA to pod or serverless workflow

Fixes: apache#610 Signed-off-by: Roy Golan <[email protected]>
rgolangh · Apr 3, 2024 · ecf0504 · ecf0504
1 parent 83bb557
commit ecf0504
Showing 1 changed file with 19 additions and 16 deletions.
diff --git a/...workflow/modules/ROOT/pages/cloud/operator/add-custom-ca-to-a-workflow-pod.adoc b/...workflow/modules/ROOT/pages/cloud/operator/add-custom-ca-to-a-workflow-pod.adoc
@@ -25,7 +25,8 @@ For the purpose of this guide we would take the k8s cluster root CA that is auto
 
 Add or amend this volumes and init-container snippet to your pod spec or podTemplate in a deployment:
 
-```yaml
+=======
+---
 spec:
   volumes:
     - name: new-cacerts
@@ -35,26 +36,27 @@ spec:
       image: registry.access.redhat.com/ubi9/openjdk-17
       volumeMounts:
         - mountPath: /opt/new-cacerts
-          name: new-cacerts 
+          name: new-cacerts
       command:
         - /bin/bash
         - -c
         - |
           cp $JAVA_HOME/lib/security/cacerts /opt/new-cacerts/
           chmod +w /opt/new-cacerts/cacerts
-          keytool -importcert -no-prompt -keystore /opt/new-cacerts/cacerts -storepass changeit -file /var/run/secrets/kubernetes.io/serviceaccount/ca.crt 
-```
+          keytool -importcert -no-prompt -keystore /opt/new-cacerts/cacerts -storepass changeit -file /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+---
 
 The default keystore under `$JAVA_HOME` is part of the container image and is not mutable. We have to create the mutated copy to a shared volume, hence the 'new-cacerts' one.
 
 === Step 3: Configure Java to load the new keystore
 
 Here we would just mount the new, modified cacerts into the default location where the JVM looks at.
-The example mainly uses the standard http client so alternatively we could mount the cacerts to a different location and
+The Main.java example uses the standard http client so alternatively we could mount the cacerts to a different location and
 configure the Java runtime to load the new keystore with a system property `-Djavax.net.ssl.trustStore`.
 Note that libraries like resteasy don't respect that flag and may need to programmatically set the trust store location.
 
-```yaml
+[source,yaml]
+---
  containers:
    - command:
      - /bin/bash
@@ -72,14 +74,15 @@ Note that libraries like resteasy don't respect that flag and may need to progra
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: kube-api-access-5npmd
          readOnly: true
-```
+---
 
 Notice the volume mount of the previously mutated keystore.
 
 
 === Full working example
 
-```yaml
+[source,yaml]
+---
 apiVersion: v1
 kind: Pod
 metadata:
@@ -90,14 +93,14 @@ spec:
       image: registry.access.redhat.com/ubi9/openjdk-17
       volumeMounts:
         - mountPath: /opt/new-cacerts
-          name: new-cacerts 
+          name: new-cacerts
       command:
         - /bin/bash
         - -c
         - |
           cp $JAVA_HOME/lib/security/cacerts /opt/new-cacerts/
           chmod +w /opt/new-cacerts/cacerts
-          keytool -importcert -no-prompt -keystore /opt/new-cacerts/cacerts -storepass changeit -file /var/run/secrets/kubernetes.io/serviceaccount/ca.crt 
+          keytool -importcert -no-prompt -keystore /opt/new-cacerts/cacerts -storepass changeit -file /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
   containers:
     - command:
       - /bin/bash
@@ -128,15 +131,16 @@ spec:
           - key: ca.crt
             path: ca.crt
           name: kube-root-ca.crt
-```
+---
 
 === {product_name} Example
 
-Similar to a deployment spec, a workflow has a spec.podTemplate, with minor differences, but the change is almost identical.
-In this case we are mounting some ingress CA bundle because we want our workflow to reach the `.apps.my-cluster-name.my-cluster-domain` SSL endpoint.
+Similar to a deployment spec, a serverless workflow has a spec.podTemplate, with minor differences, but the change is almost identical.
+In this case we are mounting some ingress ca bundle because we want our workflow to reach the `.apps.my-cluster-name.my-cluster-domain` SSL endpoint.
 Here is the relevant spec section of a workflow with the changes:
 
-```yaml
+[source,yaml]
+---
 #...
 spec:
   flow:
@@ -177,12 +181,11 @@ spec:
             - key: ca.crt
               path: ca.crt
             name: kube-root-ca.crt
-```
+---
 
 == Additional Resources
 
 * Keytool documentation: {keytool-docs}
-* Example of a podSpec with certificate initialization: https://gist.githubusercontent.com/rgolangh/90fa261c3a6a12bc1dbe89fa3ad4842b/raw/4875aeb353d47b471c453452e4862a1509161c88/pods-with-cert-init.yaml
 * Dynamically Creating Java keystores OpenShift - Blog Post: https://developers.redhat.com/blog/2017/11/22/dynamically-creating-java-keystores-openshift#end_to_end_springboot_demo