Use the following sections to set up additional certifying authorities (CA).

In general, a cluster administrator creates a ConfigMap and adds additional CAs.

  • Each CA must be associated with a domain. Domain format is hostname[..port].

  • domain is the key in the ConfigMap; value is the PEM-encoded certificate.

  • The ConfigMap name must be set in the build.config.openshift.io/cluster.

Understanding ConfigMaps

Many applications require configuration using some combination of configuration files, command line arguments, and environment variables. These configuration artifacts are decoupled from image content in order to keep containerized applications portable.

The ConfigMap object provides mechanisms to inject containers with configuration data while keeping containers agnostic of OpenShift Container Platform. A ConfigMap can be used to store fine-grained information like individual properties or coarse-grained information like entire configuration files or JSON blobs.

The ConfigMap API object holds key-value pairs of configuration data that can be consumed in pods or used to store configuration data for system components such as controllers. ConfigMap is similar to secrets, but designed to more conveniently support working with strings that do not contain sensitive information. For example:

ConfigMap Object Definition
kind: ConfigMap
apiVersion: v1
metadata:
  creationTimestamp: 2016-02-18T19:14:38Z
  name: example-config
  namespace: default
data: (1)
  example.property.1: hello
  example.property.2: world
  example.property.file: |-
    property.1=value-1
    property.2=value-2
    property.3=value-3
binaryData:
  bar: L3Jvb3QvMTAw (2)
1 Contains the configuration data.
2 Points to a file that contains non-UTF8 data, for example, a binary Java keystore file. Enter the file data in Base 64.

You can use the binaryData field when you create a ConfigMap from a binary file, such as an image.

Configuration data can be consumed in pods in a variety of ways. A ConfigMap can be used to:

  1. Populate the value of environment variables.

  2. Set command-line arguments in a container.

  3. Populate configuration files in a volume.

Both users and system components can store configuration data in a ConfigMap.

Creating a ConfigMap

You can use the following command to create a ConfigMap from directories, specific files, or literal values.

Procedure
  • Create a ConfigMap:

$ oc create configmap <configmap_name> [options]

Adding certifying authorities to a ConfigMap

You can add certifying authorities (CAs) to a ConfigMap with the following procedure.

Prerequisites
  • You must have cluster administrator privileges.

  • You must have access to the registry’s public certificates, usually a hostname/ca.crt file located in the /etc/docker/certs.d/ directory.

Procedure
  1. Create a ConfigMap in the openshift-config namespace containing the trusted certificates for the registries that use self-signed certificates. For each CA file, ensure the key in the ConfigMap is the registry’s hostname in the hostname[..port] format:

    $ oc create configmap registry-cas -n openshift-config \
    --from-file=myregistry.corp.com..5000=/etc/docker/certs.d/myregistry.corp.com:5000/ca.crt \
    --from-file=otherregistry.com=/etc/docker/certs.d/otherregistry.com/ca.crt
  2. Update the cluster image figuration:

    $ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-cas"}}}' --type=merge