I’d like to access the Infrastructure -> Certificates store to install stored certs on one of my services.
I found this post, Alarms in rancher, that shows setting some magic labels to get Rancher to set API creds as environment variables. From there I found the certificates endpoint in the API (/v1/projects/nnn/certificates), but it doesn’t list the keys.
Is there some way to get the keys for the certificates, or a better method?
If not listing them is for security, there’s really no point in hiding them from any user role that can shell into the LB containers. From there you can read them in /etc/haproxy/certs.
Upgrading soon to 1.0, but currently on:
Rancher v0.63.1
Cattle v0.155.1
User Interface v0.95.0
Rancher Compose v0.7.2
The keys are write-only in the API. Being able to find a way to get the key through launching a balancer, execing in and inspecting files is very different from offering them up on a platter and always broadcasting them to the API & UI.
If we were to do anything about this it would probably be something like a flag, writable only on create, that sets whether the key should be readable or not for that specific certificate resource.
Thanks for the links, but the only workaround listed was running letsencrypt, which I don’t think I can use my current certificates with.
Although it’s possible, because the LoadBalancer service containers have access, it doesn’t look like there’s a way for us mere mortals to access the full key and certs.
As a workaround I populated my key and cert chain in metadata via a custom Rancher catalog. Then in my entrypoint script I save the metadata to a file my haproxy install can consume.
Definitely not as clean as using the cert store would be, but it will get me going for now.
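One way to write the entrypoint step described in the post above, as an added example that is not the poster’s script. It assumes the custom catalog exposes two service metadata keys, tls_cert_chain and tls_key (hypothetical names), reads them from the Rancher metadata service, and assembles the HAProxy PEM with owner-only permissions after checking that the chain and key fields actually hold what they claim to.

```shell
#!/bin/sh
# Added example (not the poster's script). Assumed layout: the custom catalog's
# docker-compose.yml sets service metadata keys "tls_cert_chain" (server cert
# followed by intermediates) and "tls_key" (the private key), both as PEM text.
METADATA_URL="${METADATA_URL:-http://rancher-metadata/latest/self/service/metadata}"
HAPROXY_PEM="${HAPROXY_PEM:-/etc/haproxy/certs/site.pem}"

# Read one metadata key from the Rancher metadata service.
fetch_meta() {
  curl -fsS -H 'Accept: text/plain' "$METADATA_URL/$1"
}

# Assemble a HAProxy-style PEM (chain first, then key) at $1 from chain $2
# and key $3. Refuses malformed input and never echoes the key material.
build_haproxy_pem() {
  out="$1" chain="$2" key="$3"
  case "$chain" in
    *"-----BEGIN CERTIFICATE-----"*) ;;
    *) echo "tls_cert_chain: no certificate block found" >&2; return 1 ;;
  esac
  case "$chain" in
    *"PRIVATE KEY-----"*) echo "tls_cert_chain: contains a private key" >&2; return 1 ;;
  esac
  case "$key" in
    *"-----BEGIN "*"PRIVATE KEY-----"*) ;;
    *) echo "tls_key: no private key block found" >&2; return 1 ;;
  esac
  # Owner-only permissions, written to a temp file then renamed, so HAProxy
  # never sees a half-written or world-readable certificate file.
  ( umask 077
    tmp="$(mktemp "${out}.XXXXXX")" || exit 1
    printf '%s\n%s\n' "$chain" "$key" > "$tmp" && mv "$tmp" "$out" )
}

main() {
  chain="$(fetch_meta tls_cert_chain)" || exit 1
  key="$(fetch_meta tls_key)" || exit 1
  build_haproxy_pem "$HAPROXY_PEM" "$chain" "$key" || exit 1
  # Config path is an assumption; adjust to the image in use.
  exec haproxy -f /usr/local/etc/haproxy/haproxy.cfg
}

# Invoked from the image ENTRYPOINT as: sh entrypoint.sh run
case "${1:-}" in run) main ;; esac
```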