allow easily consuming kubernetes TLS secrets

[ibotty]

Kubernetes TLS secrets have keys named tls.crt containing the certificate and tls.key containing the key. It would be great if the base image could get the certificates from the mounted files directly.

Would you consider a pull request adding this functionality?

[ibotty]

Just for others that want something similar, I amended the php image by adding the the following file in /usr/share/container-scripts/php/pre-start/99-kubernetes-tls-secret.sh.

#!/bin/bash
# /usr/share/container-scripts/php/pre-start/99-kubernetes-tls-secret.sh
# this is an adapted copy of process_ssl_certs in /usr/share/container-scripts/php/common.sh
process_kubernetes_tls_certs() {
  local dir
  dir="$1"
  if [ -d ${dir} ]; then
    echo "---> Looking for SSL certs for httpd in $dir ..."
    local ssl_cert="$dir/tls.crt"
    local ssl_private="$dir/tls.key"
    if [ -f "${ssl_cert}" ] ; then
      # do sed for SSLCertificateFile and SSLCertificateKeyFile
      echo "---> Setting SSL cert file for httpd..."
      sed -i -e "s|^SSLCertificateFile .*$|SSLCertificateFile ${ssl_cert}|" ${HTTPD_MAIN_CONF_D_PATH}/ssl.conf
      if [ -f "${ssl_private}" ]; then
        echo "---> Setting SSL key file for httpd..."
        sed -i -e "s|^SSLCertificateKeyFile .*$|SSLCertificateKeyFile ${ssl_private}|" ${HTTPD_MAIN_CONF_D_PATH}/ssl.conf
      else
        echo "---> Removing SSL key file settings for httpd..."
        sed -i '/^SSLCertificateKeyFile .*/d'  ${HTTPD_MAIN_CONF_D_PATH}/ssl.conf
      fi
    fi
  fi
}

enable_http2() {
  if [ "${ENABLE_HTTP2:-}" = yes ]; then
    sed -i '/<VirtualHost.*:8443>/aProtocols h2 h2c http/1.1' ${HTTPD_MAIN_CONF_D_PATH}/ssl.conf
  fi
}

process_kubernetes_tls_certs "${HTTPD_CERT_DIR:=/run/secrets/tls-certs}"
enable_http2