October 20, 2022

OpenShift 4.6 Automation and Integration: Configure trusted TLS Certificates

3.1. Replacing the default ingress certificate

https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html-single/security_and_compliance/index#replacing-default-ingress

subjectAltName: DNS:*.apps.<cluster_name>.<base_domain>

$ cat ingress.pem ca.pem > ingress-chain.pem

Create a config map that includes only the root CA certificate used to sign the wildcard certificate:

$ oc create configmap custom-ca \
     --from-file=ca-bundle.crt=ca.pem \
     -n openshift-config

Update the cluster-wide proxy configuration with the newly created config map:

$ oc patch proxy/cluster \
     --type=merge \
     --patch='{"spec":{"trustedCA":{"name":"custom-ca"}}}'

Create a secret that contains the wildcard certificate chain and key:

$ oc create secret tls custom-ingress \
     --cert=ingress-chain.pem \
     --key=</path/to/cert.key> \
     -n openshift-ingress

Update the Ingress Controller configuration with the newly created secret:

$ oc patch ingresscontroller.operator default \
     --type=merge -p \
     '{"spec":{"defaultCertificate": {"name": "custom-ingress"}}}' \
     -n openshift-ingress-operator

$ watch oc get pods -n openshift-ingress

Adding API server certificates

https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html-single/security_and_compliance/index#api-server-certificates

subjectAltName: DNS:api.<cluster_name>.<base_domain>

$ cat api.pem ca.pem > api-chain.pem

Create a secret that contains the certificate chain and private key in the openshift-config namespace.

$ oc create secret tls custom-api \
     --cert=api-chain.pem \
     --key=</path/to/cert.key> \
     -n openshift-config

Update the API server to reference the created secret.

$ oc patch apiserver cluster \
     --type=merge -p \
     '{"spec":{"servingCerts": {"namedCertificates":
     [{"names": ["<FQDN>"],
     "servingCertificate": {"name": "custom-api"}}]}}}'

<FQDN> is the API server host name, i.e. api.<cluster_name>.<base_domain>, and must match a DNS entry in the certificate's subjectAltName.

$ oc get clusteroperators kube-apiserver

$ oc get events --sort-by='.lastTimestamp' -n openshift-kube-apiserver
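Before either secret is created (the wildcard one in openshift-ingress or the API one in openshift-config), it is worth checking the material offline: that the SAN really covers the name the controller will serve, that the key belongs to the certificate, that the chain file starts with the leaf and verifies up to the CA, and that the ca.pem handed to the custom-ca config map actually contains the issuing CA. The script below is an added example and is not code from the page or from the Red Hat documentation; it builds a throwaway root CA and a *.apps.example.com certificate with openssl so it runs offline, and example.com and the file names under $WORK are assumptions. The same checks apply to api-chain.pem with api.<cluster_name>.<base_domain> as the name.

```shell
#!/bin/sh
# Added example, not part of the page or the Red Hat docs: pre-flight checks on the
# certificate material before it goes into "oc create secret tls". The domain
# example.com and the files under $WORK are assumptions; the CA and the wildcard
# certificate are constructed locally with openssl so the script runs offline.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Minimal OpenSSL config: extension sections for a test root CA and a wildcard leaf.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
subjectAltName = DNS:*.apps.example.com
extendedKeyUsage = serverAuth
EOF

# Constructed stand-ins for ca.pem, ingress.pem and the private key on the page.
openssl req -x509 -config "$CNF" -extensions ca_ext -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
    -subj "/CN=*.apps.example.com" -keyout "$WORK/ingress.key" -out "$WORK/ingress.csr" 2>/dev/null
openssl x509 -req -in "$WORK/ingress.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$CNF" -extensions leaf_ext -days 1 -out "$WORK/ingress.pem" 2>/dev/null
cat "$WORK/ingress.pem" "$WORK/ca.pem" > "$WORK/ingress-chain.pem"
# Same material concatenated the wrong way round, to show what the checks catch.
cat "$WORK/ca.pem" "$WORK/ingress.pem" > "$WORK/wrong-order.pem"

# Subject of the first certificate in a PEM file, without the "subject=" prefix.
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }

# DNS entries of the subjectAltName of the first certificate in a PEM file, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# check_san CERT NAME: NAME must be listed literally, so "*.apps.example.com" does not
# satisfy a check for "api.example.com" (the API server needs its own certificate).
check_san() { cert_dns_names "$1" | grep -qxF -- "$2"; }

# check_key_match CERT KEY: the public key in CERT must be the one derived from KEY.
check_key_match() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_leaf_first CHAIN LEAF: the chain file must start with the server certificate.
# "openssl verify" only validates the first certificate in a file, so a chain that
# starts with the CA still verifies; this check catches that ordering mistake.
check_leaf_first() { [ "$(subject_of "$1")" = "$(subject_of "$2")" ]; }

# check_chain CHAIN CA: the first cert in CHAIN must chain to CA, using the rest of
# CHAIN as untrusted intermediates, which is how clients will build the path.
check_chain() { openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1; }

# check_bundle_contains BUNDLE CA: the ca-bundle.crt handed to the custom-ca config map
# must include the issuing CA (matched by subject; use fingerprints if your PKI reuses names).
check_bundle_contains() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
        | sed -n 's/^subject= *//p' | grep -qxF -- "$(subject_of "$2")"
}

# report LABEL CMD ARGS...: print PASS/FAIL for one check and record failures in rc.
report() {
    label=$1; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; rc=1; fi
}

# run_checks CHAIN LEAF KEY CA BUNDLE NAME: run every check; non-zero if any failed.
# Gate "oc create secret tls" on this.
run_checks() {
    rc=0
    report "san covers $6"      check_san "$2" "$6"
    report "key matches cert"   check_key_match "$1" "$3"
    report "leaf is first"      check_leaf_first "$1" "$2"
    report "chain verifies"     check_chain "$1" "$4"
    report "bundle contains CA" check_bundle_contains "$5" "$4"
    return $rc
}

echo "== ingress-chain.pem (leaf first)"
run_checks "$WORK/ingress-chain.pem" "$WORK/ingress.pem" "$WORK/ingress.key" \
    "$WORK/ca.pem" "$WORK/ca.pem" '*.apps.example.com' || echo "do not load this secret"
echo "== wrong-order.pem (ca.pem first): chain still verifies, key and order checks fail"
run_checks "$WORK/wrong-order.pem" "$WORK/ingress.pem" "$WORK/ingress.key" \
    "$WORK/ca.pem" "$WORK/ca.pem" '*.apps.example.com' || echo "do not load this secret"
```

For real use, point run_checks at your own ingress-chain.pem, ingress.pem, key and ca.pem (the bundle argument is the same ca.pem you pass as ca-bundle.crt), and run it a second time with api-chain.pem and api.<cluster_name>.<base_domain>; the wildcard certificate will not pass the SAN check for the API host, which is why the two sections above use separate certificates.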

Replacing the CA Bundle certificate

https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html-single/security_and_compliance/index#ca-bundle-replacing_updating-ca-bundle

See above "Update the cluster-wide proxy configuration with the newly created config map:"

Certificate injection using Operators

https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html-single/networking/index#certificate-injection-using-operators_configuring-a-custom-pki

$ oc create configmap trusted-ca -n my-example-custom-ca-ns

$ oc label configmap trusted-ca \
  config.openshift.io/inject-trusted-cabundle=true -n my-example-custom-ca-ns

Add the volumeMounts and volumes entries shown below so that the pod mounts the injected certificate bundle at /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, the path RHEL-based images read the system CA bundle from:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-example-custom-ca-deployment
  namespace: my-example-custom-ca-ns
spec:
  ...
    spec:
      ...
      containers:
        - name: my-container-that-needs-custom-ca
          volumeMounts:
          - name: trusted-ca
            mountPath: /etc/pki/ca-trust/extracted/pem
            readOnly: true
      volumes:
      - name: trusted-ca
        configMap:
          name: trusted-ca
          items:
            - key: ca-bundle.crt
              path: tls-ca-bundle.pem
