Configuring Trusted TLS Flashcards

1
Q

Where are the certs used?

A

1) wildcard cert in ingress controller operator (all .apps subdomains)
2) API certificate.
3) Edge route that uses a wildcard certificate.

2
Q

What are the requirements for a wildcard cert?

A

1) PEM format
2) subjectAltName extension with the value *.apps.<OPENSHIFT-DOMAIN>

3
Q

Changing the certificate used by the ingress controller operator does affect certificates signed by the internal OpenShift certificate authority. True or False?

A

False

4
Q

Steps to set up the ingress controller cert

A

1) Create a new cm in the openshift-config namespace
2) Configure the cluster proxy to use the new cm
3) Create a new TLS secret in the openshift-ingress namespace
4) Modify the default ingress controller operator in the openshift-ingress-operator namespace so that defaultCertificate uses the newly created secret

5
Q

Create a cm to set up the ingress controller wildcard domain

A

oc create configmap <CONFIGMAP-NAME> \
--from-file ca-bundle.crt=<PATH-TO-CERTIFICATE> \
-n openshift-config

6
Q

Configure the cluster proxy to use the new cm to set up the ingress controller wildcard domain

A

oc patch proxy/cluster --type=merge \
--patch='{"spec":{"trustedCA":{"name":"<CONFIGMAP-NAME>"}}}'

7
Q

Create a TLS secret to set up the ingress controller wildcard domain

A

oc create secret tls <SECRET-NAME> \
--cert <PATH-TO-CERTIFICATE> \
--key <PATH-TO-KEY> \
-n openshift-ingress

8
Q

Modify the default ingress controller operator in the openshift-ingress-operator namespace so that defaultCertificate uses the newly created secret

A

oc patch ingresscontroller.operator/default \
-n openshift-ingress-operator --type=merge \
--patch='{"spec": {"defaultCertificate": {"name": "<SECRET-NAME>"}}}'

9
Q

Check the progress of setting up the ingress controller wildcard domain

A

watch oc get pods -n openshift-ingress

10
Q

What is the impact of changing the OpenShift master API?

A

Allows users to log in securely using the oc command

11
Q

Requirements to change the master API certificate

A

1) PEM format.
2) The certificate is issued for the master API URL, such as api.ocp4.example.com.
3) The subjectAltName extension contains the URL used to access the master API, such as DNS:api.ocp4.example.com.

12
Q

Steps to change the master API cert

A

1) Create a TLS secret in the openshift-config namespace using the master API certificate and key
2) Modify the cluster API server to use the new secret

13
Q

Check that the master API change is taking effect

A

1) oc get clusteroperator/kube-apiserver
2) oc get pods -l app=openshift-kube-apiserver \
-n openshift-kube-apiserver

14
Q

Create a TLS secret in the openshift-config namespace using the master API certificate and key

A

oc create secret tls <SECRET-NAME> \
--cert <PATH-TO-CERTIFICATE> \
--key <PATH-TO-KEY> \
-n openshift-config

15
Q

Modify the cluster API server to use the new secret

A

oc patch apiserver cluster --type=merge \
-p '{"spec": {"servingCerts": {"namedCertificates":'\
'[{"names": ["<API-SERVER-URL>"],'\
'"servingCertificate": {"name": "<SECRET-NAME>"}}]}}}'

16
Q

Configure your system to trust your enterprise CA

A

1) Copy your enterprise CA certificate to /etc/pki/ca-trust/source/anchors
2) Run the update-ca-trust extract command

17
Q

Why include the enterprise CA cert in a trusted CA bundle?

A

Useful when apps running in OpenShift must communicate with URLs signed by your enterprise CA

18
Q

By default, applications do trust the enterprise CA. True or False?

A

False

19
Q

How do you check if your enterprise CA cert is already included in the CA bundle?

A

1) oc get proxy/cluster \
-o jsonpath='{.spec.trustedCA.name}{"\n"}'

<CONFIGMAP-NAME>

2) oc extract configmap <CONFIGMAP-NAME> \
-n openshift-config --confirm

20
Q

You realize the cm does not contain the enterprise CA certificate. What do you do?

A

1) Combine the wildcard cert and the enterprise CA cert in a new PEM file
2) Add comments: # Wildcard Cert above the wildcard cert and # Enterprise CA above the enterprise CA cert
3) Replace the configuration map with the new cert

21
Q

How do you replace the CA cert cm?

A

oc set data configmap <CONFIGMAP-NAME> \
--from-file ca-bundle.crt=<PATH-TO-NEW-CERTIFICATE> -n openshift-config

22
Q

How do you use the trusted CA bundle in a pod?

A

1) Create an empty configuration map
2) Label the cm with the config.openshift.io/inject-trusted-cabundle=true label
3) Mount the cm into the pod:

oc set volume dc/<DC-NAME> -t configmap \
--name trusted-ca --add --read-only=true \
--mount-path /etc/pki/ca-trust/extracted/pem \
--configmap-name <CONFIGMAP-NAME>

4) Edit the dc so the pod mounts the certificate bundle

23
Q

Edit the dc so the pod mounts the certificate bundle

A
24
Q

Verify that an app trusts certs signed by your enterprise CA

A

1) oc rsh hello-3-65qs7
2) ls /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
3) curl https://hello.apps.ocp4.example.com

25
Q

Display the cluster proxy resource definition

A

oc get proxy/cluster -o yaml

26
Q

Determine the certs that the cluster proxy trusts

A

oc get proxy/cluster -o yaml

Check the trustedCA field

27
Q

Ways to troubleshoot these certificates

A

1) Review the resource via the web console
2) Use the command-line interface
3) Use tools such as openssl

28
Q

Typical cert admin tasks

A

1) Monitoring of custom certificate expiry dates
2) Renewal of certs before production is affected

29
Q

While adding a certificate for the API server, how do you monitor the status?

A

watch oc get clusteroperator/kube-apiserver

30
Q

While adding a certificate for the API server, you get an error when watching the kube-apiserver cluster operator. What do you do?

A

Run the oc logout command followed by oc login

31
Q

Procedure to determine the expiry date of the API server certificate

A

1) Identify the name of the secret containing the certificate used by the API server:
oc get apiserver/cluster -o yaml

2) Extract the secret:

oc extract secret/<SECRET-NAME> -n openshift-config --confirm

3) Use openssl to inspect the certificate:
openssl x509 -in tls.crt -noout -dates

32
Q

Procedure to renew the API server cert

A

1) Follow your company procedures to request a new certificate
2) The CSR for the cert renewal must contain the subjectAltName extension for the URL used to access the API server, such as DNS:api.ocp4.example.com
3) Renew the certificate in place:

oc set data secret <SECRET-NAME> \
--from-file tls.crt=<PATH-TO-NEW-CERTIFICATE> \
--from-file tls.key=<PATH-TO-KEY> \
-n openshift-config

33
Q

What are some of the routes that OpenShift ingress controller manages?

A

OAuth, the web console, and Prometheus

34
Q

Renew the ingress controller certificate

A

1) Identify the name of the secret containing the cert used by the ingress controller
2) Extract the secret
3) Use openssl to verify the dates

35
Q

Identify the name of the secret containing the cert used by the ingress controller

A

oc get ingresscontroller/default -n openshift-ingress-operator \
-o jsonpath='{.spec.defaultCertificate.name}{"\n"}'

<SECRET-NAME>

36
Q

Extract the secret for ingress controller

A

oc extract secret/<SECRET-NAME> -n openshift-ingress --confirm

37
Q

Inspect the certificate

A

openssl x509 -in tls.crt -noout -dates

38
Q

The certificate is not updating in the cluster. What do you need to check?

A

1) Use openssl to check that the new certificate is valid
2) Verify that the notBefore date is in the past and the notAfter date is in the future
3) Compare the certificate serial numbers

39
Q

Compare the certificate serial numbers

A

1) oc get secret <SECRET-NAME> -n openshift-config \
-o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -serial

2) openssl x509 -in <PATH-TO-CERTIFICATE> -noout -serial

40
Q

The kube-apiserver pods do not redeploy after an in-place certificate update. What do you do?

A

oc get events --sort-by='.lastTimestamp' \
-n openshift-kube-apiserver

41
Q

Troubleshooting Ingress Controller Certificates

A

oc get pods -n openshift-ingress

42
Q

Extract the validity dates of the certs served by an endpoint

A

curl -v -k \
https://console-openshift-console.apps.ocp4.example.com 2>&1 | \
grep -E 'date|expired'