Configuring Trusted TLS Flashcards
Where are the certs used?
1) wildcard cert in ingress controller operator (all .apps subdomains)
2) API certificate.
3) Edge route that uses a wildcard certificate.
What are the requirements for a wildcard cert?
1) PEM format
2) Extension subjectAltName with value: *.apps.<OPENSHIFT-DOMAIN>
Changing the certificate used by the ingress controller operator does affect certificates signed by the internal OpenShift certificate authority. True or False
False
Steps to set up the ingress controller cert
1) Create a new cm in the openshift-config namespace
2) Configure the cluster proxy to use the new cm
3) Create a new TLS secret in the openshift-ingress namespace
4) Modify the default ingress controller operator in the openshift-ingress-operator namespace so that defaultCertificate uses the newly created secret
Create a cm to set up the ingress controller wildcard domain
oc create configmap <CONFIGMAP-NAME> \
--from-file ca-bundle.crt=<PATH-TO-CERTIFICATE> \
-n openshift-config
Configure the cluster proxy to use the new cm to set up the ingress controller wildcard domain
oc patch proxy/cluster --type=merge \
--patch='{"spec":{"trustedCA":{"name":"<CONFIGMAP-NAME>"}}}'
Create a TLS secret to set up the ingress controller wildcard domain
oc create secret tls <SECRET-NAME> \
--cert <PATH-TO-CERTIFICATE> \
--key <PATH-TO-KEY> \
-n openshift-ingress
Modify the default ingress controller operator in the openshift-ingress-operator namespace so that defaultCertificate uses the newly created secret
oc patch ingresscontroller.operator/default \
-n openshift-ingress-operator --type=merge \
--patch='{"spec": {"defaultCertificate": {"name": "<SECRET-NAME>"}}}'
Check the progress of setting up the ingress controller wildcard domain
watch oc get pods -n openshift-ingress
What is the impact of changing the OpenShift master API certificate?
Allows users to log in securely using the oc command
Requirements to change the master API certificate
1) PEM format.
2) The certificate is issued for the master API URL, such as api.ocp4.example.com.
3) The subjectAltName extension contains the URL used to access the master API, such as DNS:api.ocp4.example.com.
Steps to change the master API cert
1) Create TLS secret in the openshift-config namespace using the master API certificate and key
2) Modify the cluster API server to use the new secret
Check that the master API change is taking effect
1) oc get clusteroperator/kube-apiserver
2) oc get pods -l app=openshift-kube-apiserver \
-n openshift-kube-apiserver
Create TLS secret in the openshift-config namespace using the master API certificate and key
oc create secret tls <SECRET-NAME> \
--cert <PATH-TO-CERTIFICATE> \
--key <PATH-TO-KEY> \
-n openshift-config
Modify the cluster API server to use the new secret
oc patch apiserver cluster --type=merge \
-p '{"spec": {"servingCerts": {"namedCertificates":'\
'[{"names": ["<API-SERVER-URL>"],'\
'"servingCertificate": {"name": "<SECRET-NAME>"}}]}}}'
Configure your system to trust your enterprise CA
1) Copy your enterprise CA certificate to /etc/pki/ca-trust/source/anchors/
2) Run the update-ca-trust extract command
Why include the enterprise CA cert in a trusted CA bundle?
Useful when apps running in OpenShift must communicate with URLs signed by your enterprise CA
By default, applications do trust the enterprise CA. True or False
False
How do you check if your enterprise CA cert is already included in the CA bundle?
1) oc get proxy/cluster \
-o jsonpath='{.spec.trustedCA.name}{"\n"}'
<CONFIGMAP-NAME>
2) oc extract configmap <CONFIGMAP-NAME> \
-n openshift-config --confirm
You realize the cm does not contain the enterprise CA certificate. What do you do?
1) Combine the wildcard cert and the enterprise CA cert in a new PEM file
2) Add comments: "# Wildcard Cert" above the wildcard cert and "# Enterprise CA" above the enterprise CA cert
3) Replace the configuration map contents with the new PEM file
How do you replace the CA cert cm?
oc set data configmap <CONFIGMAP-NAME> \
--from-file ca-bundle.crt=<PATH-TO-NEW-CERTIFICATE> -n openshift-config
How do you use the trusted CA bundle in a pod?
1) Create an empty configuration map
2) Label the cm with the config.openshift.io/inject-trusted-cabundle=true label
3) Mount the cm into the pod:
oc set volume dc/<DC-NAME> -t configmap \
--name trusted-ca --add --read-only=true \
--mount-path /etc/pki/ca-trust/extracted/pem \
--configmap-name <CONFIGMAP-NAME>
4) Edit the dc so the pod mounts the certificate bundle
Verify that an app trusts certs signed by your enterprise CA
1) oc rsh hello-3-65qs7
2) ls /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
3) curl https://hello.apps.ocp4.example.com
Display the cluster proxy resource definition
oc get proxy/cluster -o yaml
Determine certs that the cluster proxy trusts
oc get proxy/cluster -o yaml
Check trustedCA
Ways to troubleshoot these certificates
1) Review the resource via the web console
2) Use the command-line interface
3) use tools such as openssl
Typical cert admin tasks
1) monitoring of custom certificate expiry dates
2) renewal of certs before production is affected.
While adding a certificate for the API server, how do you monitor the status?
watch oc get clusteroperator/kube-apiserver
While adding a certificate for the API server, you get an error when watching the api-server cluster operator. What do you do?
Run the oc logout command followed by oc login
Procedure to determine the expiry date of the API server certificate
1) identify the name of the secret containing the certificate used by the API server:
oc get apiserver/cluster -o yaml
2) Extract the secret
oc extract secret/<SECRET-NAME> -n openshift-config --confirm
3) Use openssl to inspect the certificate
openssl x509 -in tls.crt -noout -dates
Procedure to renew the API server cert
1) follow your company procedures to request a new certificate
2) CSR for the cert renewal must contain the subjectAltName extension for the URL used to access the API server, such as DNS:api.ocp4.example.com
3) renew the certificate in place
oc set data secret <SECRET-NAME> \
--from-file tls.crt=<PATH-TO-NEW-CERTIFICATE> \
--from-file tls.key=<PATH-TO-KEY> \
-n openshift-config
What are some of the routes that OpenShift ingress controller manages?
OAuth, the web console, and Prometheus
Renew the ingress controller certificate
1) Identify the name of the secret containing the cert used by the ingress controller.
2) Extract the secret
3) Use openssl to verify the dates
Identify the name of the secret containing the cert used by the ingress controller.
oc get ingresscontroller/default -n openshift-ingress-operator \
-o jsonpath='{.spec.defaultCertificate.name}{"\n"}'
<SECRET-NAME>
Extract the secret for ingress controller
oc extract secret/<SECRET-NAME> -n openshift-ingress --confirm
inspect the certificate
openssl x509 -in tls.crt -noout -dates
Certificate is not updating in the cluster, what do you need to check?
1) Use openssl to check if the new certificate is valid.
2) Verify that the notBefore date is in the past and the notAfter date is in the future.
3) compare the certificate serial numbers
Compare the certificate serial numbers
1) oc get secret <SECRET-NAME> -n openshift-config \
-o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -serial
2) openssl x509 -in <PATH-TO-CERTIFICATE> -noout -serial
The kube-apiserver pods do not redeploy after an in-place certificate update. What do you do?
oc get events --sort-by='.lastTimestamp' \
-n openshift-kube-apiserver
Troubleshooting Ingress Controller Certificates
oc get pods -n openshift-ingress
Extract validity dates for certs used by an API
curl -v -k \
https://console-openshift-console.apps.ocp4.example.com 2>&1 | \
grep -E 'date|expired'