From 41f53eaf894d645340e755f0e4acb617dab55d24 Mon Sep 17 00:00:00 2001
From: JenTing Hsiao
Date: Tue, 3 Nov 2020 18:31:03 +0800
Subject: [PATCH] Add missing part on manually renew the metrics-server cert (#1042)

* Add missing part on manually renew the metrics-server cert
Signed-off-by: JenTing Hsiao
* Add wording changes from review
Co-authored-by: Markus Napp
---
 adoc/admin-security-certificates.adoc | 82 ++++++++++++++++++++++-----
 1 file changed, 68 insertions(+), 14 deletions(-)

diff --git a/adoc/admin-security-certificates.adoc b/adoc/admin-security-certificates.adoc
index 0cb88647e..0906ec823 100644
--- a/adoc/admin-security-certificates.adoc
+++ b/adoc/admin-security-certificates.adoc
@@ -1052,19 +1052,17 @@ In the admin node, regenerate the certificates: + [source,bash] ---- -mkdir -p my-cluster/pki.bak -kubectl get secret oidc-dex-cert -n kube-system -o yaml | tee my-cluster/pki.bak/oidc-dex-cert.yaml > /dev/null - -cat my-cluster/pki.bak/oidc-dex-cert.yaml | grep tls.crt | awk '{print $2}' | base64 --decode | tee my-cluster/pki.bak/oidc-dex.crt > /dev/null -cat my-cluster/pki.bak/oidc-dex-cert.yaml | grep tls.key | awk '{print $2}' | base64 --decode | tee my-cluster/pki.bak/oidc-dex.key > /dev/null +mkdir -p /pki.bak +kubectl get secret oidc-dex-cert -n kube-system -o "jsonpath={.data['tls\.crt']}" | base64 --decode | tee /pki.bak/oidc-dex.crt > /dev/null +kubectl get secret oidc-dex-cert -n kube-system -o "jsonpath={.data['tls\.key']}" | base64 --decode | tee /pki.bak/oidc-dex.key > /dev/null ---- . Get the original SAN IP address(es) and DNS(s), run: + [source,bash] ---- -openssl x509 -noout -text -in /etc/kubernetes/pki.bak/oidc-dex.crt | grep -oP '(?<=IP Address:)[^,]+' -openssl x509 -noout -text -in /etc/kubernetes/pki.bak/oidc-dex.crt | grep -oP '(?<=DNS:)[^,]+' +openssl x509 -noout -text -in /pki.bak/oidc-dex.crt | grep -oP '(?<=IP Address:)[^,]+' +openssl x509 -noout -text -in /pki.bak/oidc-dex.crt | grep -oP '(?<=DNS:)[^,]+' ---- . Sign the `oidc-dex` server certificate with the default kubernetes CA certificate _or_ trusted CA certificate. 
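Review bot: `tee /pki.bak/oidc-dex.key` writes the decoded TLS private key with the caller's default umask, so on most systems the backup ends up mode 0644 and readable by every local user on the admin node; the same applies to `/pki.bak/oidc-gangway.key` in the next hunk and `/pki.bak/metrics-server.key` in the last one. Prefix each block with `umask 077` (or add `chmod 600 /pki.bak/*.key` after the two extraction commands) and say so in the prose, since readers tend to copy only the command block. The move from `my-cluster/pki.bak` to `/pki.bak` at the filesystem root also means the `mkdir` needs root on the admin node; if that relocation is intended, a sentence stating it would avoid surprise.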
@@ -1110,19 +1108,17 @@ kubectl rollout restart deployment/oidc-dex -n kube-system + [source,bash] ---- -mkdir -p my-cluster/pki.bak -kubectl get secret oidc-gangway-cert -n kube-system -o yaml | tee my-cluster/pki.bak/oidc-gangway-cert.yaml > /dev/null - -cat my-cluster/pki.bak/oidc-gangway-cert.yaml | grep tls.crt | awk '{print $2}' | base64 --decode | tee my-cluster/pki.bak/oidc-gangway.crt > /dev/null -cat my-cluster/pki.bak/oidc-gangway-cert.yaml | grep tls.key | awk '{print $2}' | base64 --decode | tee my-cluster/pki.bak/oidc-dgangwayex.key > /dev/null +mkdir -p /pki.bak +kubectl get secret oidc-gangway-cert -n kube-system -o "jsonpath={.data['tls\.crt']}" | base64 --decode | tee /pki.bak/oidc-gangway.crt > /dev/null +kubectl get secret oidc-gangway-cert -n kube-system -o "jsonpath={.data['tls\.key']}" | base64 --decode | tee /pki.bak/oidc-gangway.key > /dev/null ---- . Get the original SAN IP address(es) and DNS(s), run: + [source,bash] ---- -openssl x509 -noout -text -in /etc/kubernetes/pki.bak/oidc-gangway.crt | grep -oP '(?<=IP Address:)[^,]+' -openssl x509 -noout -text -in /etc/kubernetes/pki.bak/oidc-gangway.crt | grep -oP '(?<=DNS:)[^,]+' +openssl x509 -noout -text -in /pki.bak/oidc-gangway.crt | grep -oP '(?<=IP Address:)[^,]+' +openssl x509 -noout -text -in /pki.bak/oidc-gangway.crt | grep -oP '(?<=DNS:)[^,]+' ---- . Sign the `oidc-gangway` server certificate with the default kubernetes CA certificate _or_ trusted CA certificate. 
@@ -1162,6 +1158,64 @@ kubectl replace -f oidc-gangway-cert.yaml kubectl rollout restart deployment/oidc-gangway -n kube-system ---- +* Replace the `metrics-server` server certificate: ++ +. Backup the original `metrics-server` server certificate and key from secret resource. ++ +[source,bash] +---- +mkdir -p /pki.bak +kubectl get secret metrics-server-cert -n kube-system -o "jsonpath={.data['tls\.crt']}" | base64 --decode | tee /pki.bak/metrics-server.crt > /dev/null +kubectl get secret metrics-server-cert -n kube-system -o "jsonpath={.data['tls\.key']}" | base64 --decode | tee /pki.bak/metrics-server.key > /dev/null +---- + +. Get the O/OU/CN, run: ++ +[source,bash] +---- +openssl x509 -noout -subject -in /pki.bak/metrics-server.crt +---- + +. Get the original SAN IP address(es) and DNS(s), run: ++ +[source,bash] +---- +openssl x509 -noout -text -in /pki.bak/metrics-server.crt | grep -oP '(?<=IP Address:)[^,]+' +openssl x509 -noout -text -in /pki.bak/metrics-server.crt | grep -oP '(?<=DNS:)[^,]+' +---- + +. Sign the `metrics-server-cert` server certificate with the default {kube} CA certificate ++ +Please refer to <> on how to sign the self signed server certificate. The default {kube} CA certificate and key are located at `/etc/kubernetes/pki/ca.crt` and `/etc/kubernetes/pki/ca.key`. The `server.conf` for O/OU/CN _must be_ the same as original one, `IP.1` is the original SAN IP address if present, `DNS.1` is the original SAN DNS if present. + +. Import your certificate into the {kube} cluster. +The CA certificates is ``, server certificate and key are `` and ``. + +. Create a secret manifest file `oidc-metrics-server-cert.yaml` and update the secret data `ca.crt`, `tls.crt`, and `tls.key` with base64; encoded with CA certificate, signed `metrics-server` server certificate and key respectively. 
++ +---- +apiVersion: v1 +kind: Secret +metadata: + name: metrics-server-cert + namespace: kube-system + labels: + caasp.suse.com/skuba-addon: "true" +type: kubernetes.io/tls +data: + ca.crt: cat | base64 | awk '{print}' ORS='' && echo + tls.crt: cat | base64 | awk '{print}' ORS='' && echo + tls.key: cat | base64 | awk '{print}' ORS='' && echo +---- + +. Apply the secret manifest file and restart `metrics-server` pods. ++ +[source,bash] +---- +kubectl replace -f metrics-server-cert.yaml +kubectl rollout restart deployment/metrics-server -n kube-system +---- + == How To Generate Certificates [[trusted_signed_certificate]]
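Review bot: The manifest step tells the reader to create `oidc-metrics-server-cert.yaml`, but the apply step runs `kubectl replace -f metrics-server-cert.yaml`, so following the text verbatim fails with a missing-file error; change the create step to `Create a secret manifest file `metrics-server-cert.yaml`` so it matches both the command and the `metrics-server-cert` secret name used in `metadata.name`. The sentences "The CA certificates is ``, server certificate and key are `` and ``" and "Please refer to <> on how to sign" show empty placeholders and an empty cross-reference here; that is probably angle-bracketed text dropped in rendering rather than missing from the .adoc, but it is worth confirming in the source before merging. The enclosing list item block starts in the previous hunk line and continues past the `kubectl rollout restart` command, so the fix is confined to the one `Create a secret manifest file` line.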