Red Hat SummitChapter 3. Reissuing internal certificates
Each component of Red Hat Advanced Cluster Security for Kubernetes uses an X.509 certificate to authenticate itself to other components. These certificates have expiration dates, and you must reissue, or rotate, certificates before they expire. You can view the certificate expiration dates by selecting Platform Configuration
3.1. Reissuing internal certificates for Central
Central uses a built-in server certificate for authentication when communicating with other Red Hat Advanced Cluster Security for Kubernetes services. This certificate is unique to your Central installation. The RHACS portal shows an information banner when the Central certificate is about to expire.
The information banner only appears 15 days before the certificate expiration date.
For Operator-based installations, beginning with RHACS version 4.3.4, the Operator will automatically rotate all Central components' service transport layer security (TLS) certificates 6 months before they expire. The following conditions apply:
-
The rotation of certificates in the secrets does not trigger the components to automatically reload them. However, reloads typically occur when the pod is replaced as part of an RHACS upgrade or as a result of node reboots. If neither of those events happens at least every 6 months, you must restart the pods before the old (in-memory) service certificates expire. For example, you can delete the pods with an
applabel that contains one of the values ofcentral,central-db,scanner, orscanner-db. - CA certificates are not updated. They are valid for 5 years.
For non-Operator based installations, you must manually rotate TLS certificates. Instructions for manually rotating certificates are included in the following section.
Prerequisites
-
To reissue, or rotate, certificates, you must have
writepermission for theAdministrationresource.
Procedure
- In the RHACS portal, click on the link in the banner that announces the certificate expiration to download a YAML configuration file, which contains a new secret. The secret includes the certificate and key values.
Apply the new YAML configuration file to the cluster where you have installed Central by running the following command:
oc apply -f <secret_file.yaml>
$ oc apply -f <secret_file.yaml>Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Restart Central to apply the changes.
3.1.1. Restarting the Central container
You can restart the Central container by killing the Central container or by deleting the Central pod.
Procedure
Run the following command to kill the Central container:
NoteYou must wait for at least 1 minute, until OpenShift Container Platform propagates your changes and restarts the Central container.
oc -n stackrox exec deploy/central -c central -- kill 1
$ oc -n stackrox exec deploy/central -c central -- kill 1Copy to Clipboard Copied! Toggle word wrap Toggle overflow Or, run the following command to delete the Central pod:
oc -n stackrox delete pod -lapp=central
$ oc -n stackrox delete pod -lapp=centralCopy to Clipboard Copied! Toggle word wrap Toggle overflow
3.2. Reissuing internal certificates for Scanner
Scanner has a built-in certificate that it uses to communicate with Central.
The RHACS portal shows an information banner when the Scanner certificate is about to expire.
The information banner only appears 15 days before the certificate expiry date.
Prerequisites
-
To reissue certificates, you must have
writepermission for theAdministrationresource.
Procedure
- Click on the link in the banner to download a YAML configuration file, which contains a new OpenShift Container Platform secret, including the certificate and key values.
Apply the new YAML configuration file to the cluster where you installed Scanner.
oc apply -f <secret_file.yaml>
$ oc apply -f <secret_file.yaml>Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Restart Scanner to apply the changes.
3.2.1. Restarting the Scanner and Scanner DB containers
You can restart the Scanner and Scanner DB container by deleting the pods.
Procedure
To delete the Scanner and Scanner DB pods, run the following command:
On OpenShift Container Platform:
oc delete pod -n stackrox -l app=scanner; oc -n stackrox delete pod -l app=scanner-db
$ oc delete pod -n stackrox -l app=scanner; oc -n stackrox delete pod -l app=scanner-dbCopy to Clipboard Copied! Toggle word wrap Toggle overflow On Kubernetes:
kubectl delete pod -n stackrox -l app=scanner; kubectl -n stackrox delete pod -l app=scanner-db
$ kubectl delete pod -n stackrox -l app=scanner; kubectl -n stackrox delete pod -l app=scanner-dbCopy to Clipboard Copied! Toggle word wrap Toggle overflow
3.3. Reissuing internal certificates for secured clusters
Secured clusters contain the Collector, Sensor, Admission Control, and local Scanner components. These components communicate with each other, and with Central by using certificates.
Choose the appropriate method to reissue the internal certificates:
- Use the automatic certificate renewal feature. This is the recommended method for Operator and Helm deployments.
-
Create, download, and install an init bundle on the secured cluster. You must have the
Adminuser role to create an init bundle. This method is only recommended for Operator and Helm deployments if the certificates have already expired and the secured cluster can no longer connect to Central. -
Use the automatic upgrades feature, which is only available for static manifest deployments by using the
roxctlCLI. This method is only recommended if you have a specific installation requirement that necessitates the use of this method.
3.3.1. Reissuing internal certificates for secured clusters by using automatic certificate renewal
Secured clusters contain the Collector, Sensor, Admission Control, and local Scanner components. You can reissue internal certificates for these components by using automatic certificate renewal.
TLS certificates are automatically renewed several months in advance but are only loaded when RHACS pods restart, for example, during an upgrade.
3.3.1.1. Verifying the status of automatic certificate renewal
By viewing the Clusters page, you can verify that the automatic certificate renewal is active.
Procedure
-
In the RHACS portal, click Platform Configuration
Clusters. - Verify that Auto-refresh enabled appears in the Credential Expiration column.
If a secured cluster displays a warning about soon-to-expire credentials even though auto-refresh is enabled, you must manually restart the pods of the affected cluster to apply the latest certificates and prevent downtime.
For more information, see "Applying the latest internal certificates".
3.3.1.2. Applying the latest internal certificates
By manually restarting the pods of the affected cluster, you can apply the latest certificates and prevent downtime.
Prerequisites
-
You have
writepermission for theAdministrationresource.
Procedure
To manually restart the pods of the affected cluster, run the following command:
oc -n <namespace> delete pods --all
$ oc -n <namespace> delete pods --all1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- The namespace where you installed the secured cluster. For example,
stackrox.If you use Kubernetes, use
kubectlinstead ofoc.
3.3.2. Reissuing internal certificates for secured clusters by using init bundles
Secured clusters contain the Collector, Sensor, Admission Control, and local Scanner components. These components use a built-in server certificate for authentication when communicating with other Red Hat Advanced Cluster Security for Kubernetes (RHACS) components.
The RHACS portal shows an information banner when the Central certificate is about to expire.
The information banner only appears 15 days before the certificate expiry date.
Prerequisites
-
You have
writepermission for theAdministrationresource. -
You have the
Adminuser role to create init bundles.
Store the init bundle securely because it contains secrets. You can use the same bundle on multiple secured clusters.
Procedure
Choose the appropriate method to generate an init bundle:
To generate an init bundle by using the user interface (UI), perform the following steps:
-
In the RHACS portal, click Platform Configuration
Clusters. - Click Init bundles.
- To create a new init bundle, click Create bundle.
- Enter a name for the cluster init bundle.
Choose the appropriate platform of the secured clusters:
The following values are associated with the platform of the secured clusters:
-
OpenShift -
EKS -
AKS -
GKE
-
Choose the appropriate installation method for the secured cluster services from the drop-down list:
The following values are associated with the installation method for the secured cluster services:
-
Operator (recommended) -
Helm chart
-
Click Download.
ImportantYou can only download the YAML file once when you create an init bundle. Store the YAML file securely because it contains secrets.
-
In the RHACS portal, click Platform Configuration
To generate an init bundle by using the
roxctlCLI, run the following command:roxctl -e <endpoint> -p <admin_password> central \ init-bundles generate --output-secrets <bundle_name> \ init-bundle.yaml
$ roxctl -e <endpoint> -p <admin_password> central \ init-bundles generate --output-secrets <bundle_name> \ init-bundle.yamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow
To create the necessary resources on each secured cluster, run the following command:
oc -n stackrox apply -f <init-bundle.yaml>
$ oc -n stackrox apply -f <init-bundle.yaml>Copy to Clipboard Copied! Toggle word wrap Toggle overflow
3.3.3. Reissuing internal certificates for secured clusters by using automatic upgrades
Secured clusters contain the Collector, Sensor, Admission Control, and local Scanner components. You can reissue internal certificates for these components by using automatic upgrades.
Automatic upgrades are only applicable to static manifest-based deployments by using the roxctl CLI.
For more information, see "Install Central using the roxctl CLI".
Prerequisites
- You have enabled automatic upgrades for all the clusters.
-
You have
writepermission for theAdministrationresource.
Procedure
-
In the RHACS portal, click Platform Configuration
Clusters. - Select a cluster to view its details.
From the cluster details panel, select the link to Apply credentials by using an automatic upgrade.
NoteWhen you apply an automatic upgrade, Red Hat Advanced Cluster Security for Kubernetes (RHACS) creates new credentials in the selected cluster. However, you continue to see a notification. The notification disappears when each RHACS service uses the new credentials after the service restarts.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}