Red Hat Summit3.2. Configuring custom certificate authorities
To configure externally generated certificates and domain names using custom certificate authorities (CAs), add them to the MicroShift /etc/microshift/config.yaml configuration file. You must also configure the host operating system trust root.
Externally generated kubeconfig files are created in the /var/lib/microshift/resources/kubeadmin/<hostname>/kubeconfig directory. If you need to use localhost in addition to externally generated configurations, retain the original kubeconfig file in its default location. The localhost kubeconfig file uses the self-signed certificate authority.
Prerequisites
-
The OpenShift CLI (
oc) is installed. - You have access to the cluster as a user with the cluster administration role.
- The certificate authority has issued the custom certificates.
-
A MicroShift
/etc/microshift/config.yamlconfiguration file exists.
Procedure
- Copy the custom certificates you want to add to the trust root of the MicroShift host. Ensure that the certificate and private keys are only accessible to MicroShift.
For each custom CA that you need, add an
apiServersection callednamedCertificatesto the/etc/microshift/config.yamlMicroShift configuration file by using the following example:apiServer: namedCertificates: - certPath: ~/certs/api_fqdn_1.crt1 keyPath: ~/certs/api_fqdn_1.key2 - certPath: ~/certs/api_fqdn_2.crt keyPath: ~/certs/api_fqdn_2.key names:3 - api_fqdn_1 - *.apps.external.comRestart the MicroShift to apply the certificates by running the following command:
$ systemctl microshift restart-
Wait a few minutes for the system to restart and apply the custom server. New
kubeconfigfiles are generated in the/var/lib/microshift/resources/kubeadmin/directory. -
Copy the
kubeconfigfiles to the client. If you specified wildcards for the IP address, update thekubeconfigto remove the public IP address of the server and replace that IP address with the specific wildcard range you want to use. From the client, use the following steps:
Specify the
kubeconfigto use by running the following command:$ export KUBECONFIG=~/custom-kubeconfigs/kubeconfig1 - 1
- Use the location of the copied
kubeconfigfile as the path.
Check that the certificates are applied by using the following command:
$ oc --certificate-authority ~/certs/ca.ca get nodeExample output
oc get node NAME STATUS ROLES AGE VERSION dhcp-1-235-195.arm.example.com Ready control-plane,master,worker 76m v1.29.2Add the new CA file to the $KUBECONFIG environment variable by running the following command:
$ oc config set clusters.microshift.certificate-authority /tmp/certificate-authority-data-new.crtVerify that the new
kubeconfigfile contains the new CA by running the following command:$ oc config view --flattenExample externally generated
kubeconfigfileapiVersion: v1 clusters: - cluster: certificate-authority: /tmp/certificate-authority-data-new.crt1 server: https://api.ci-ln-k0gim2b-76ef8.aws-2.ci.openshift.org:6443 name: ci-ln-k0gim2b-76ef8 contexts: - context: cluster: ci-ln-k0gim2b-76ef8 user: name: current-context: kind: Config preferences: {}- 1
- The
certificate-authority-datasection is not present in externally generatedkubeconfigfiles. It is added with theoc config setcommand used previously.
Verify the
subjectandissuerof your customized API server certificate authority by running the following command:$ curl --cacert /tmp/caCert.pem https://${fqdn_name}:6443/healthz -vExample output
Server certificate: subject: CN=kas-test-cert_server start date: Mar 12 11:39:46 2024 GMT expire date: Mar 12 11:39:46 2025 GMT subjectAltName: host "dhcp-1-235-3.arm.eng.rdu2.redhat.com" matched cert's "dhcp-1-235-3.arm.eng.rdu2.redhat.com" issuer: CN=kas-test-cert_ca SSL certificate verify ok.重要Either replace the
certificate-authority-datain the generatedkubeconfigfile with the newrootCAor add thecertificate-authority-datato the trust root of the operating system. Do not use both methods.Configure additional CAs in the trust root of the operating system. For example, in the RHEL Client truststore on the client system. See The system-wide truststore for details.
- Updating the certificate bundle with the configuration that contains the CA is recommended.
-
If you do not want to configure your certificate bundles, you can alternately use the
oc login localhost:8443 --certificate-authority=/path/to/cert.crtcommand, but this method is not preferred.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}