Chapter 1. Adding custom certificates
Learn how to use a custom TLS certificate with Red Hat Advanced Cluster Security for Kubernetes. After you set up a certificate, users and API clients do not have to bypass the certificate security warnings when connecting to Central.
1.1. Adding a custom security certificate
You can apply a security certificate during the installation or on an existing Red Hat Advanced Cluster Security for Kubernetes deployment.
1.1.1. Prerequisites for adding custom certificates
Prerequisites
- You must already have PEM-encoded private key and certificate files.
  The certificate file should begin and end with human-readable blocks. For example:

  -----BEGIN CERTIFICATE-----
  MIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
  ...
  l4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo=
  -----END CERTIFICATE-----

  The certificate file can contain either a single (leaf) certificate, or a certificate chain.

  Warning
  - If the certificate is not directly signed by a trusted root, you must provide the full certificate chain, including any intermediate certificates.
  - All certificates in the chain must be in order so that the leaf certificate is the first and the root certificate is the last in the chain.
- If you are using a custom certificate that is not globally trusted, you must also configure the Sensor to trust your custom certificate.
Procedure
If you are installing Red Hat Advanced Cluster Security for Kubernetes using the Operator:
- Create a central-default-tls-cert secret that contains the appropriate TLS certificates in the namespace where the Central service will be installed by entering the following command:
  $ oc -n <namespace> create secret tls central-default-tls-cert --cert <tls-cert.pem> --key <tls-key.pem>
If you are installing Red Hat Advanced Cluster Security for Kubernetes using Helm:
- Add your custom certificate and its key in the values-private.yaml file:
  central:
    # Configure a default TLS certificate (public cert + private key) for central
    defaultTLS:
      cert: |
        -----BEGIN CERTIFICATE-----
        EXAMPLE!MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
        ...
        -----END CERTIFICATE-----
      key: |
        -----BEGIN EC PRIVATE KEY-----
        EXAMPLE!MHcl4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo=
        ...
        -----END EC PRIVATE KEY-----
- Provide the configuration file during the installation:
  $ helm install -n stackrox --create-namespace stackrox-central-services rhacs/central-services -f values-private.yaml
If you are installing Red Hat Advanced Cluster Security for Kubernetes using the roxctl CLI, provide the certificate and key files when you run the installer:
- For the non-interactive installer, use the --default-tls-cert and --default-tls-key options:
  $ roxctl central generate --default-tls-cert "cert.pem" --default-tls-key "key.pem"
- For the interactive installer, provide the certificate and key files when you enter answers for the prompts:
  ...
  Enter PEM cert bundle file (optional): <cert.pem>
  Enter PEM private key file (optional): <key.pem>
  Enter administrator password (default: autogenerated):
  Enter orchestrator (k8s, openshift): openshift
  ...
Procedure
If you have installed Red Hat Advanced Cluster Security for Kubernetes using the Operator:
- Create a central-default-tls-cert secret that contains the appropriate TLS certificates in the namespace where the Central service is installed by entering the following command:
  $ oc -n <namespace> create secret tls central-default-tls-cert --cert <tls-cert.pem> --key <tls-key.pem>
If you have installed Red Hat Advanced Cluster Security for Kubernetes using Helm:
- Add your custom certificate and its key in the values-private.yaml file:
  central:
    # Configure a default TLS certificate (public cert + private key) for central
    defaultTLS:
      cert: |
        -----BEGIN CERTIFICATE-----
        EXAMPLE!MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
        ...
        -----END CERTIFICATE-----
      key: |
        -----BEGIN EC PRIVATE KEY-----
        EXAMPLE!MHcl4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo=
        ...
        -----END EC PRIVATE KEY-----
- Use the helm upgrade command and provide the updated configuration file:
  $ helm upgrade -n stackrox --create-namespace stackrox-central-services \
      rhacs/central-services --reuse-values \
      -f values-private.yaml
  where:
  --reuse-values
    Specifies that the upgrade will reuse existing values. You must use this parameter because the values-private.yaml file does not contain all of the required configuration values.
If you have installed Red Hat Advanced Cluster Security for Kubernetes using the roxctl CLI:
- Create and apply a TLS secret from the PEM-encoded key and certificate files:
  $ oc -n stackrox create secret tls central-default-tls-cert \
      --cert <server_cert.pem> \
      --key <server_key.pem> \
      --dry-run -o yaml | oc apply -f -
  After you run this command, Central automatically applies the new key and certificate without requiring the pod to be restarted. It might take up to a minute to propagate the changes.
If you use a custom certificate for Central, you can update the certificate by performing the following procedure.
Procedure
- Delete the existing custom certificate’s secret:
  $ oc -n stackrox delete secret central-default-tls-cert
- Create a new secret:
  $ oc -n stackrox create secret tls central-default-tls-cert \
      --cert <server_cert.pem> \
      --key <server_key.pem> \
      --dry-run -o yaml | oc apply -f -
- Restart the Central container.
1.1.4.1. Restarting the Central container
You can restart the Central container by deleting the Central pod.
If you use Kubernetes, enter kubectl instead of oc.
Procedure
To delete the Central pod, run the following command:
$ oc -n stackrox delete pod -lapp=central