Local certificate appendix

Adding "Locally create certificates" appendix Signed-off-by: Stone <ronald.stone@windriver.com> Change-Id: I4f5446a7015884a3d0eee6182dceaef71c64e97f
2021-03-19 16:28:55 -04:00 · 2021-03-19 16:28:55 -04:00 · 0a0a012ec5
commit 0a0a012ec5
parent dcd3a8b8cc
3 changed files with 186 additions and 4 deletions
--- a/doc/source/security/kubernetes/creating-certificates-locally-using-cert-manager-on-the-controller.rst
+++ b/doc/source/security/kubernetes/creating-certificates-locally-using-cert-manager-on-the-controller.rst
@ -0,0 +1,108 @@
+
+.. qtr1594910639395
+.. _creating-certificates-locally-using-cert-manager-on-the-controller:
+
+================================================================
+Create Certificates Locally using cert-manager on the Controller
+================================================================
+
+You can use :command:`cert-manager` to locally create certificates suitable for
+use in a lab environment.
+
+.. rubric:: |proc|
+
+#.  Create a Root |CA| Certificate and Key.
+
+    #.  Create a self-signing issuer.
+
+        .. code-block:: none
+
+            $ echo "
+            apiVersion: cert-manager.io/v1alpha2
+            kind: Issuer
+            metadata:
+              name: my-selfsigning-issuer
+            spec:
+              selfSigned: {}
+            " | kubectl apply -f -
+
+    #.  Create a Root |CA| certificate and key.
+
+        .. code-block:: none
+
+            $ echo "
+            apiVersion: cert-manager.io/v1alpha2
+            kind: Certificate
+            metadata:
+              name: my-rootca-certificate
+            spec:
+              secretName: my-rootca-certificate
+              commonName: "my-rootca"
+              isCA: true
+              issuerRef:
+                name: my-selfsigning-issuer
+                kind: Issuer
+            " | kubectl apply -f -
+
+    #.  Create a Root |CA| Issuer.
+
+        .. code-block:: none
+
+            $ echo "
+            apiVersion: cert-manager.io/v1alpha2
+            kind: Issuer
+            metadata:
+              name: my-rootca-issuer
+            spec:
+              ca:
+                secretName: my-rootca-certificate
+            " | kubectl apply -f -
+
+
+    #.  Create files for the Root |CA| certificate and key.
+
+        .. code-block:: none
+
+            $ kubectl get secret my-rootca-certificate -o yaml | egrep "^  tls.crt:" | awk '{print $2}' | base64 --decode > my-rootca-cert.pem
+            $ kubectl get secret my-rootca-certificate -o yaml | egrep "^  tls.key:" | awk '{print $2}' | base64 --decode > my-rootca-key.pem
+
+
+#.  Create and sign a Server certificate and key
+
+    #.  Create the Server certificate and key.
+
+        .. code-block:: none
+
+            $ echo "
+            apiVersion: cert-manager.io/v1alpha2
+            kind: Certificate
+            metadata:
+              name: my-server-certificate
+            spec:
+              secretName: my-server-certificate
+              duration: 2160h # 90d
+              renewBefore: 360h # 15d
+              organization:
+              - WindRiver
+              commonName: 1.1.1.1
+              dnsNames:
+              - myserver.wrs.com
+              ipAddresses:
+              - 1.1.1.1
+              issuerRef:
+                name: my-rootca-issuer
+                kind: Issuer
+            " | kubectl apply -f -
+
+    #.  Create the |PEM| files for Server certificate and key.
+
+        .. code-block:: none
+
+            $ kubectl get secret my-server-certificate -o yaml | egrep "^  tls.crt:" | awk '{print $2}' | base64 --decode > my-server-cert.pem
+            $ kubectl get secret my-server-certificate -o yaml | egrep "^  tls.key:" | awk '{print $2}' | base64 --decode > my-server-key.pem
+
+    #.  Combine the server certificate and key in a single file.
+
+        .. code-block:: none
+
+            $ cat my-server-cert.pem my-server-key.pem > my-server.pem
--- a/doc/source/security/kubernetes/creating-certificates-locally-using-openssl.rst
+++ b/doc/source/security/kubernetes/creating-certificates-locally-using-openssl.rst
@ -0,0 +1,64 @@
+
+.. rmn1594906401238
+.. _creating-certificates-locally-using-openssl:
+
+=========================================
+Create Certificates Locally using openssl
+=========================================
+
+You can use :command:`openssl` to locally create certificates suitable for use
+in a lab environment.
+
+.. rubric:: |proc|
+
+.. _creating-certificates-locally-using-openssl-steps-unordered-pln-qhc-jmb:
+
+#.  Create a Root |CA| Certificate and Key
+
+    #.  Create the Root |CA| private key.
+
+        .. code-block:: none
+
+            $ openssl genrsa -out my-root-ca-key.pem 2048
+
+    #.  Generate the Root |CA| x509 certificate.
+
+        .. code-block:: none
+
+            $ openssl req -x509 -new -nodes -key my-root-ca-key.pem -days 1024 -out my-root-ca-cert.pem -outform PEM
+
+
+#.  Create and sign a server certificate and key.
+
+    #.  Create the server private key.
+
+        .. code-block:: none
+
+            $ openssl genrsa -out my-server-key.pem 2048
+
+    #.  Create the Server certificate signing request \(csr\).
+
+        Specify CN=<WRCP-OAM-Floating-IP> and do **not** specify a challenge
+        password.
+
+        .. code-block:: none
+
+            $ openssl req -new -key my-server-key.pem -out my-server.csr
+
+    #.  Create the |SANs| list.
+
+        .. code-block:: none
+
+            $ echo subjectAltName = IP:<WRCP-OAM-Floating-IP>,DNS:registry.local,DNS:registry.central > extfile.cnf
+
+    #.  Use the my-root-ca to sign the server certificate.
+
+        .. code-block:: none
+
+            $ openssl x509 -req -in my-server.csr -CA my-root-ca-cert.pem -CAkey my-root-ca-key.pem -CAcreateserial -out my-server-cert.pem -days 365 -extfile extfile.cnf
+
+    #.  Put the server certificate and key in a single file.
+
+        .. code-block:: none
+
+            $ cat my-server-cert.pem my-server-key.pem > my-server.pem
--- a/doc/source/security/kubernetes/index.rst
+++ b/doc/source/security/kubernetes/index.rst
@ -310,11 +310,21 @@ Security Features
   security-hardening-firewall-options
   isolate-starlingx-internal-cloud-management-network

-********
-Appendix
-********
+*********************************************************
+Appendix: Certificate management for admin REST endpoints
+*********************************************************

 .. toctree::
   :maxdepth: 1

-   certificate_management_for_admin_rest_api_endpoints
+   certificate_management_for_admin_rest_api_endpoints
+   
+***************************************
+Appendix: Locally creating certifciates 
+***************************************
+
+.. toctree::
+   :maxdepth: 1
+   
+   creating-certificates-locally-using-cert-manager-on-the-controller
+   creating-certificates-locally-using-openssl