From 0a0a012ec50ff0e5b87256825ae2a8fc7adf125f Mon Sep 17 00:00:00 2001
From: Stone
Date: Fri, 19 Mar 2021 16:28:55 -0400
Subject: [PATCH] Local certificate appendix

Adding "Locally create certificates" appendix

Signed-off-by: Stone
Change-Id: I4f5446a7015884a3d0eee6182dceaef71c64e97f
---
 ...y-using-cert-manager-on-the-controller.rst | 108 ++++++++++++++++++
 ...ing-certificates-locally-using-openssl.rst | 64 +++++++++++
 doc/source/security/kubernetes/index.rst | 18 ++-
 3 files changed, 186 insertions(+), 4 deletions(-)
 create mode 100644 doc/source/security/kubernetes/creating-certificates-locally-using-cert-manager-on-the-controller.rst
 create mode 100644 doc/source/security/kubernetes/creating-certificates-locally-using-openssl.rst

diff --git a/doc/source/security/kubernetes/creating-certificates-locally-using-cert-manager-on-the-controller.rst b/doc/source/security/kubernetes/creating-certificates-locally-using-cert-manager-on-the-controller.rst
new file mode 100644
index 000000000..fc3c600a6
--- /dev/null
+++ b/doc/source/security/kubernetes/creating-certificates-locally-using-cert-manager-on-the-controller.rst
@@ -0,0 +1,108 @@
+
+.. qtr1594910639395
+.. _creating-certificates-locally-using-cert-manager-on-the-controller:
+
+================================================================
+Create Certificates Locally using cert-manager on the Controller
+================================================================
+
+You can use :command:`cert-manager` to locally create certificates suitable for
+use in a lab environment.
+
+.. rubric:: |proc|
+
+#. Create a Root |CA| Certificate and Key.
+
+ #. Create a self-signing issuer.
+
+ .. code-block:: none
+
+ $ echo "
+ apiVersion: cert-manager.io/v1alpha2
+ kind: Issuer
+ metadata:
+ name: my-selfsigning-issuer
+ spec:
+ selfSigned: {}
+ " | kubectl apply -f -
+
+ #. Create a Root |CA| certificate and key.
+
+ .. code-block:: none
+
+ $ echo "
+ apiVersion: cert-manager.io/v1alpha2
+ kind: Certificate
+ metadata:
+ name: my-rootca-certificate
+ spec:
+ secretName: my-rootca-certificate
+ commonName: "my-rootca"
+ isCA: true
+ issuerRef:
+ name: my-selfsigning-issuer
+ kind: Issuer
+ " | kubectl apply -f -
+
+ #. Create a Root |CA| Issuer.
+
+ .. code-block:: none
+
+ $ echo "
+ apiVersion: cert-manager.io/v1alpha2
+ kind: Issuer
+ metadata:
+ name: my-rootca-issuer
+ spec:
+ ca:
+ secretName: my-rootca-certificate
+ " | kubectl apply -f -
+
+
+ #. Create files for the Root |CA| certificate and key.
+
+ .. code-block:: none
+
+ $ kubectl get secret my-rootca-certificate -o yaml | egrep "^ tls.crt:" | awk '{print $2}' | base64 --decode > my-rootca-cert.pem
+ $ kubectl get secret my-rootca-certificate -o yaml | egrep "^ tls.key:" | awk '{print $2}' | base64 --decode > my-rootca-key.pem
+
+
+#. Create and sign a Server certificate and key
+
+ #. Create the Server certificate and key.
+
+ .. code-block:: none
+
+ $ echo "
+ apiVersion: cert-manager.io/v1alpha2
+ kind: Certificate
+ metadata:
+ name: my-server-certificate
+ spec:
+ secretName: my-server-certificate
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ organization:
+ - WindRiver
+ commonName: 1.1.1.1
+ dnsNames:
+ - myserver.wrs.com
+ ipAddresses:
+ - 1.1.1.1
+ issuerRef:
+ name: my-rootca-issuer
+ kind: Issuer
+ " | kubectl apply -f -
+
+ #. Create the |PEM| files for Server certificate and key.
+
+ .. code-block:: none
+
+ $ kubectl get secret my-server-certificate -o yaml | egrep "^ tls.crt:" | awk '{print $2}' | base64 --decode > my-server-cert.pem
+ $ kubectl get secret my-server-certificate -o yaml | egrep "^ tls.key:" | awk '{print $2}' | base64 --decode > my-server-key.pem
+
+ #. Combine the server certificate and key in a single file.
+
+ .. code-block:: none
+
+ $ cat my-server-cert.pem my-server-key.pem > my-server.pem
diff --git a/doc/source/security/kubernetes/creating-certificates-locally-using-openssl.rst b/doc/source/security/kubernetes/creating-certificates-locally-using-openssl.rst
new file mode 100644
index 000000000..bf8ec5c27
--- /dev/null
+++ b/doc/source/security/kubernetes/creating-certificates-locally-using-openssl.rst
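Review bot: The `kubectl get secret ... > my-rootca-key.pem` and `... > my-server-key.pem` lines write private keys to files whose mode is whatever the shell's umask gives, typically world-readable; the procedure should have the reader run `umask 077` before these steps (or `chmod 600` the .pem files afterwards), and the same applies to the combined `my-server.pem`, which also contains the key. The manifests use `apiVersion: cert-manager.io/v1alpha2`, which cert-manager deprecated in 1.0 and removed in 1.6, so the `kubectl apply` steps only work against older releases; if the platform ships a recent cert-manager, `cert-manager.io/v1` is the API to document. Extracting a field with `-o yaml | egrep | awk` is fragile; `kubectl get secret my-rootca-certificate -o jsonpath='{.data.tls\.key}' | base64 --decode` does the same in one step. The sample values `1.1.1.1` and `myserver.wrs.com` are not marked as placeholders, so a reader is likely to copy them verbatim into a certificate that will not match their server.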
@@ -0,0 +1,64 @@
+
+.. rmn1594906401238
+.. _creating-certificates-locally-using-openssl:
+
+=========================================
+Create Certificates Locally using openssl
+=========================================
+
+You can use :command:`openssl` to locally create certificates suitable for use
+in a lab environment.
+
+.. rubric:: |proc|
+
+.. _creating-certificates-locally-using-openssl-steps-unordered-pln-qhc-jmb:
+
+#. Create a Root |CA| Certificate and Key
+
+ #. Create the Root |CA| private key.
+
+ .. code-block:: none
+
+ $ openssl genrsa -out my-root-ca-key.pem 2048
+
+ #. Generate the Root |CA| x509 certificate.
+
+ .. code-block:: none
+
+ $ openssl req -x509 -new -nodes -key my-root-ca-key.pem -days 1024 -out my-root-ca-cert.pem -outform PEM
+
+
+#. Create and sign a server certificate and key.
+
+ #. Create the server private key.
+
+ .. code-block:: none
+
+ $ openssl genrsa -out my-server-key.pem 2048
+
+ #. Create the Server certificate signing request \(csr\).
+
+ Specify CN= and do **not** specify a challenge
+ password.
+
+ .. code-block:: none
+
+ $ openssl req -new -key my-server-key.pem -out my-server.csr
+
+ #. Create the |SANs| list.
+
+ .. code-block:: none
+
+ $ echo subjectAltName = IP:,DNS:registry.local,DNS:registry.central > extfile.cnf
+
+ #. Use the my-root-ca to sign the server certificate.
+
+ .. code-block:: none
+
+ $ openssl x509 -req -in my-server.csr -CA my-root-ca-cert.pem -CAkey my-root-ca-key.pem -CAcreateserial -out my-server-cert.pem -days 365 -extfile extfile.cnf
+
+ #. Put the server certificate and key in a single file.
+
+ .. code-block:: none
+
+ $ cat my-server-cert.pem my-server-key.pem > my-server.pem
diff --git a/doc/source/security/kubernetes/index.rst b/doc/source/security/kubernetes/index.rst
index 5dbcaab3f..5b1a8914c 100644
--- a/doc/source/security/kubernetes/index.rst
+++ b/doc/source/security/kubernetes/index.rst
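Review bot: The `subjectAltName = IP:,DNS:registry.local,DNS:registry.central` line has no address after `IP:`, so the later `openssl x509 -req ... -extfile extfile.cnf` step is expected to fail parsing the extension instead of signing; the CSR step's `Specify CN= and do **not** specify a challenge password.` sentence is likewise missing its value. Both look like placeholders that were lost, and should be written as explicit ones, e.g. `IP:<server-ip>` and `CN=<server-ip-or-hostname>`, with a sentence saying the value must match the address clients will use. `openssl req -x509 -new -nodes` leaves the root CA key unencrypted, and the `genrsa -out` key files and the combined `my-server.pem` are created under the caller's umask; the doc should state that this is acceptable only for the lab use it describes and have the reader run `umask 077` before the key-generation steps.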
@@ -310,11 +310,21 @@ Security Features security-hardening-firewall-options isolate-starlingx-internal-cloud-management-network
-********
-Appendix
-********
+*********************************************************
+Appendix: Certificate management for admin REST endpoints
+*********************************************************
 .. toctree:: :maxdepth: 1
- certificate_management_for_admin_rest_api_endpoints
\ No newline at end of file
+ certificate_management_for_admin_rest_api_endpoints
+
+***************************************
+Appendix: Locally creating certifciates
+***************************************
+
+.. toctree::
+ :maxdepth: 1
+
+ creating-certificates-locally-using-cert-manager-on-the-controller
+ creating-certificates-locally-using-openssl
\ No newline at end of file
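Review bot: The added heading `Appendix: Locally creating certifciates` misspells "certificates"; since it is a user-visible section title in the toctree it should read `Appendix: Locally creating certificates`, and its overline and underline must stay the same width as the corrected text. The new side of the file also still ends without a trailing newline (`\ No newline at end of file` remains on the last added line), which this edit could fix while it is touching the end of the file.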