ocpbugs-8882: configure an additional clientca for the openshiftapi s… #66833
@nalhadef: This pull request references ocpbugs-8882 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.15.0" version, but no target version was set. In response to this:
🤖 Tue Jan 09 19:13:44 - Prow CI generated the docs preview: https://66833--ocpdocs-pr.netlify.app
A couple general comments on this one for you 👍
@jeana-redhat, I'll talk with the reporter about this. The bug was to add this material. If he's happy with it being an introduction, I'm happy to do it. Thanks.
----

. Test the new clientCA certificate with a certificate signed from the new clientCA.
. If the test is successful, you can remove the installer-generated clientCA.
You are not explaining how to remove the installer-generated client CA yet you ask to remove it.
I'd remove this reference from this section but add a new section that explains the removal, after this section, and that suggests that you should first add the new CA as per the section above before replacing.
Pietro may provide a better view on how exactly it should look.
Thanks for the info, Pablo. Could you or Pietro send me the details on how to remove the installer-generated client CA?
@nalhadef this is a bit confusing; this KCS explains the procedure: https://access.redhat.com/solutions/6054981
To give you more context:
- the installer-generated kubeconfig contains a client TLS certificate signed by a CA
- the CA signing the kubeconfig is stored in the configmap named admin-kubeconfig-client-ca in the openshift-config namespace
- in order to invalidate the installer-generated kubeconfig you have to replace the CA (thus the content of the configmap)
- replacing the CA can be dangerous because if you are using the installer-generated kubeconfig and the content of the CM is somehow invalid you can be locked out from the API
- for that reason in the KCS I suggest to:
  - first add an additional CA
  - generate a new kubeconfig using the new CA
  - replace the original CA by replacing the configmap
Incorporated KCS article content
I made two in-line comments. Please check them or let me know if you cannot see them.
Began incorporating content about removing installer-generated certificate.
@palonsoro and @pbertera hi, Pablo and Pietro. I've incorporated the KCS article content into the documentation. Please let me know if it works for you. Thanks!
@nalhadef process looks good to me, but QE should do a specific end-to-end test. Success criteria:
- Cluster *must* be accessible with a kubeconfig that has a client certificate signed by the new CA.
- Cluster *must not* be accessible with the original installation kubeconfig.
If any help is needed during QE testing, feel free to reach out, but we need thorough QE testing for this.
Thanks, Pablo. QE is next.
On Wed, Nov 15, 2023 at 4:28 AM Pablo Alonso Rodriguez wrote:
@nalhadef process looks good to me, but QE should do a specific end-to-end test.
Success criteria:
- Cluster *must* be accessible with a kubeconfig that has a client certificate signed by the new CA.
- Cluster *must not* be accessible with the original installation kubeconfig.
If any help is needed during QE testing, feel free to reach out, but we need thorough QE testing for this.
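The three-phase rotation Pietro describes above (add an additional client CA, prove a kubeconfig signed by it works, only then replace admin-kubeconfig-client-ca), checked against Pablo's two success criteria, as an added shell example. This is not code from the PR, the KCS article or the openshift-docs project. It assumes `oc` is logged in as cluster-admin with KUBECONFIG pointing at the installer-generated kubeconfig, `openssl` is on PATH, the API server reads the CA bundle from the key `ca-bundle.crt` in both config maps, and the config map name `custom-admin-client-ca` is a placeholder. Only the function that runs under the `run` argument talks to a cluster; the helpers are pure functions.

```shell
#!/bin/sh
# Added example, not code from the PR or the openshift-docs project.
# Rotates the client CA trusted by the OpenShift API server in three phases:
# add a CA, verify a kubeconfig signed by it, then replace admin-kubeconfig-client-ca.
# Assumptions: oc logged in as cluster-admin via KUBECONFIG (the installer-generated
# kubeconfig), openssl on PATH, config map key ca-bundle.crt, NEW_CA_CM is a placeholder.
set -eu

NEW_CA_CM="${NEW_CA_CM:-custom-admin-client-ca}"   # placeholder config map name

# Base64-encode a file on a single line (portable across GNU and BSD base64).
b64() { base64 "$1" | tr -d '\n'; }

# Merge patch that makes apiserver/cluster trust an additional client CA config map
# living in openshift-config (spec.clientCA.name).
client_ca_patch() {
  printf '{"spec":{"clientCA":{"name":"%s"}}}' "$1"
}

# Render a kubeconfig: $1 server URL, $2 serving CA (base64), $3 client cert (base64),
# $4 client key (base64). The serving CA is copied from the existing kubeconfig;
# only the client identity changes.
render_kubeconfig() {
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: cluster
  cluster:
    server: $1
    certificate-authority-data: $2
contexts:
- name: admin
  context:
    cluster: cluster
    user: admin
current-context: admin
users:
- name: admin
  user:
    client-certificate-data: $3
    client-key-data: $4
EOF
}

# Generate a new CA and a client certificate signed by it. CN=system:admin with
# O=system:masters is the identity carried by the installer-generated kubeconfig.
make_ca_and_client() {
  openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
    -subj "/CN=custom-admin-ca" -keyout "$1/ca.key" -out "$1/ca.crt"
  openssl req -newkey rsa:4096 -nodes -sha256 \
    -subj "/O=system:masters/CN=system:admin" -keyout "$1/admin.key" -out "$1/admin.csr"
  openssl x509 -req -sha256 -days 365 -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -in "$1/admin.csr" -out "$1/admin.crt"
}

# The kube-apiserver operator rolls out a new revision after a CA change; give it a
# moment to report Progressing=True before waiting for the rollout to finish.
wait_for_kube_apiserver() {
  sleep 30
  oc wait --for=condition=Progressing=False clusteroperator/kube-apiserver --timeout=30m
}

rotate_client_ca() {
  work="$(mktemp -d)"
  old_kubeconfig="${KUBECONFIG:?point KUBECONFIG at the installer-generated kubeconfig}"
  make_ca_and_client "$work"

  # Phase 1: add the new CA alongside the installer CA; nothing is locked out yet.
  oc create configmap "$NEW_CA_CM" -n openshift-config --from-file=ca-bundle.crt="$work/ca.crt"
  oc patch apiserver cluster --type=merge -p "$(client_ca_patch "$NEW_CA_CM")"
  wait_for_kube_apiserver

  # Phase 2: build a kubeconfig from the new client cert and verify it before going on.
  server="$(oc config view --raw --minify -o jsonpath='{.clusters[0].cluster.server}')"
  serving_ca="$(oc config view --raw --minify -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')"
  render_kubeconfig "$server" "$serving_ca" "$(b64 "$work/admin.crt")" "$(b64 "$work/admin.key")" \
    > "$work/new.kubeconfig"
  if [ "$(oc --kubeconfig "$work/new.kubeconfig" whoami)" != "system:admin" ]; then
    echo "new kubeconfig rejected; leaving the installer CA in place" >&2; return 1
  fi

  # Phase 3: replace the installer CA. From here on the original kubeconfig stops working.
  oc create configmap admin-kubeconfig-client-ca -n openshift-config \
    --from-file=ca-bundle.crt="$work/ca.crt" --dry-run=client -o yaml | oc replace -f -
  wait_for_kube_apiserver

  # Success criteria from the review: the new kubeconfig works, the original does not.
  if oc --kubeconfig "$old_kubeconfig" get nodes >/dev/null 2>&1; then
    echo "original kubeconfig still accepted; check admin-kubeconfig-client-ca" >&2; return 1
  fi
  echo "client CA rotated; use $work/new.kubeconfig from now on"
}

# Run only when invoked explicitly so the helpers can be sourced or tested on their own.
if [ "${1:-}" = "run" ]; then rotate_client_ca; fi
```

Invoke it as `sh rotate-client-ca.sh run` (the file name is an assumption). The script refuses to touch admin-kubeconfig-client-ca unless the freshly built kubeconfig already authenticates as system:admin, which is the lock-out safeguard Pietro's comment warns about; keep the generated key and kubeconfig as carefully as the original installer files.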
@xingxingxia Xia, I think you might be the QE for this feature. Please do a QE test and, if accurate, please add a LGTM label. Thanks!!
Hello, Ke Wang. Can you please assign a member of your team to review and hopefully assign a LGTM to this PR? It's associated with OCPBUGS-8882. Thanks.
@nalhadef here is one doc https://access.redhat.com/solutions/6054981 for this section
An existing kubeconfig is replaced by adding a new kubeconfig and configuring the existing kubeconfig to be invalid. The existing kubeconfig remains in place, but is not used due to its invalidating configuration. The existing, now invalid, kubeconfig cannot be removed.

Optionally, you can replace the installer-generated kubeconfig. This process is also referred to as configuring the installer-generated kubeconfig to be invalid.
🤖 [error] RedHat.TermsErrors: Use 'installation program' rather than 'the installer'. For more information, see RedHat.TermsErrors.
.Procedure

To replace the installer-generated kubeconfig, remove the installer-generated clientCA from the API server:
🤖 [error] RedHat.TermsErrors: Use 'installation program' rather than 'the installer'. For more information, see RedHat.TermsErrors.
To replace the installer-generated kubeconfig, remove the installer-generated clientCA from the API server:

. Use the following command to import an additional CA certificate in a configmap in the `openshift-config` namespace. The CA file must be in PEM format.
🤖 [error] RedHat.CaseSensitiveTerms: Use 'config map' rather than 'configmap'. For more information, see RedHat.CaseSensitiveTerms.
----

. Test the new clientCA certificate with a certificate signed from the new clientCA.
. If the test is successful, you can remove the installer-generated clientCA.
🤖 [error] RedHat.TermsErrors: Use 'installation program' rather than 'the installer'. For more information, see RedHat.TermsErrors.
:_content-type: PROCEDURE
[id="replace-the-certificate-authority_{context}"]

= Invalidating the installer-generated kubeconfig before replacing it with a newly generated CA certificate
🤖 [error] RedHat.TermsErrors: Use 'installation program' rather than 'the installer'. For more information, see RedHat.TermsErrors.
= Invalidating the installer-generated kubeconfig before replacing it with a newly generated CA certificate

The installer-generated kubeconfig cannot be removed, but it can be invalidated and replaced with a newly generated CA certificate.
🤖 [error] RedHat.TermsErrors: Use 'installation program' rather than 'The installer'. For more information, see RedHat.TermsErrors.
The installer-generated kubeconfig cannot be removed, but it can be invalidated and replaced with a newly generated CA certificate.

You can replace the installer-generated kubeconfig. You might do this if any of the following conditions exist:
🤖 [error] RedHat.TermsErrors: Use 'installation program' rather than 'the installer'. For more information, see RedHat.TermsErrors.
[role="_additional-resources"]
== Additional resources

* link:https://access.redhat.com/solutions/6054981[Replacing the certificate authority for the installer system:admin kubeconfig]
🤖 [error] RedHat.TermsErrors: Use 'installation program' rather than 'the installer'. For more information, see RedHat.TermsErrors.
@nalhadef: all tests passed! Full PR test history. Your PR dashboard.
The This is because your PR targets the If the update in your PR does NOT apply to version 4.18 onward, please re-target this PR to go directly into the appropriate version branch or branches (enterprise-4.x) instead of main.
PR needs rebase.
The This is because your PR targets the If the update in your PR does NOT apply to version 4.19 onward, please re-target this PR to go directly into the appropriate version branch or branches (enterprise-4.x) instead of main.
Closing in favor of #89427
ocpbugs-8882: Configure an additional clientCA for the OpenShift API server
4.11+
Issue:
https://issues.redhat.com/browse/OCPBUGS-8882
Link to docs preview (December 21, 2023):
https://66833--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/certificates/api-server
QE review: