creating-custom-ssl-certs-config-bundle.adoc
Creating a custom SSL/TLS configBundleSecret resource

After creating your custom SSL/TLS certificates, you can create a custom configBundleSecret resource for {productname-ocp}, which allows you to upload ssl.cert and ssl.key files.

Prerequisites
  • You have base64 decoded the original config bundle into a config.yaml file. For more information, see Downloading the existing configuration.

  • You have generated custom SSL certificates and keys.

Procedure
  1. Create a new YAML file, for example, custom-ssl-config-bundle-secret.yaml:

    $ touch custom-ssl-config-bundle-secret.yaml
  2. Create the custom-ssl-config-bundle-secret resource.

    1. Create the resource by entering the following command:

      $ oc -n <namespace> create secret generic custom-ssl-config-bundle-secret \
        --from-file=config.yaml=</path/to/config.yaml> \ (1)
        --from-file=ssl.cert=</path/to/ssl.cert> \ (2)
        --from-file=extra_ca_cert_<name-of-certificate>.crt=ca-certificate-bundle.crt \ (3)
        --from-file=ssl.key=</path/to/ssl.key> \ (4)
        --dry-run=client -o yaml > custom-ssl-config-bundle-secret.yaml
      1. Where </path/to/config.yaml> is the path to your base64-decoded config.yaml file.

      2. Where </path/to/ssl.cert> is the path to your ssl.cert file.

      3. Optional. The --from-file=extra_ca_cert_<name-of-certificate>.crt=ca-certificate-bundle.crt field allows {productname} to recognize custom Certificate Authority (CA) files. If you are using LDAP, OIDC, or another service that uses custom CAs, you must add them via the extra_ca_cert path. For more information, see "Adding additional Certificate Authorities to {productname-ocp}."

      4. Where </path/to/ssl.key> is the path to your ssl.key file.

  3. Optional. You can check the content of the custom-ssl-config-bundle-secret.yaml file by entering the following command:

    $ cat custom-ssl-config-bundle-secret.yaml
    Example output
    apiVersion: v1
    data:
      config.yaml: QUxMT1dfUFVMTFNfV0lUSE9VVF9TVFJJQ1RfTE9HR0lORzogZmFsc2UKQVVUSEVOVElDQVRJT05fVFlQRTogRGF0YWJhc2UKREVGQVVMVF9UQUdfRVhQSVJBVElPTjogMncKRElTVFJJQlVURURfU1R...
      ssl.cert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVYakNDQTBhZ0F3SUJBZ0lVTUFBRk1YVWlWVHNoMGxNTWI3U1l0eFV5eTJjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZZ3hDekFKQmdOVkJBWVR...
      extra_ca_cert_<name-of-certificate>.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVYakNDQTBhZ0F3SUJBZ0lVTUFBRk1YVWlWVHNoMGxNTWI3U1l0eFV5eTJjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZZ3hDe...
      ssl.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ2c0VWxZOVV1SVJPY1oKcFhpZk9MVEdqaS9neUxQMlpiMXQ...
    kind: Secret
    metadata:
      creationTimestamp: null
      name: custom-ssl-config-bundle-secret
      namespace: <namespace>
  4. Create the configBundleSecret resource by entering the following command:

    $ oc create -n <namespace> -f custom-ssl-config-bundle-secret.yaml
    Example output
    secret/custom-ssl-config-bundle-secret created
  5. Update the QuayRegistry YAML file to reference the custom-ssl-config-bundle-secret object by entering the following command:

    $ oc patch quayregistry <registry_name> -n <namespace> --type=merge -p '{"spec":{"configBundleSecret":"custom-ssl-config-bundle-secret"}}'
    Example output
    quayregistry.quay.redhat.com/example-registry patched
  6. Set the tls component of the QuayRegistry YAML to false by entering the following command:

    $ oc patch quayregistry <registry_name> -n <namespace> --type=merge -p '{"spec":{"components":[{"kind":"tls","managed":false}]}}'
    Example output
    quayregistry.quay.redhat.com/example-registry patched
  7. Ensure that your QuayRegistry YAML file has been updated to use the custom SSL configBundleSecret resource, and that the tls component is set to managed: false, by entering the following command:

    $ oc get quayregistry <registry_name> -n <namespace> -o yaml
    Example output
    # ...
      configBundleSecret: custom-ssl-config-bundle-secret
    # ...
    spec:
      components:
      - kind: tls
        managed: false
    # ...
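The secret built in step 2 is just a Kubernetes Secret whose data keys Quay expects to be named config.yaml, ssl.cert, ssl.key and extra_ca_cert_<name>.crt. The following added example (not part of the original document or of the Quay project) assembles that manifest the way the --dry-run=client -o yaml command does, and first runs the checks that catch the most common mistakes: passing a still-base64-encoded config.yaml, non-PEM certificate or key files, and a CA file whose key does not follow the extra_ca_cert_<name>.crt naming that Quay recognizes. File contents are passed in as bytes; the secret name, namespace and sample values are constructed for illustration.

```python
import base64
import json
import re

# Matches the first PEM block and captures its label, e.g. CERTIFICATE or PRIVATE KEY
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.+?\n-----END \1-----", re.S)
# Only keys of this form are picked up by Quay as additional CAs
CA_KEY_RE = re.compile(r"^extra_ca_cert_[A-Za-z0-9._-]+\.crt$")


def pem_type(data: bytes) -> str:
    """Return the label of the first PEM block, or raise if the file is not PEM."""
    match = PEM_RE.search(data.decode("ascii", errors="replace"))
    if not match:
        raise ValueError("not a PEM-encoded file")
    return match.group(1)


def build_config_bundle_secret(namespace, config_yaml, ssl_cert, ssl_key, extra_ca_certs=None):
    """Assemble the Secret manifest that the oc --dry-run=client -o yaml command produces.

    config_yaml, ssl_cert and ssl_key are raw file bytes; extra_ca_certs maps a data key
    such as extra_ca_cert_ldap.crt to the PEM bytes of that CA bundle.
    """
    # The prerequisite is a *decoded* config.yaml; a base64 blob contains no ':' at all
    if b":" not in config_yaml:
        raise ValueError("config.yaml looks base64-encoded; decode it first")
    if "CERTIFICATE" not in pem_type(ssl_cert):
        raise ValueError("ssl.cert must contain a CERTIFICATE block")
    if "PRIVATE KEY" not in pem_type(ssl_key):
        raise ValueError("ssl.key must contain a PRIVATE KEY block")
    data = {"config.yaml": config_yaml, "ssl.cert": ssl_cert, "ssl.key": ssl_key}
    for key, pem in (extra_ca_certs or {}).items():
        if not CA_KEY_RE.match(key):
            raise ValueError(f"bad CA key {key!r}: expected extra_ca_cert_<name>.crt")
        if "CERTIFICATE" not in pem_type(pem):
            raise ValueError(f"{key} must contain a CERTIFICATE block")
        data[key] = pem
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": "custom-ssl-config-bundle-secret", "namespace": namespace},
        "data": {k: base64.b64encode(v).decode("ascii") for k, v in data.items()},
    }


def decode_secret_data(manifest):
    """Reverse the encoding: the same step used to recover config.yaml from an existing bundle."""
    return {k: base64.b64decode(v) for k, v in manifest["data"].items()}


def to_manifest_file(manifest) -> str:
    """Serialize for `oc create -f`; JSON is valid YAML, so no extra dependency is needed."""
    return json.dumps(manifest, indent=2)
```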
Verification
  • Confirm a TLS connection to the server and port by entering the following command:

    $ openssl s_client -connect <quay-server.example.com>:443
    Example output
    # ...
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: 0E995850DC3A8EB1A838E2FF06CE56DBA81BD8443E7FA05895FBD6FBDE9FE737
        Session-ID-ctx:
        Resumption PSK: 1EA68F33C65A0F0FA2655BF9C1FE906152C6E3FEEE3AEB6B1B99BA7C41F06077989352C58E07CD2FBDC363FA8A542975
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 7200 (seconds)
    
    # ...