Chapter 8. Creating sites using a custom certificate authority on OpenShift

By default, Application Interconnect creates certificates to establish links between sites using mutual TLS. These certificates are stored as secrets in the namespace when you create a site using skupper init. If you want to use your own certificates, you can populate a set of secrets with the appropriate certificates before creating the site, as described in this section. This set of secrets provides Application Interconnect with the configuration required to create a site.

The following certificates are required:

skupper-claims-server
Used for linking sites with claim type tokens.
skupper-console-certs
Used by the Skupper console.
skupper-local-client and skupper-local-server
Used by the Skupper router.
skupper-site-server
Used for all inter-router connections, and for headless services.
skupper-service-client
Used for services exposed over TLS.

Prerequisites

  • Access to an OpenShift cluster with sufficient permission to run skupper init.
  • Access to create certificates using your certificate authority.

Procedure

  1. Create one or more certificates for a site.

    There are several alternative approaches to this step:

    • Reissue an existing certificate with a set of Subject Alternative Names (SANs) for the site.
    • Create a new certificate with a set of SANs for the site.
    • Create a new certificate for each item relating to the site.

    You require a certificate for each of the following secrets:

    • skupper.<namespace>
    • skupper-router.<namespace>
    • skupper-router-local
    • skupper-router-local.<namespace>.svc.cluster.local
    • claims-<namespace>.<clustername>.<domain>
    • skupper-<namespace>.<clustername>.<domain>
    • skupper-edge-<namespace>.<clustername>.<domain>
    • skupper-inter-router-<namespace>.<clustername>.<domain>

    where:

    • <namespace> is the name of the namespace where you want to create a site.
    • <clustername> is the name of the cluster.
    • <domain> is the domain name for the cluster.

    Using a specific certificate authority technology is beyond the scope of this guide. However, the following commands show how to create a certificate authority on Linux and create a single certificate that you can use to populate the secrets.

    1. Create a ca directory and create a certificate authority certificate:

      $ mkdir ca
      
      $ cd ca
      
      $ ssh-keygen -t rsa -m PEM -f tls.key -q -N ""
      $ openssl req -x509 -nodes -days 365 -key tls.key -out tls.crt
    2. Using the tls.crt and tls.key files created for the certificate authority, you can create a certificate for the site as follows:

      $ cd ..
      $ mkdir certificate
      $ cd certificate
      
      $ openssl req -nodes -newkey rsa:4096 -x509 -CA ../ca/tls.crt -CAkey ../ca/tls.key -out tls.crt -keyout tls.key -addext "subjectAltName = DNS:skupper.<namespace>, DNS:skupper-router.<namespace>, DNS:skupper-router-local, DNS:skupper-router-local.<namespace>.svc.cluster.local, DNS:claims-<namespace>.<clustername>.<domain>, DNS:skupper-<namespace>.<clustername>.<domain>, DNS:skupper-edge-<namespace>.<clustername>.<domain>, DNS:skupper-inter-router-<namespace>.<clustername>.<domain>"

    You should now have a root certificate in the ca directory and another certificate in the certificate directory that you can use with a site.

  2. Create secrets for the site.

    1. Change to the parent directory of the certificate directory:

      $ cd ..
    2. Populate the ca related secrets using the certificate from the ca directory:

      $ kubectl create secret tls skupper-site-ca --cert=ca/tls.crt --key=ca/tls.key
      
      $ kubectl create secret tls skupper-service-ca --cert=ca/tls.crt --key=ca/tls.key
      
      $ kubectl create secret tls skupper-local-ca --cert=ca/tls.crt --key=ca/tls.key
    3. Populate the other secrets and modify them into the format required by skupper:

      $ kubectl create secret tls skupper-claims-server --cert=certificate/tls.crt --key=certificate/tls.key
      
      $ kubectl patch secret skupper-claims-server -p="{\"data\":{\"ca.crt\": \"$(kubectl get secret skupper-site-ca -o=jsonpath="{.data.tls\.crt}")\"}}"
      
      
      $ kubectl create secret tls skupper-console-certs --cert=certificate/tls.crt --key=certificate/tls.key
      
      $ kubectl patch secret skupper-console-certs -p="{\"data\":{\"ca.crt\": \"$(kubectl get secret skupper-local-ca -o=jsonpath="{.data.tls\.crt}")\"}}"
      
      
      $ kubectl create secret tls skupper-local-client --cert=certificate/tls.crt --key=certificate/tls.key
      
      $ kubectl patch secret skupper-local-client -p="{\"data\":{\"ca.crt\": \"$(kubectl get secret skupper-local-ca -o=jsonpath="{.data.tls\.crt}")\"}}"
      
      
      $ kubectl create secret tls skupper-local-server --cert=certificate/tls.crt --key=certificate/tls.key
      
      $ kubectl patch secret skupper-local-server -p="{\"data\":{\"ca.crt\": \"$(kubectl get secret skupper-local-ca -o=jsonpath="{.data.tls\.crt}")\"}}"
      
      
      $ kubectl create secret tls skupper-site-server --cert=certificate/tls.crt --key=certificate/tls.key
      
      $ kubectl patch secret skupper-site-server -p="{\"data\":{\"ca.crt\": \"$(kubectl get secret skupper-site-ca -o=jsonpath="{.data.tls\.crt}")\"}}"
      
      
      $ kubectl create secret tls skupper-service-client --cert=certificate/tls.crt --key=certificate/tls.key
      
      $ kubectl patch secret skupper-service-client -p="{\"data\":{\"ca.crt\": \"$(kubectl get secret skupper-service-ca -o=jsonpath="{.data.tls\.crt}")\"}}"
  3. Create the site using the following command:

    $ skupper init

    On OpenShift, skupper defaults to using the route ingress, which is the equivalent of skupper init --ingress route.

    To verify your site, check the status:

    $ skupper status

    You can also verify the OpenShift routes are created using:

    $ oc get routes

    Finally, use the following command to check for errors relating to incorrect certificates:

    $ skupper debug events
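The SAN list from step 1 and the create-then-patch sequence from step 2, collected into one script as an added example (not code from the Application Interconnect documentation or the Skupper project): it derives the eight required names from the namespace, cluster name and domain, checks that the site certificate carries every one of them before any secret is created, and populates each secret with the CA the procedure pairs it with. It assumes kubectl and openssl on PATH and the ca/ and certificate/ directories laid out as above; the script name and argument order are this example's own.

```shell
#!/bin/sh
# Added example (not from the Application Interconnect docs). Assumes kubectl and
# openssl on PATH and the ca/ and certificate/ directories from the procedure above.
set -eu

# Print the eight DNS names the site certificate must carry, one per line.
required_names() {   # args: namespace clustername domain
  printf '%s\n' "skupper.$1" "skupper-router.$1" "skupper-router-local" \
    "skupper-router-local.$1.svc.cluster.local" "claims-$1.$2.$3" \
    "skupper-$1.$2.$3" "skupper-edge-$1.$2.$3" "skupper-inter-router-$1.$2.$3"
}

# Build the subjectAltName value for `openssl req -addext` from that list.
san_extension() {    # args: namespace clustername domain
  local out name
  out=''
  for name in $(required_names "$@"); do out="${out:+$out,}DNS:$name"; done
  printf '%s\n' "$out"
}

# Return 0 when every required name appears in the SAN text printed by
# `openssl x509 -noout -ext subjectAltName`; report each gap and return 1 otherwise.
check_sans() {       # args: san_text namespace clustername domain
  local san_text name missing
  san_text=$1; shift; missing=0
  for name in $(required_names "$@"); do
    if ! printf '%s\n' "$san_text" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF "DNS:$name"; then
      echo "missing SAN: $name" >&2; missing=1
    fi
  done
  return $missing
}

# Create a TLS secret from certificate/ and attach the named CA's tls.crt as ca.crt,
# the same create-then-patch sequence as step 2 of the procedure.
populate_secret() {  # args: secret_name ca_secret_name
  local ca_b64
  ca_b64=$(kubectl get secret "$2" -o=jsonpath='{.data.tls\.crt}')
  kubectl create secret tls "$1" --cert=certificate/tls.crt --key=certificate/tls.key
  kubectl patch secret "$1" -p "{\"data\":{\"ca.crt\":\"$ca_b64\"}}"
}
# Usage: sh populate-site-secrets.sh <namespace> <clustername> <domain>
if [ $# -eq 3 ]; then
  check_sans "$(openssl x509 -in certificate/tls.crt -noout -ext subjectAltName)" "$@"
  for s in skupper-claims-server skupper-site-server; do populate_secret "$s" skupper-site-ca; done
  for s in skupper-console-certs skupper-local-client skupper-local-server; do populate_secret "$s" skupper-local-ca; done
  populate_secret skupper-service-client skupper-service-ca
fi
```

Run the check alone first (sh -c '. ./populate-site-secrets.sh; check_sans "$(openssl x509 -in certificate/tls.crt -noout -ext subjectAltName)" <namespace> <clustername> <domain>') to see the missing names before anything is written to the cluster.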

Revised on 2022-10-19 18:01:27 UTC