Chapter 8. Creating sites using a custom certificate authority on OpenShift
By default, Application Interconnect creates certificates to establish links between sites using mutual TLS. These certificates are stored as secrets in the namespace when you create a site using skupper init. If you want to use your own certificates, you can populate the a set of secrets with the appropriate certificates before creating the site as described in this section. This set of secrets provides Application Interconnect with the configuration required to create a site.
The following certificates are required:
- skupper-claims-server
- Used for linking sites with claim type tokens.
- skupper-console-certs
- Used by the Skupper console.
- skupper-local-client and skupper-local-server
- Used by the Skupper router.
- skupper-site-server
- Used for all inter-router connections, and for headless services.
- skupper-service-client
- Used for services exposed over TLS.
Prerequisites
-
Access to an OpenShift cluster with sufficient permission to run
skupper init. - Access to create certificates using your certificate authority.
Procedure
Create one or more certificates for a site.
There are several alternative approaches to this step:
- Reissue an existing certificate with a set of Subject Alternative Names (SANs) for the site.
- Create a new certificate with a set of SANs for the site.
- Create a new certificate for each item relating to the site.
You require a certificate for each of the following secrets:
-
skupper.<namespace> -
skupper-router.<namespace> -
skupper-router-local -
skupper-router-local.<namespace>.svc.cluster.local -
claims-<namespace>.<clustername>.<domain> -
skupper-<namespace>.<clustername>.<domain> -
skupper-edge-<namespace>.<clustername>.<domain> -
skupper-inter-router-<namespace>.<clustername>.<domain>
where:
-
<namespace>is the name of the namespace where you want to create a site. -
<clustername>is the name of the cluster. -
<domain>is the domain name for the cluster.
Using a specific certificate authority technology is beyond the scope of this guide. However, the following commands show how to create a certificate authority on Linux and create a single certificate that you can use to populate the secrets.
Create a
cadirectory and create a certificate authority certificate:$ mkdir ca $ cd ca $ ssh-keygen -t rsa -m PEM -f tls.key -q -N "" $ openssl req -x509 -nodes -days 365 -key tls.key -out tls.crt
Given the certificate authority created
tls.crtandtls.keyfiles, you can create a certificate for the site as follows:$ cd .. $ mkdir certificate $ cd certificate $ openssl req -nodes -newkey rsa:4096 -x509 -CA ../ca/tls.crt -CAkey ../ca/tls.key -out tls.crt -keyout tls.key -addext "subjectAltName = DNS:skupper.<namespace>, DNS:skupper-router.<namespace>, DNS:skupper-router-local, DNS:skupper-router-local.<namespace>.svc.cluster.local,DNS:claims-<namespace>.<clustername>.<domain>, DNS:skupper-<namespace>.<clustername>.<domain>, DNS:skupper-edge-<namespace>.<clustername>.<domain>, DNS:skupper-inter-router-<namespace>.<clustername>.<domain>"
You should now have a root certificate in the
cadirectory and another certificate in thecertificatedirectory that you can use with a site.Create secrets for the site
Change to the parent directory of the
certificatedirectory:$ cd ..
Populate the
carelated secrets using the certificate from thecadirectory:$ kubectl create secret tls skupper-site-ca --cert=ca/tls.crt --key=ca/tls.key $ kubectl create secret tls skupper-service-ca --cert=ca/tls.crt --key=ca/tls.key $ kubectl create secret tls skupper-local-ca --cert=ca/tls.crt --key=ca/tls.key
Populate the other secrets and modify them into the format required by
skupper:$ kubectl create secret tls skupper-claims-server --cert=certificate/tls.crt --key=certificate/tls.key $ kubectl patch secret skupper-claims-server -p="{\"data\":{\"ca.crt\": \"$($ kubectl get secret skupper-site-ca -o json -o=jsonpath="{.data.tls\.crt}")\"}}" $ kubectl create secret tls skupper-console-certs --cert=certificate/tls.crt --key=certificate/tls.key $ kubectl patch secret skupper-console-certs -p="{\"data\":{\"ca.crt\": \"$($ kubectl get secret skupper-local-ca -o json -o=jsonpath="{.data.tls\.crt}")\"}}" $ kubectl create secret tls skupper-local-client --cert=certificate/tls.crt --key=certificate/tls.key $ kubectl patch secret skupper-local-client -p="{\"data\":{\"ca.crt\": \"$($ kubectl get secret skupper-local-ca -o json -o=jsonpath="{.data.tls\.crt}")\"}}" $ kubectl create secret tls skupper-local-server --cert=certificate/tls.crt --key=certificate/tls.key $ kubectl patch secret skupper-local-server -p="{\"data\":{\"ca.crt\": \"$($ kubectl get secret skupper-local-ca -o json -o=jsonpath="{.data.tls\.crt}")\"}}" $ kubectl create secret tls skupper-site-server --cert=certificate/tls.crt --key=certificate/tls.key $ kubectl patch secret skupper-site-server -p="{\"data\":{\"ca.crt\": \"$($ kubectl get secret skupper-site-ca -o json -o=jsonpath="{.data.tls\.crt}")\"}}" $ kubectl create secret tls skupper-service-client --cert=certificate/tls.crt --key=certificate/tls.key $ kubectl patch secret skupper-service-client -p="{\"data\":{\"ca.crt\": \"$($ kubectl get secret skupper-service-ca -o json -o=jsonpath="{.data.tls\.crt}")\"}}"
Create the site using the following command:
$ skupper init
On OpenShift,
skupperdefaults to use therouteingress, which is the equivalent ofskupper init --ingress route.To verify your site, check the status:
$ skupper status
You can also verify the OpenShift routes are created using:
$ oc get routes
Finally, use the following command to check for errors relating to incorrect certificates:
$ skupper debug events
Revised on 2022-10-19 18:01:27 UTC