Trust Custom Certificate Authority (CA)
This guide describes how you can specify one or more trusted certificate authorities (CA) that Rok or Rok Registry will use when making egress connections. This is required to allow Rok or Rok Registry to connect securely with services that use certificates that are signed by an unknown authority.
Overview
What You'll Need
Choose one of the following options, based on your deployment:

Rok:
- A certificate authority (CA) bundle.
- A configured management environment.
- An existing Rok deployment.

Rok Registry:
- A certificate authority (CA) bundle.
- A configured management environment.
- An existing Rok Registry deployment.
Procedure
1. Go to your GitOps repository, inside your rok-tools management environment:

```
root@rok-tools:~# cd ~/ops/deployments
```

2. Obtain the certificate authority (CA) bundle of your choice and copy it to your clipboard. For example, a CA bundle might look like this:

```
-----BEGIN CERTIFICATE-----
MIIDyjCCArKgAwIBAgIQKX7Wxtqubey4K/qRvAFCETANBgkqhkiG9w0BAQsFADBM
MRUwEwYDVQQKEwxjZXJ0LW1hbmFnZXIxMzAxBgNVBAMTKmE0OTI0ODE5MzU5MjM0
...
-----END CERTIFICATE-----
```

3. Configure the cacerts Kustomize component, which lets you specify the certificate authority (CA) bundle to trust. Choose one of the following options, based on your deployment:

Rok:
- Edit rok/rok-cluster/components/cacerts/cacerts and paste the contents of your certificate authority (CA) bundle. For example, the final result should look like this:

```
root@rok-tools:~/ops/deployments# cat rok/rok-cluster/components/cacerts/cacerts
-----BEGIN CERTIFICATE-----
MIIDyjCCArKgAwIBAgIQKX7Wxtqubey4K/qRvAFCETANBgkqhkiG9w0BAQsFADBM
MRUwEwYDVQQKEwxjZXJ0LW1hbmFnZXIxMzAxBgNVBAMTKmE0OTI0ODE5MzU5MjM0
...
-----END CERTIFICATE-----
```

- Enable the cacerts Kustomize component for your Rok cluster if it is not already enabled. Make sure that rok/rok-cluster/overlays/deploy/kustomization.yaml contains the following lines:

```
components:
- ../../components/cacerts
```

Rok Registry:
- Edit rok/rok-registry-cluster/components/cacerts/cacerts and paste the contents of your certificate authority (CA) bundle. For example, the final result should look like this:

```
root@rok-tools:~/ops/deployments# cat rok/rok-registry-cluster/components/cacerts/cacerts
-----BEGIN CERTIFICATE-----
MIIDyjCCArKgAwIBAgIQKX7Wxtqubey4K/qRvAFCETANBgkqhkiG9w0BAQsFADBM
MRUwEwYDVQQKEwxjZXJ0LW1hbmFnZXIxMzAxBgNVBAMTKmE0OTI0ODE5MzU5MjM0
...
-----END CERTIFICATE-----
```

- Enable the cacerts Kustomize component for your Rok Registry cluster if it is not already enabled. Make sure that rok/rok-registry-cluster/overlays/deploy/kustomization.yaml contains the following lines:

```
components:
- ../../components/cacerts
```

4. Commit your changes:

```
root@rok-tools:~/ops/deployments# git commit -am "Trust custom CA bundle"
```

5. Apply the kustomization. Choose one of the following options, based on your deployment:

Rok:

```
root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-cluster/overlays/deploy
```

Rok Registry:

```
root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-registry-cluster/overlays/deploy
```
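A pasted bundle that is truncated, or a component that was edited but never listed in the kustomization, only surfaces as a TLS failure after `rok-deploy --apply`. The following check is an added example, not part of the Rok documentation or tooling: it verifies that every PEM block in a cacerts file decodes to a complete DER SEQUENCE (the outer shape of an X.509 certificate) and that `../../components/cacerts` is listed under `components:` in the overlay's kustomization.yaml. The sample bundle and kustomization embedded below are constructed for illustration; the DER blob is a minimal SEQUENCE, not a real certificate.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_length_ok(der):
    # An X.509 Certificate is a DER SEQUENCE (tag 0x30); its encoded length must
    # cover exactly the decoded bytes, otherwise the paste was cut short.
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                   # short-form length
        length, header = der[1], 2
    else:                               # long form: 0x80|N, then N length bytes
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)

def parse_bundle(text):
    # Return the DER blobs of a PEM bundle; raise ValueError on a damaged block.
    blobs = []
    for match in PEM_BLOCK.finditer(text):
        try:
            der = base64.b64decode("".join(match.group(1).split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate {len(blobs) + 1}: invalid base64 ({exc})")
        if not der_length_ok(der):
            raise ValueError(f"certificate {len(blobs) + 1}: truncated or not a DER SEQUENCE")
        blobs.append(der)
    if not blobs:
        raise ValueError("no CERTIFICATE blocks found")
    return blobs

def component_enabled(kustomization, component="../../components/cacerts"):
    # True if `component` is a list item under the top-level `components:` key.
    in_components = False
    for line in kustomization.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace() and stripped.endswith(":"):  # new top-level key
            in_components = stripped == "components:"
        elif in_components and stripped.startswith("- ") and stripped[2:].strip() == component:
            return True
    return False

# Constructed sample input (minimal DER SEQUENCE, not a real certificate) so the checks run offline.
SAMPLE_DER = b"\x30\x05\x02\x01\x01\x05\x00"
SAMPLE_BUNDLE = 2 * ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                     % base64.b64encode(SAMPLE_DER).decode())
SAMPLE_KUSTOMIZATION = "resources:\n- ../../base\ncomponents:\n- ../../components/cacerts\n"
```

In practice, call `parse_bundle` on the contents of rok/rok-cluster/components/cacerts/cacerts (or the Rok Registry equivalent) and `component_enabled` on the matching overlays/deploy/kustomization.yaml before committing.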
Verify
Assuming you have exposed your EKF deployment with a certificate signed by your custom CA, follow the steps below to verify that this CA is trusted.

1. Specify the endpoint of an HTTPS service that uses a certificate signed by your custom CA:

```
root@rok-tools:~/ops/deployments# export ENDPOINT=<ENDPOINT>
```

Replace <ENDPOINT> with the endpoint of your HTTPS service. For example:

```
root@rok-tools:~/ops/deployments# export ENDPOINT=https://arrikto-cluster.apps.example.com/registry/
```

2. Exec into the Pod and try to access your Dashboard. Choose one of the following options, based on your deployment:

Rok:

```
root@rok-tools:~/ops/deployments# kubectl exec -ti -n rok svc/rok -- \
>     curl --connect-timeout 5 ${ENDPOINT?} -I
HTTP/2 302
server: nginx/1.17.10
date: Tue, 17 Aug 2021 08:20:48 GMT
location: /dex/auth?client_id=authservice....
```

Rok Registry:

```
root@rok-tools:~/ops/deployments# kubectl exec -ti -n rok-registry svc/rok-registry -- \
>     curl --connect-timeout 5 ${ENDPOINT?} -I
HTTP/2 302
server: nginx/1.17.10
date: Tue, 17 Aug 2021 08:20:48 GMT
location: /dex/auth?client_id=authservice....
```

Troubleshooting
Connection timed out
Ensure that your Load Balancer allows traffic coming from inside your cluster. Edit loadBalancerSourceRanges of your ingress-nginx LoadBalancer service accordingly.
Summary
You have successfully specified one or more trusted certificate authorities (CA) that Rok or Rok Registry will use when making egress connections.
What's Next
Check out the rest of the maintenance operations that you can perform on your cluster.