Trust Custom CA

This section describes how to configure Rok or Rok Registry to trust a custom CA. This is required to allow Rok or Rok Registry to connect securely to services that use certificates signed by an authority that is not in the default trust store.

What You’ll Need

Choose one of the following options, based on your deployment:

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
    
  2. Obtain the custom CA certificate and copy it to your clipboard.

  3. Edit the Kustomize patch and set the corresponding config variable. Choose one of the following options, based on your deployment.

    For Rok, edit rok/rok-cluster/overlays/deploy/patches/configvars.yaml and set cluster.trusted_CA_certs to the contents of your CA certificate:

    configVars:
      ...
      cluster.trusted_CA_certs: |
        -----BEGIN CERTIFICATE-----
        MIIDyjCCArKgAwIBAgIQKX7Wxtqubey4K/qRvAFCETANBgkqhkiG9w0BAQsFADBM
        MRUwEwYDVQQKEwxjZXJ0LW1hbmFnZXIxMzAxBgNVBAMTKmE0OTI0ODE5MzU5MjM0
        ....
        -----END CERTIFICATE-----
    

    For Rok Registry, edit rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-configvars.yaml and set cluster.trusted_CA_certs to the contents of your CA certificate:

    configVars:
      ...
      cluster.trusted_CA_certs: |
        -----BEGIN CERTIFICATE-----
        MIIDyjCCArKgAwIBAgIQKX7Wxtqubey4K/qRvAFCETANBgkqhkiG9w0BAQsFADBM
        MRUwEwYDVQQKEwxjZXJ0LW1hbmFnZXIxMzAxBgNVBAMTKmE0OTI0ODE5MzU5MjM0
        ....
        -----END CERTIFICATE-----
    
  4. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Trust Custom CA"
    
  5. Apply the kustomization. Choose one of the following options, based on your deployment.

    For Rok:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-cluster/overlays/deploy

    For Rok Registry:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-registry-cluster/overlays/deploy

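A pre-commit check for step 3, as an added Python example that is not part of the Rok docs or of the rok-tools tooling: it parses the PEM text you are about to paste into cluster.trusted_CA_certs, refuses any block that is not a CERTIFICATE (a private key pasted by mistake would otherwise end up in cluster configuration), checks that each body decodes to DER, returns SHA-256 fingerprints so you can compare them with the issuer's published values before trusting the CA, and renders the configVars patch with the block scalar correctly indented. The sample certificate bytes are constructed filler, not a real certificate.

```python
import base64
import hashlib
import re
import textwrap

# One PEM block; the END label must match the BEGIN label, CRLF line endings are tolerated.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def parse_ca_bundle(pem_text: str) -> list:
    """DER bytes of each CERTIFICATE block; reject keys and malformed bodies."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no PEM blocks found")
    ders = []
    for label, body in blocks:
        if label != "CERTIFICATE":
            raise ValueError(f"refusing non-certificate PEM block ({label}); never paste keys into config")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error subclasses ValueError
            raise ValueError("certificate body is not valid base64") from exc
        if not der or der[0] != 0x30:  # an X.509 certificate is an ASN.1 SEQUENCE
            raise ValueError("certificate body is not DER")
        ders.append(der)
    return ders

def fingerprints(pem_text: str) -> list:
    """SHA-256 of each cert, to compare with the issuer's published fingerprint."""
    return [hashlib.sha256(der).hexdigest() for der in parse_ca_bundle(pem_text)]

def is_valid_bundle(pem_text: str) -> bool:
    try:
        parse_ca_bundle(pem_text)
        return True
    except ValueError:
        return False

def render_configvars(pem_text: str, indent: int = 4) -> str:
    """configVars patch with every PEM line indented under the '|' block scalar."""
    parse_ca_bundle(pem_text)  # validate before rendering
    pad = " " * indent
    body = "\n".join(pad + ln.strip() for ln in pem_text.strip().splitlines())
    return f"configVars:\n  cluster.trusted_CA_certs: |\n{body}\n"

# Constructed sample: fake DER (SEQUENCE header plus filler), not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x02]) + bytes(range(100))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
              + "\n-----END CERTIFICATE-----\n")
```

Run it against the real CA file, compare the returned fingerprints with the values the CA operator publishes, and only then paste the rendered snippet into the patch.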

Verify

Assuming you have exposed your deployment with a certificate signed by your custom CA, follow the steps below to verify that this CA is considered as trusted.

  1. Specify the endpoint of an HTTPS service that uses a certificate signed by your custom CA:

    root@rok-tools:~/ops/deployments# export ENDPOINT=<ENDPOINT>
    

    Replace <ENDPOINT> with the endpoint of your HTTPS service. For example:

    root@rok-tools:~/ops/deployments# export ENDPOINT=https://arrikto-cluster.apps.example.com/registry/
    
  2. Exec into the Pod and try to access your Dashboard. Choose one of the following options, based on your deployment.

    For Rok:

    root@rok-tools:~/ops/deployments# kubectl exec -ti -n rok svc/rok -- \
    >     curl --connect-timeout 5 ${ENDPOINT?} -I
    HTTP/2 302
    server: nginx/1.17.10
    date: Tue, 17 Aug 2021 08:20:48 GMT
    location: /dex/auth?client_id=authservice....

    For Rok Registry:

    root@rok-tools:~/ops/deployments# kubectl exec -ti -n rok-registry svc/rok-registry -- \
    >     curl --connect-timeout 5 ${ENDPOINT?} -I
    HTTP/2 302
    server: nginx/1.17.10
    date: Tue, 17 Aug 2021 08:20:48 GMT
    location: /dex/auth?client_id=authservice....

    Troubleshooting: connection timed out

    Ensure that your Load Balancer allows traffic coming from inside your cluster. Edit loadBalancerSourceRanges of your ingress-nginx LoadBalancer service accordingly.

Summary

You have successfully trusted your custom CA in your Rok and Rok Registry deployment.

What’s Next

Check out the rest of the maintenance operations that you can perform on your cluster.