Trust Custom CA¶
This section describes how to configure Rok or Rok Registry to trust a custom CA. This is required to allow Rok or Rok Registry to connect securely with services that use certificates signed by an unknown authority.
Overview
What You’ll Need¶
Choose one of the following options, based on your deployment:
Rok:
- Your custom CA certificate.
- A configured management environment.
- An existing Rok deployment.
Rok Registry:
- Your custom CA certificate.
- A configured management environment.
- An existing Rok Registry deployment.
Procedure¶
1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments

2. Obtain the custom CA certificate and copy it to your clipboard.

3. Edit the Kustomize patch and set the corresponding config variable. Choose one of the following options, based on your deployment.

   Rok: Edit rok/rok-cluster/overlays/deploy/patches/configvars.yaml and set cluster.trusted_CA_certs to the contents of your CA certificate:

    configVars:
      ...
      cluster.trusted_CA_certs: |
        -----BEGIN CERTIFICATE-----
        MIIDyjCCArKgAwIBAgIQKX7Wxtqubey4K/qRvAFCETANBgkqhkiG9w0BAQsFADBM
        MRUwEwYDVQQKEwxjZXJ0LW1hbmFnZXIxMzAxBgNVBAMTKmE0OTI0ODE5MzU5MjM0
        ....
        -----END CERTIFICATE-----

   Rok Registry: Edit rok/rok-registry-cluster/overlays/deploy/patches/rokregistrycluster-configvars.yaml and set cluster.trusted_CA_certs to the contents of your CA certificate:

    configVars:
      ...
      cluster.trusted_CA_certs: |
        -----BEGIN CERTIFICATE-----
        MIIDyjCCArKgAwIBAgIQKX7Wxtqubey4K/qRvAFCETANBgkqhkiG9w0BAQsFADBM
        MRUwEwYDVQQKEwxjZXJ0LW1hbmFnZXIxMzAxBgNVBAMTKmE0OTI0ODE5MzU5MjM0
        ....
        -----END CERTIFICATE-----

4. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Trust Custom CA"

5. Apply the kustomization. Choose one of the following options, based on your deployment.

   Rok:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-cluster/overlays/deploy

   Rok Registry:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-registry-cluster/overlays/deploy
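The block scalar in the configvars patch is easy to get wrong when a certificate is pasted by hand: a dropped or duplicated line, or PEM lines indented less than the key. The following added example (not part of Rok or Arrikto's tooling) checks that every PEM block in a CA bundle decodes to one complete DER certificate and renders the cluster.trusted_CA_certs fragment with the indentation the patch expects, accepting a bundle of several CAs. The sample certificate is constructed for the demonstration and is not a real certificate; the rendered fragment is meant to be merged into the existing configVars patch, not to replace it.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)  # one match per PEM block

def _der_length(der: bytes) -> int:
    """Length the outer ASN.1 SEQUENCE header claims, or -1 if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return -1
    first = der[1]
    if first < 0x80:                 # short-form length
        return 2 + first
    n = first & 0x7F                 # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def validate_ca_bundle(pem_text: str) -> list:
    """Return the DER bytes of every certificate; raise ValueError on a
    missing block or one whose DER length disagrees with its size (the
    signature of a line lost or duplicated while pasting)."""
    ders = []
    for idx, body in enumerate(PEM_RE.findall(pem_text), start=1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:    # binascii.Error is a ValueError
            raise ValueError(f"certificate {idx}: bad base64 ({exc})") from exc
        if _der_length(der) != len(der):
            raise ValueError(f"certificate {idx}: truncated or not a certificate")
        ders.append(der)
    if not ders:
        raise ValueError("no CERTIFICATE block found")
    return ders

def render_configvars_patch(pem_text: str, indent: int = 2) -> str:
    """Emit the configVars fragment with the PEM as an indented block scalar."""
    validate_ca_bundle(pem_text)
    pad = " " * (indent * 2)
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    body = "\n".join(pad + ln for ln in lines)
    return f"configVars:\n{' ' * indent}cluster.trusted_CA_certs: |\n{body}\n"

def _fake_pem(payload: bytes) -> str:
    """Constructed input, not a real certificate: a DER SEQUENCE in PEM armour."""
    b64 = base64.b64encode(b"\x30" + bytes([len(payload)]) + payload).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"

SAMPLE_CA = _fake_pem(b"\x02\x01\x01" + b"\x00" * 58)  # 63-byte DER, no '=' padding
```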
Verify¶
Assuming you have exposed your deployment with a certificate signed by your custom CA, follow the steps below to verify that this CA is considered trusted.
1. Specify the endpoint of an HTTPS service that uses a certificate signed by your custom CA:

    root@rok-tools:~/ops/deployments# export ENDPOINT=<ENDPOINT>

   Replace <ENDPOINT> with the endpoint of your HTTPS service. For example:

    root@rok-tools:~/ops/deployments# export ENDPOINT=https://arrikto-cluster.apps.example.com/registry/

2. Exec into the Pod and try to access your Dashboard. Choose one of the following options, based on your deployment.

   Rok:

    root@rok-tools:~/ops/deployments# kubectl exec -ti -n rok svc/rok -- \
    >     curl --connect-timeout 5 ${ENDPOINT?} -I
    HTTP/2 302
    server: nginx/1.17.10
    date: Tue, 17 Aug 2021 08:20:48 GMT
    location: /dex/auth?client_id=authservice....

   Rok Registry:

    root@rok-tools:~/ops/deployments# kubectl exec -ti -n rok-registry svc/rok-registry -- \
    >     curl --connect-timeout 5 ${ENDPOINT?} -I
    HTTP/2 302
    server: nginx/1.17.10
    date: Tue, 17 Aug 2021 08:20:48 GMT
    location: /dex/auth?client_id=authservice....

Troubleshooting
Connection timed out
Ensure that your Load Balancer allows traffic coming from inside your cluster. Edit loadBalancerSourceRanges of your ingress-nginx LoadBalancer service accordingly.
What’s Next¶
Check out the rest of the maintenance operations that you can perform on your cluster.