Configuring Trusted TLS

Question 1

Where are the certs used?

Answer 1

1) wildcard cert in ingress controller operator (all .apps subdomains)
2) API certificate.
3) Edge route that uses a wildcard certificate.

Question 2

What are requirements for wildcard cert

Answer 2

1) PEM format
2) Extension subjectAltName with value: *.apps./OPENSHIFT-DOMAIN/

Question 3

Changing the certificate used by the ingress controller operator does affect certificates signed by the internal OpenShift certificate authority. True or False

Answer 3

False

Question 4

Steps to setup ingres controler cert

Answer 4

1) create a new ccm in the openshift-config namespace
2) Configure the cluster proxy to use the new cm
3) Create a new TLS secret in the openshift-ingress namespace
4) Modify the default ingress controller operator in the openshift-ingress-operator namespace so that defaultCertificate uses the newly created secret

Question 5

Create a cm to setup ingres controler wildcard domain

Answer 5

oc create configmap <CONFIGMAP-NAME> \
--from-file ca-bundle.crt=<PATH-TO-CERTIFICATE> \
-n openshift-config</PATH-TO-CERTIFICATE></CONFIGMAP-NAME>

Question 6

Configure cluster proxy to use a new cm to setup ingres controler wildcard domain

Answer 6

oc patch proxy/cluster –type=merge \
–patch=’{“spec”:{“trustedCA”:{“name”:”<CONFIGMAP-NAME>"}}}'</CONFIGMAP-NAME>

Question 7

Create TLS secret to setup ingres controler wildcard domain

Answer 7

oc create secret tls <SECRET-NAME> \
--cert <PATH-TO-CERTIFICATE> \
--key <PATH-TO-KEY> \
-n openshift-ingress</PATH-TO-KEY></PATH-TO-CERTIFICATE></SECRET-NAME>

Question 8

Modify the default ingress controller operator in the openshift-ingress-operator namespace so that defaultCertificate uses the newly created secret

Answer 8

oc patch ingresscontroller.operator/default \
-n openshift-ingress-operator –type=merge \
–patch=’{“spec”: {“defaultCertificate”: {“name”: “<SECRET-NAME>"}}}'</SECRET-NAME>

Question 9

Check the progress of setting up ingres controller wildcard domain

Answer 9

watch oc get pods -n openshift-ingress

Question 10

What is the impact of changing the OpenShift master API?

Answer 10

allows users to log in securely using the oc command

Question 11

Requirements to change the master API certificate

Answer 11

1) PEM format.
2) The certificate is issued through master API, such as api.ocp4.example.com.
3) subjectAltName extension contains the URL used to access the master API, such as DNS: api.ocp4.example.com.

Question 12

Steps to change the master API cert

Answer 12

1) Create TLS secret in the openshift-config namespace using the master API certificate and key
2) Modify the cluster API server to use the new secret

Question 13

Check that master api change is taking effect

Answer 13

1) oc get clusteroperator/kube-apiserver
2) oc get pods -l app=openshift-kube-apiserver \
-n openshift-kube-apiserver”

Question 14

Create TLS secret in the openshift-config namespace using the master API certificate and key

Answer 14

oc create secret tls <SECRET-NAME> \
--cert <PATH-TO-CERTIFICATE> \
--key <PATH-TO-KEY> \
-n openshift-config</PATH-TO-KEY></PATH-TO-CERTIFICATE></SECRET-NAME>

Question 15

Modify the cluster API server to use the new secret

Answer 15

oc patch apiserver cluster –type=merge \
-p ‘{“spec”: {“servingCerts”: {“namedCertificates”:’\
‘[{“names”: [“<API-SERVER-URL>"],'\
'"servingCertificate": {"name": "<SECRET-NAME>"}}]}}}'</SECRET-NAME></API-SERVER-URL>

Question 16

Configure your system can be to trust your enterprise CA

Answer 16

1) Copy your enterprise CA certificate to the /etc/pki/ca-trust/source/anchors
2) Run the update-ca-trust extract command

Question 17

Why include the enterprise CA cert in a trusted CA bundle

Answer 17

Useful when apps running in OpenShift must communicate with URLs signed by your enterprise CA

Question 18

By default, applications do trust the enterprise CA. True or False

Answer 18

False

Question 19

How do you check if your enterprise CA cert is already included in the CA bundle?

Answer 19

1) oc get proxy/cluster \
-o jsonpath=’{.spec.trustedCA.name}{“\n”}’

<CONFIGMAP-NAME>

2) oc extract configmap <CONFIGMAP-NAME> \
-n openshift-config --confirm
</CONFIGMAP-NAME></CONFIGMAP-NAME>

Question 20

You realize cm does not contain the enterprise CA certificate. what do you do?

Answer 20

1) Combine the wildcard cert and the enterprise CA cert in a new PEM file
2) Add comments, # Wildcard Cert above the wildcard cert and # Enterprise CA, above the enterprise CA cert
3) Replace the configuration map with the new cert

Question 21

How do you replace the CA cert cm

Answer 21

oc set data configmap <CONFIGMAP-NAME> \
--from-file ca-bundle.crt=<PATH-TO-NEW-CERTIFICATE> -n openshift-config</PATH-TO-NEW-CERTIFICATE></CONFIGMAP-NAME>

Question 22

How do you use the trusted CA bundle in a pod?

Answer 22

1) create an empty configuration map
2) label the cm with config.openshift.io/inject-trusted-cabundle=true label
3) Mount the cm into the pod:

oc set volume dc/<DC-NAME> -t configmap \
--name trusted-ca --add --read-only=true \
--mount-path /etc/pki/ca-trust/extracted/pem \
--configmap-name <CONFIGMAP-NAME></CONFIGMAP-NAME></DC-NAME>

4) edit the dc so the pod mounts the certificate bundle

Question 23

edit the dc so the pod mounts the certificate bundle

Answer 23

Question 24

verify that an app trusts certs signed by your enterprise CA

Answer 24

1) oc rsh hello-3-65qs7
2) ls /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
3) curl https://hello.apps.ocp4.example.com

Question 25

Display the cluster proxy resource definition

Answer 25

oc get proxy/cluster -o yaml

Question 26

Determine certs thst the cluster proxy trusts

Answer 26

oc get proxy/cluster -o yaml Check trustedCA

Question 27

ways to troubleshoot these certificates

Answer 27

1) review the resource via the web console 2) use the command-line interface, 3) use tools such as openssl

Question 28

Typical cert admn tasks

Answer 28

1) monitoring of custom certificate expiry dates 2) renewal of certs before production is affected.

Question 29

While adding a certificate for the API server, how do you monitor the status?

Answer 29

watch oc get clusteroperator/kube-apiserver

Question 30

While adding a certificate for the API server, you get an error when watching api-server cluster operator. what do you do?

Answer 30

oc logout command followed by the oc login

Question 31

procedure to determine expiry date of API Server Certificate

Answer 31

1) identify the name of the secret containing the certificate used by the API server: oc get apiserver/cluster -o yaml 2) Extract the secret oc extract secret/ -n openshift-config --confirm 3) use the openssl to inspect the certificate openssl x509 -in tls.crt -noout -dates

Question 32

procedure to renew API Server cert

Answer 32

1) follow your company procedures to request a new certificate 2) CSR for the cert renewal must contain the subjectAltName extension for the URL used to access the API server, such as DNS:api.ocp4.example.com 3) renew the certificate in place oc set data secret \ --from-file tls.crt= \ --from-file tls.key= \ -n openshift-config

Question 33

What are some of the routes that OpenShift ingress controller manages?

Answer 33

OAuth, the web console, and Prometheus

Question 34

renew the ingress controller certificate,

Answer 34

1) identify the name of the secret containing the cert used by the ingress controller. 2) Extract the secret 3) use openssl to verify the dates

Question 35

identify the name of the secret containing the cert used by the ingress controller.

Answer 35

oc get ingresscontroller/default -n openshift-ingress-operator \ -o jsonpath='{.spec.defaultCertificate.name}{"\n"}'

Question 36

Extract the secret for ingress controller

Answer 36

oc extract secret/ -n openshift-ingress --confirm

Question 37

inspect the certificate

Answer 37

openssl x509 -in tls.crt -noout -dates

Question 38

Certificate is not updating in the cluster, what do you need to check?

Answer 38

1) Use the openssl to check if new certificate is valid. 2) Verify that the notBefore date is in the past and the notAfter date is in the future. 3) compare the certificate serial numbers

Question 39

compare the certificate serial number

Answer 39

1) oc get secret -n openshift-config \ -o jsonpath='{.data.}' | base64 -di | openssl x509 -noout -serial* 2) openssl x509 -in -noout -serial

Question 40

The kube-apiserver pods do not redeploy after an in place certificate update. what to do?

Answer 40

oc get events --sort-by='.lastTimestamp' \ -n openshift-kube-apiserver

Question 41

Troubleshooting Ingress Controller Certificates

Answer 41

oc get pods -n openshift-ingress

Question 42

Extract validity dates for certs used by an API

Answer 42

curl -v -k \ https://console-openshift-console.apps.ocp4.example.com 2>&1 | \ grep -E 'date|expired'