Local certificate appendix

Adding "Locally create certificates" appendix Signed-off-by: Stone <ronald.stone@windriver.com> Change-Id: I4f5446a7015884a3d0eee6182dceaef71c64e97f
2021-03-19 16:28:55 -04:00
parent dcd3a8b8cc
commit 0a0a012ec5
3 changed files with 186 additions and 4 deletions
--- a/doc/source/security/kubernetes/creating-certificates-locally-using-cert-manager-on-the-controller.rst
+++ b/doc/source/security/kubernetes/creating-certificates-locally-using-cert-manager-on-the-controller.rst
@@ -0,0 +1,108 @@
 .. qtr1594910639395
 .. _creating-certificates-locally-using-cert-manager-on-the-controller:
 ================================================================
 Create Certificates Locally using cert-manager on the Controller
 ================================================================
 You can use :command:`cert-manager` to locally create certificates suitable for
 use in a lab environment.
 .. rubric:: |proc|
 #.  Create a Root |CA| Certificate and Key.
    #.  Create a self-signing issuer.
        .. code-block:: none
            $ echo "
            apiVersion: cert-manager.io/v1alpha2
            kind: Issuer
            metadata:
              name: my-selfsigning-issuer
            spec:
              selfSigned: {}
            " | kubectl apply -f -
    #.  Create a Root |CA| certificate and key.
        .. code-block:: none
            $ echo "
            apiVersion: cert-manager.io/v1alpha2
            kind: Certificate
            metadata:
              name: my-rootca-certificate
            spec:
              secretName: my-rootca-certificate
              commonName: "my-rootca"
              isCA: true
              issuerRef:
                name: my-selfsigning-issuer
                kind: Issuer
            " | kubectl apply -f -
    #.  Create a Root |CA| Issuer.
        .. code-block:: none
            $ echo "
            apiVersion: cert-manager.io/v1alpha2
            kind: Issuer
            metadata:
              name: my-rootca-issuer
            spec:
              ca:
                secretName: my-rootca-certificate
            " | kubectl apply -f -
    #.  Create files for the Root |CA| certificate and key.
        .. code-block:: none
            $ kubectl get secret my-rootca-certificate -o yaml | egrep "^  tls.crt:" | awk '{print $2}' | base64 --decode > my-rootca-cert.pem
            $ kubectl get secret my-rootca-certificate -o yaml | egrep "^  tls.key:" | awk '{print $2}' | base64 --decode > my-rootca-key.pem
 #.  Create and sign a Server certificate and key
    #.  Create the Server certificate and key.
        .. code-block:: none
            $ echo "
            apiVersion: cert-manager.io/v1alpha2
            kind: Certificate
            metadata:
              name: my-server-certificate
            spec:
              secretName: my-server-certificate
              duration: 2160h # 90d
              renewBefore: 360h # 15d
              organization:
              - WindRiver
              commonName: 1.1.1.1
              dnsNames:
              - myserver.wrs.com
              ipAddresses:
              - 1.1.1.1
              issuerRef:
                name: my-rootca-issuer
                kind: Issuer
            " | kubectl apply -f -
    #.  Create the |PEM| files for Server certificate and key.
        .. code-block:: none
            $ kubectl get secret my-server-certificate -o yaml | egrep "^  tls.crt:" | awk '{print $2}' | base64 --decode > my-server-cert.pem
            $ kubectl get secret my-server-certificate -o yaml | egrep "^  tls.key:" | awk '{print $2}' | base64 --decode > my-server-key.pem
    #.  Combine the server certificate and key in a single file.
        .. code-block:: none
            $ cat my-server-cert.pem my-server-key.pem > my-server.pem
--- a/doc/source/security/kubernetes/creating-certificates-locally-using-openssl.rst
+++ b/doc/source/security/kubernetes/creating-certificates-locally-using-openssl.rst
@@ -0,0 +1,64 @@
 .. rmn1594906401238
 .. _creating-certificates-locally-using-openssl:
 =========================================
 Create Certificates Locally using openssl
 =========================================
 You can use :command:`openssl` to locally create certificates suitable for use
 in a lab environment.
 .. rubric:: |proc|
 .. _creating-certificates-locally-using-openssl-steps-unordered-pln-qhc-jmb:
 #.  Create a Root |CA| Certificate and Key
    #.  Create the Root |CA| private key.
        .. code-block:: none
            $ openssl genrsa -out my-root-ca-key.pem 2048
    #.  Generate the Root |CA| x509 certificate.
        .. code-block:: none
            $ openssl req -x509 -new -nodes -key my-root-ca-key.pem -days 1024 -out my-root-ca-cert.pem -outform PEM
 #.  Create and sign a server certificate and key.
    #.  Create the server private key.
        .. code-block:: none
            $ openssl genrsa -out my-server-key.pem 2048
    #.  Create the Server certificate signing request \(csr\).
        Specify CN=<WRCP-OAM-Floating-IP> and do **not** specify a challenge
        password.
        .. code-block:: none
            $ openssl req -new -key my-server-key.pem -out my-server.csr
    #.  Create the |SANs| list.
        .. code-block:: none
            $ echo subjectAltName = IP:<WRCP-OAM-Floating-IP>,DNS:registry.local,DNS:registry.central > extfile.cnf
    #.  Use the my-root-ca to sign the server certificate.
        .. code-block:: none
            $ openssl x509 -req -in my-server.csr -CA my-root-ca-cert.pem -CAkey my-root-ca-key.pem -CAcreateserial -out my-server-cert.pem -days 365 -extfile extfile.cnf
    #.  Put the server certificate and key in a single file.
        .. code-block:: none
            $ cat my-server-cert.pem my-server-key.pem > my-server.pem
--- a/doc/source/security/kubernetes/index.rst
+++ b/doc/source/security/kubernetes/index.rst
@@ -310,11 +310,21 @@ Security Features
   security-hardening-firewall-options
   isolate-starlingx-internal-cloud-management-network
-********
+*********************************************************
-Appendix
+Appendix: Certificate management for admin REST endpoints
-********
+*********************************************************
 .. toctree::
   :maxdepth: 1
   certificate_management_for_admin_rest_api_endpoints
 ***************************************
 Appendix: Locally creating certifciates 
 ***************************************
 .. toctree::
   :maxdepth: 1
   creating-certificates-locally-using-cert-manager-on-the-controller
   creating-certificates-locally-using-openssl