(CA) SSL certificates and overrides¶
Connectivity between the components inside the Kubernetes cluster, and from the browser to the Global Controller, must be encrypted with TLS, and the certificates involved must be valid and trusted by the peer that verifies them.
In scenarios where the client uses self-signed certificates or a private CA, the certificates must still be valid (correct hostname, not expired) and their issuer must be trusted by every component that verifies them.
The client should therefore provide the CA certificate, so that each component can be (re)configured to trust the issuer of the server certificates.
There are several places that may need to be updated, listed below, so that components validate server certificates against that CA instead of rejecting them (or being configured to skip validation altogether).
MetalSoft strongly recommends that certificate validity and expiry are monitored from an external source, so that an expiring or replaced certificate is noticed before components stop trusting each other.
SSL for the FQDN through which Global Controller (GC) is accessed via browser¶
When the certificate presented for the FQDN used in the browser is not issued by a public, trusted authority, the CA certificate needs to be imported into the browser or operating-system trust store of every workstation that accesses that hostname.
This is done by the workstations' local administrators within the organization.
Once the CA is installed and marked as trusted, any certificate issued by that CA will be accepted, provided it is otherwise valid (matching hostname, not expired, not revoked).
SSL between Global Controller (GC) and Site Controller (SC)¶
Both GC and SC need a copy of the CA certificate in their OS trust store. The file must be in PEM format; on Ubuntu/Debian it must also end in .crt, otherwise update-ca-certificates ignores it:
#Ubuntu/debian:
cp ca.crt /usr/local/share/ca-certificates/
cp ca.crt /etc/ssl/certs/
update-ca-certificates        # rebuilds /etc/ssl/certs/ca-certificates.crt from /usr/local/share/ca-certificates/
#RHEL:
cp ca.crt /etc/ssl/certs/
cp ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract       # rebuilds the system bundles from /etc/pki/ca-trust/source/anchors/
The SC containers then need to be restarted so that the updated OS-level CA bundle is mounted into them again; until they restart they keep using the old bundle.
SSL between Site Controller (SC) and Servers microservice or Image-builder microservice¶
The image-builder microservice manifest manifests/image-builder-deployment.yaml
needs to be updated to mount the CA certificate into the container
(the same applies to the auth microservice manifest manifests/auth-deployment.yaml).
Add the following entry under the container's volumeMounts; the volume named ca-pemstore must also be declared under the pod's volumes, backed by the ConfigMap of the same name shown further below:
  - name: ca-pemstore
    mountPath: /etc/pki/ca-trust/source/anchors/metalsoft_CA.crt
    subPath: metalsoft_CA.crt
Alternatively, the application can be instructed not to reject an untrusted certificate:
  env:
    - name: NODE_TLS_REJECT_UNAUTHORIZED
      value: "0"
This switches off certificate verification for every TLS connection the process makes, not only the one to the SC, so anyone able to intercept that traffic can impersonate the peer. Treat it as a temporary workaround and prefer mounting the CA. (The variable is specific to Node.js; a Node.js process can instead be pointed at the CA file with NODE_EXTRA_CA_CERTS, which adds trust without disabling verification.)
For the mount to work, the ConfigMap in manifests/configmaps.yaml
needs to be applied; it carries the CA certificate in PEM format. Every line of the PEM block, including the BEGIN and END lines, must stay indented under the | block scalar:
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ca-pemstore
  namespace: demo-metalsoft
data:
  metalsoft_CA.crt: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
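The two YAML fragments above are the two halves of one change: the ConfigMap that carries the PEM, and the volume plus volumeMount that deliver it into the container. The script below is an added example, not MetalSoft's own tooling, that generates both from a CA file so the indentation and the volume/ConfigMap names cannot drift apart. The Deployment name image-builder, the container name passed to make_ca_mount_patch, and the namespace are assumptions; check them against the real manifest.

```shell
#!/bin/sh
# Added example (not MetalSoft's tooling): build the ca-pemstore ConfigMap from a CA file
# and a matching Deployment patch, so the CA mount has both the volume and the volumeMount.
set -eu

# Emit a ConfigMap holding the PEM CA under the key the volumeMount's subPath expects.
# $1 = path to PEM CA file, $2 = namespace, $3 = ConfigMap name (default ca-pemstore)
make_ca_configmap() {
    ca="$1"; ns="$2"; name="${3:-ca-pemstore}"
    # The value must be PEM: a DER file would be mounted but never parsed as a certificate.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" || { echo "$ca is not a PEM certificate" >&2; return 1; }
    printf '%s\n' '---' 'apiVersion: v1' 'kind: ConfigMap' 'metadata:' \
        "  name: $name" "  namespace: $ns" 'data:' '  metalsoft_CA.crt: |'
    # Every PEM line, BEGIN/END included, must be indented under the block scalar.
    sed 's/^/    /' "$ca"
}

# Emit a strategic-merge patch that adds the volume and the volumeMount to one container.
# $1 = container name inside the Deployment (assumed; confirm with kubectl get deploy -o yaml)
# $2 = ConfigMap name (default ca-pemstore)
make_ca_mount_patch() {
    ctr="$1"; name="${2:-ca-pemstore}"
    cat <<EOF
spec:
  template:
    spec:
      volumes:
      - name: $name
        configMap:
          name: $name
      containers:
      - name: $ctr
        volumeMounts:
        - name: $name
          mountPath: /etc/pki/ca-trust/source/anchors/metalsoft_CA.crt
          subPath: metalsoft_CA.crt
EOF
}

# Usage (needs cluster access; Deployment, container and namespace names are assumptions):
#   make_ca_configmap ca.crt demo-metalsoft | kubectl apply -f -
#   make_ca_mount_patch image-builder > ca-mount.patch.yaml
#   kubectl -n demo-metalsoft patch deployment image-builder --patch-file ca-mount.patch.yaml
#   kubectl -n demo-metalsoft exec deploy/image-builder -- \
#       openssl x509 -in /etc/pki/ca-trust/source/anchors/metalsoft_CA.crt -noout -subject -enddate
```

The final exec call confirms the file the container sees really is the CA you intended (subject and expiry). Note that a subPath mount is a copy taken at pod start and is not refreshed when the ConfigMap changes, so after rotating the CA the pods must be restarted, exactly as for the host-level bundle.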
SSL between Site Controller (SC) and repository microservice¶
If the SC uses a local repository with a self-signed or custom certificate, the SC needs to trust the connection to that repository,
so the SC's OS-level trust store must contain the CA certificate that issued the repository's certificate (PEM format; on Ubuntu/Debian the file must end in .crt):
#Ubuntu/debian:
cp ca.crt /usr/local/share/ca-certificates/
cp ca.crt /etc/ssl/certs/
update-ca-certificates        # rebuilds /etc/ssl/certs/ca-certificates.crt from /usr/local/share/ca-certificates/
#RHEL:
cp ca.crt /etc/ssl/certs/
cp ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract       # rebuilds the system bundles from /etc/pki/ca-trust/source/anchors/
The SC containers then need to be restarted so that the updated OS-level CA bundle is mounted into them again.
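The host-level procedure is the same in the GC/SC section and in the repository section above: pick the distribution's anchor directory, drop in a PEM file, rebuild the bundle, then prove the host trusts what the CA issued before restarting containers. The script below is an added example, not MetalSoft's own tooling, that does exactly that for both cases. It assumes a Debian/Ubuntu or RHEL-family host, a PEM CA file, and that the installed file is named metalsoft_CA.crt (the name used elsewhere on this page); the os-release argument exists only so the directory selection can be exercised without root.

```shell
#!/bin/sh
# Added example (not MetalSoft's tooling): install a CA certificate into the OS trust store
# of a GC or SC host, then check that certificates issued by that CA are now trusted.
set -eu

# Print the directory the distribution's CA tooling rebuilds its bundle from.
# $1 = os-release file (default /etc/os-release), so this can be tested without root.
trust_anchor_dir() {
    ids=$(grep -E '^(ID|ID_LIKE)=' "${1:-/etc/os-release}" | cut -d= -f2- | tr -d '"' | tr '\n' ' ')
    case " $ids " in
        *' debian '*|*' ubuntu '*)
            echo /usr/local/share/ca-certificates ;;
        *' rhel '*|*' centos '*|*' fedora '*|*' rocky '*|*' almalinux '*)
            echo /etc/pki/ca-trust/source/anchors ;;
        *)
            echo "unsupported distribution: ${ids:-unknown}" >&2; return 1 ;;
    esac
}

# Only a PEM file is usable: update-ca-certificates and update-ca-trust both expect PEM,
# and a DER file copied into the anchor directory is silently ignored.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Copy the CA into the anchor directory under a .crt name (Debian's tool ignores other
# extensions) and rebuild the system bundle. Needs root.
install_ca() {
    ca="$1"
    is_pem_cert "$ca" || { echo "$ca is not a PEM certificate" >&2; return 1; }
    dir=$(trust_anchor_dir)
    install -m 0644 "$ca" "$dir/metalsoft_CA.crt"
    case "$dir" in
        /usr/local/share/ca-certificates) update-ca-certificates ;;   # Debian/Ubuntu
        *)                                update-ca-trust extract ;;  # RHEL family
    esac
}

# Offline check: does a server certificate ($2) chain to the CA ($1)? Exit 0 if yes.
issued_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Live check against the bundle the SC containers will mount after a restart: connect to
# host $1 (port $2, default 443) using the system trust store and print the verify line;
# "Verify return code: 0 (ok)" means the CA install worked.
check_remote_trust() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | grep 'Verify return code'
}

# Usage (hostnames are placeholders):
#   install_ca ca.crt
#   issued_by_ca ca.crt gc-server.crt && echo "leaf chains to the CA"
#   check_remote_trust gc.example.internal
#   check_remote_trust repo.example.internal
```

Run check_remote_trust for the GC FQDN and for the local repository before restarting the SC containers; a non-zero verify code at this point means the bundle was not rebuilt (wrong directory or file extension) or the endpoint presents a certificate from a different issuer, and restarting containers will not fix either.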