| 1 | +# Update SAML2 Certificate |
| 2 | + |
| 3 | +The OpenSSL certificate used by Laddr's Single Sign-On (SSO) integration with Slack needs to be refreshed occasionally when it nears or passes its expiration date |
| 4 | + |
| 5 | +## Generate a new certificate |
| 6 | + |
| 7 | +On any computer with the `openssl` command installed (readily available on macOS and Linux), you can generate the new key+certificate pair before installing it to your Slack and Laddr instances: |
| 8 | + |
| 9 | +1. Generate private key: |
| 10 | + |
| 11 | + ```bash |
| 12 | + openssl genrsa \ |
| 13 | + -out ./laddr-slack-private-key.pem \ |
| 14 | + 1024 |
| 15 | + ``` |
| 16 | + |
| 17 | +2. Generate public certificate: |
| 18 | + |
| 19 | + ```bash |
| 20 | + openssl req -new -x509 \ |
| 21 | + -days 1095 \ |
| 22 | + -key ./laddr-slack-private-key.pem \ |
| 23 | + -out ./laddr-slack-public-cert.pem |
| 24 | + ``` |
| 25 | + |
| 26 | + *Fill out the prompts with appropriate information about your organization. These values don't really matter for anything* |
| 27 | +
|
| 28 | +3. If your Laddr instance is hosted on Kubernetes, encode the two generated files into a `Secret` manifest (you only need the `kubectl` command installed on your local system for this, it does *not* need to be connected to any cluster): |
| 29 | +
|
| 30 | + ```bash |
| 31 | + kubectl create secret generic saml2 \ |
| 32 | + --output=yaml \ |
| 33 | + --dry-run \ |
| 34 | + --from-file=SAML2_PRIVATE_KEY=./laddr-slack-private-key.pem \ |
| 35 | + --from-file=SAML2_CERTIFICATE=./laddr-slack-public-cert.pem \ |
| 36 | + > ./saml2.secret.yaml |
| 37 | + ``` |
| 38 | +
|
| 39 | +4. If your cluster uses [sealed secrets](http://civic-cloud.phl.io/development/features/sealed-secrets/), seal the newly-created secret: |
| 40 | +
|
| 41 | + ```bash |
| 42 | + export SEALED_SECRETS_CERT=https://sealed-secrets.live.k8s.phl.io/v1/cert.pem |
| 43 | + kubeseal \ |
| 44 | + --namespace "my-project" \ |
| 45 | + -f ./saml2.secret.yaml \ |
| 46 | + -w ./saml2.sealed-secret.yaml |
| 47 | + ``` |
| 48 | +
|
| 49 | + *Be sure to replace `my-project` with the namespace your instance is deployed within* |
| 50 | +
|
| 51 | +5. Deploy the sealed secret to your cluster |
| 52 | +
|
| 53 | + *In Code for Philly's case, that means updating [`saml2.yaml`](https://github.com/CodeForPhilly/cfp-live-cluster/blob/main/code-for-philly.secrets/saml2.yaml) with the new content and then merging the generated deploy PR. After the deploy, you may need to delete the existing secret in order for the `sealed-secrets` operator to replace it with the updated secret* |
| 54 | + |
| 55 | +6. Finally, visit <https://my-org.slack.com/admin/auth/saml?sudo=1> and edit the **Public Certificate**, pasting the contents of `./laddr-slack-public-cert.pem`: |
| 56 | + |
| 57 | + ```bash |
| 58 | + cat ./laddr-slack-public-cert.pem |
| 59 | + # paste output to Slack admin webpage |
| 60 | + ``` |
| 61 | + |
| 62 | + *Slack will not let you save the new public certificate until it's been successfully applied to the host* |
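Review bot: the `openssl genrsa ... 1024` command in step 1 produces a 1024-bit RSA key, which is well below current minimum recommendations for a signing key and is unlikely to be accepted by stricter SAML peers; change the final argument to `2048` (or `4096`), since the certificate generated in step 2 and the `SAML2_PRIVATE_KEY` secret in step 3 will carry that weakness for the full 1095 days. Two smaller points: in step 3, `--dry-run` with no value is deprecated in recent `kubectl` releases and should read `--dry-run=client`; and because steps 1 and 3 leave the unencrypted private key in `./laddr-slack-private-key.pem` and `./saml2.secret.yaml` on the operator's machine, step 5 should tell the reader to securely delete both local files once the sealed secret is deployed. Also consider ending the intro sentence with a period.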