OSSM-3352: Split ossm-security-cert-manage file into 3 ossm-cert-cleanup, ossm-cert-manage-add, ossm-cert-manage-verify to bring file into compliance with current doc practices. No review is needed as only architectural change. Content has been previously reviewed and approved.

gwynnemonahan · gwynnemonahan · commit 39ffb4d40083 · 2023-03-21T15:01:14.000-06:00
diff --git a/modules/ossm-cert-cleanup.adoc b/modules/ossm-cert-cleanup.adoc
@@ -0,0 +1,28 @@
+// Module included in the following assemblies:
+//
+// * service_mesh/v2x/ossm-security.adoc
+
+:_content-type: PROCEDURE
+[id="ossm-cert-cleanup_{context}"]
+== Removing the certificates
+
+To remove the certificates you added, follow these steps.
+
+. Remove the secret `cacerts`. In this example, `istio-system` is the name of the {SMProductShortName} control plane project.
++
+[source,terminal]
+----
+$ oc delete secret cacerts -n istio-system
+----
++
+. Redeploy {SMProductShortName} with a self-signed root certificate in the `ServiceMeshControlPlane` resource.
++
+[source,yaml]
+----
+apiVersion: maistra.io/v2
+kind: ServiceMeshControlPlane
+spec:
+  security:
+    dataPlane:
+      mtls: true
+----
diff --git a/modules/ossm-cert-manage-add-cert-key.adoc b/modules/ossm-cert-manage-add-cert-key.adoc
@@ -0,0 +1,75 @@
+// Module included in the following assemblies:
+//
+// * service_mesh/v2x/ossm-security.adoc
+
+:_content-type: PROCEDURE
+[id="ossm-cert-manage-add-cert-key_{context}"]
+== Adding an existing certificate and key
+
+To use an existing signing (CA) certificate and key, you must create a chain of trust file that includes the CA certificate, key, and root certificate. You must use the following exact file names for each of the corresponding certificates. The CA certificate is named `ca-cert.pem`, the key is `ca-key.pem`, and the root certificate, which signs `ca-cert.pem`, is named `root-cert.pem`. If your workload uses intermediate certificates, you must specify them in a `cert-chain.pem` file.
+
+. Save the example certificates from the link:https://github.com/maistra/istio/tree/maistra-{MaistraVersion}/samples/certs[Maistra repository] locally and replace `<path>` with the path to your certificates.
+
+. Create a secret named `cacert` that includes the input files `ca-cert.pem`, `ca-key.pem`, `root-cert.pem` and `cert-chain.pem`.
++
+[source,terminal]
+----
+$ oc create secret generic cacerts -n istio-system --from-file=<path>/ca-cert.pem \
+    --from-file=<path>/ca-key.pem --from-file=<path>/root-cert.pem \
+    --from-file=<path>/cert-chain.pem
+----
++
+. In the `ServiceMeshControlPlane` resource set `spec.security.dataPlane.mtls true` to `true` and configure the `certificateAuthority` field as shown in the following example. The default `rootCADir` is `/etc/cacerts`. You do not need to set the `privateKey` if the key and certs are mounted in the default location.  {SMProductShortName} reads the certificates and key from the secret-mount files.
++
+[source,yaml]
+----
+apiVersion: maistra.io/v2
+kind: ServiceMeshControlPlane
+spec:
+  security:
+    dataPlane:
+      mtls: true
+    certificateAuthority:
+      type: Istiod
+      istiod:
+        type: PrivateKey
+        privateKey:
+          rootCADir: /etc/cacerts
+----
+
+. After creating/changing/deleting the `cacert` secret, the {SMProductShortName} control plane `istiod` and `gateway` pods must be restarted so the changes go into effect. Use the following command to restart the pods:
++
+[source,terminal]
+----
+$ oc -n istio-system delete pods -l 'app in (istiod,istio-ingressgateway, istio-egressgateway)'
+----
++
+The Operator will automatically recreate the pods after they have been deleted.
+
+. Restart the bookinfo application pods so that the sidecar proxies pick up the secret changes. Use the following command to restart the pods:
++
+[source,terminal]
+----
+$ oc -n bookinfo delete pods --all
+----
++
+You should see output similar to the following:
++
+
+[source,terminal]
+----
+pod "details-v1-6cd699df8c-j54nh" deleted
+pod "productpage-v1-5ddcb4b84f-mtmf2" deleted
+pod "ratings-v1-bdbcc68bc-kmng4" deleted
+pod "reviews-v1-754ddd7b6f-lqhsv" deleted
+pod "reviews-v2-675679877f-q67r2" deleted
+pod "reviews-v3-79d7549c7-c2gjs" deleted
+----
+
+. Verify that the pods were created and are ready with the following command:
++
+
+[source,terminal]
+----
+$ oc get pods -n bookinfo
+----
diff --git a/modules/ossm-cert-manage-verify-cert.adoc b/modules/ossm-cert-manage-verify-cert.adoc
@@ -0,0 +1,76 @@
+// Module included in the following assemblies:
+//
+// * service_mesh/v2x/ossm-security.adoc
+
+:_content-type: PROCEDURE
+[id="ossm-cert-manage-verify-cert_{context}"]
+== Verifying your certificates
+
+Use the Bookinfo sample application to verify that the workload certificates are signed by the certificates that were plugged into the CA. This requires you have `openssl` installed on your machine
+
+. To extract certificates from bookinfo workloads use the following command:
++
+[source,terminal]
+----
+$ sleep 60
+$ oc -n bookinfo exec "$(oc -n bookinfo get pod -l app=productpage -o jsonpath={.items..metadata.name})" -c istio-proxy -- openssl s_client -showcerts -connect details:9080 > bookinfo-proxy-cert.txt
+$ sed -n '/-----BEGIN CERTIFICATE-----/{:start /-----END CERTIFICATE-----/!{N;b start};/.*/p}' bookinfo-proxy-cert.txt > certs.pem
+$ awk 'BEGIN {counter=0;} /BEGIN CERT/{counter++} { print > "proxy-cert-" counter ".pem"}' < certs.pem
+----
++
+After running the command, you should have three files in your working directory: `proxy-cert-1.pem`, `proxy-cert-2.pem` and `proxy-cert-3.pem`.
+
+. Verify that the root certificate is the same as the one specified by the administrator. Replace `<path>` with the path to your certificates.
++
+[source,terminal]
+----
+$ openssl x509 -in <path>/root-cert.pem -text -noout > /tmp/root-cert.crt.txt
+----
++
+Run the following syntax at the terminal window.
++
+[source,terminal]
+----
+$ openssl x509 -in ./proxy-cert-3.pem -text -noout > /tmp/pod-root-cert.crt.txt
+----
++
+Compare the certificates by running the following syntax at the terminal window.
++
+[source,terminal]
+----
+$ diff -s /tmp/root-cert.crt.txt /tmp/pod-root-cert.crt.txt
+----
++
+You should see the following result:
+`Files /tmp/root-cert.crt.txt and /tmp/pod-root-cert.crt.txt are identical`
+
+
+. Verify that the CA certificate is the same as the one specified by the administrator. Replace `<path>` with the path to your certificates.
++
+[source,terminal]
+----
+$ openssl x509 -in <path>/ca-cert.pem -text -noout > /tmp/ca-cert.crt.txt
+----
+Run the following syntax at the terminal window.
++
+[source,terminal]
+----
+$ openssl x509 -in ./proxy-cert-2.pem -text -noout > /tmp/pod-cert-chain-ca.crt.txt
+----
+Compare the certificates by running the following syntax at the terminal window.
++
+[source,terminal]
+----
+$ diff -s /tmp/ca-cert.crt.txt /tmp/pod-cert-chain-ca.crt.txt
+----
+You should see the following result:
+`Files /tmp/ca-cert.crt.txt and /tmp/pod-cert-chain-ca.crt.txt are identical.`
+
+. Verify the certificate chain from the root certificate to the workload certificate. Replace `<path>` with the path to your certificates.
++
+[source,terminal]
+----
+$ openssl verify -CAfile <(cat <path>/ca-cert.pem <path>/root-cert.pem) ./proxy-cert-1.pem
+----
+You should see the following result:
+`./proxy-cert-1.pem: OK`
diff --git a/modules/ossm-security-cert-manage.adoc b/modules/ossm-security-cert-manage.adoc
@@ -2,6 +2,7 @@
 //
 // * service_mesh/v2x/ossm-security.adoc
 
+:_content-type: CONCEPT
 [id="ossm-cert-manage_{context}"]
 = Adding an external certificate authority key and certificate
 
@@ -13,170 +14,3 @@ By default, {SMProductName} generates a self-signed root certificate and key and
 * This example uses the certificates from the link:https://github.com/maistra/istio/tree/maistra-{MaistraVersion}/samples/certs[Maistra repository]. For production, use your own certificates from your certificate authority.
 * Deploy the Bookinfo sample application to verify the results with these instructions.
 * OpenSSL is required to verify certificates.
-
-[id="ossm-cert-manage-add-cert-key_{context}"]
-== Adding an existing certificate and key
-
-To use an existing signing (CA) certificate and key, you must create a chain of trust file that includes the CA certificate, key, and root certificate. You must use the following exact file names for each of the corresponding certificates. The CA certificate is named `ca-cert.pem`, the key is `ca-key.pem`, and the root certificate, which signs `ca-cert.pem`, is named `root-cert.pem`. If your workload uses intermediate certificates, you must specify them in a `cert-chain.pem` file.
-
-. Save the example certificates from the link:https://github.com/maistra/istio/tree/maistra-{MaistraVersion}/samples/certs[Maistra repository] locally and replace `<path>` with the path to your certificates.
-
-. Create a secret named `cacert` that includes the input files `ca-cert.pem`, `ca-key.pem`, `root-cert.pem` and `cert-chain.pem`.
-+
-[source,terminal]
-----
-$ oc create secret generic cacerts -n istio-system --from-file=<path>/ca-cert.pem \
-    --from-file=<path>/ca-key.pem --from-file=<path>/root-cert.pem \
-    --from-file=<path>/cert-chain.pem
-----
-+
-. In the `ServiceMeshControlPlane` resource set `spec.security.dataPlane.mtls true` to `true` and configure the `certificateAuthority` field as shown in the following example. The default `rootCADir` is `/etc/cacerts`. You do not need to set the `privateKey` if the key and certs are mounted in the default location.  {SMProductShortName} reads the certificates and key from the secret-mount files.
-+
-[source,yaml]
-----
-apiVersion: maistra.io/v2
-kind: ServiceMeshControlPlane
-spec:
-  security:
-    dataPlane:
-      mtls: true
-    certificateAuthority:
-      type: Istiod
-      istiod:
-        type: PrivateKey
-        privateKey:
-          rootCADir: /etc/cacerts
-----
-
-. After creating/changing/deleting the `cacert` secret, the {SMProductShortName} control plane `istiod` and `gateway` pods must be restarted so the changes go into effect. Use the following command to restart the pods:
-+
-[source,terminal]
-----
-$ oc -n istio-system delete pods -l 'app in (istiod,istio-ingressgateway, istio-egressgateway)'
-----
-+
-The Operator will automatically recreate the pods after they have been deleted.
-
-. Restart the bookinfo application pods so that the sidecar proxies pick up the secret changes. Use the following command to restart the pods:
-+
-[source,terminal]
-----
-$ oc -n bookinfo delete pods --all
-----
-+
-You should see output similar to the following:
-+
-
-[source,terminal]
-----
-pod "details-v1-6cd699df8c-j54nh" deleted
-pod "productpage-v1-5ddcb4b84f-mtmf2" deleted
-pod "ratings-v1-bdbcc68bc-kmng4" deleted
-pod "reviews-v1-754ddd7b6f-lqhsv" deleted
-pod "reviews-v2-675679877f-q67r2" deleted
-pod "reviews-v3-79d7549c7-c2gjs" deleted
-----
-
-. Verify that the pods were created and are ready with the following command:
-+
-
-[source,terminal]
-----
-$ oc get pods -n bookinfo
-----
-
-[id="ossm-cert-manage-verify-cert_{context}"]
-== Verifying your certificates
-
-Use the Bookinfo sample application to verify that the workload certificates are signed by the certificates that were plugged into the CA. This requires you have `openssl` installed on your machine
-
-. To extract certificates from bookinfo workloads use the following command:
-+
-[source,terminal]
-----
-$ sleep 60
-$ oc -n bookinfo exec "$(oc -n bookinfo get pod -l app=productpage -o jsonpath={.items..metadata.name})" -c istio-proxy -- openssl s_client -showcerts -connect details:9080 > bookinfo-proxy-cert.txt
-$ sed -n '/-----BEGIN CERTIFICATE-----/{:start /-----END CERTIFICATE-----/!{N;b start};/.*/p}' bookinfo-proxy-cert.txt > certs.pem
-$ awk 'BEGIN {counter=0;} /BEGIN CERT/{counter++} { print > "proxy-cert-" counter ".pem"}' < certs.pem
-----
-+
-After running the command, you should have three files in your working directory: `proxy-cert-1.pem`, `proxy-cert-2.pem` and `proxy-cert-3.pem`.
-
-. Verify that the root certificate is the same as the one specified by the administrator. Replace `<path>` with the path to your certificates.
-+
-[source,terminal]
-----
-$ openssl x509 -in <path>/root-cert.pem -text -noout > /tmp/root-cert.crt.txt
-----
-+
-Run the following syntax at the terminal window.
-+
-[source,terminal]
-----
-$ openssl x509 -in ./proxy-cert-3.pem -text -noout > /tmp/pod-root-cert.crt.txt
-----
-+
-Compare the certificates by running the following syntax at the terminal window.
-+
-[source,terminal]
-----
-$ diff -s /tmp/root-cert.crt.txt /tmp/pod-root-cert.crt.txt
-----
-+
-You should see the following result:
-`Files /tmp/root-cert.crt.txt and /tmp/pod-root-cert.crt.txt are identical`
-
-
-. Verify that the CA certificate is the same as the one specified by the administrator. Replace `<path>` with the path to your certificates.
-+
-[source,terminal]
-----
-$ openssl x509 -in <path>/ca-cert.pem -text -noout > /tmp/ca-cert.crt.txt
-----
-Run the following syntax at the terminal window.
-+
-[source,terminal]
-----
-$ openssl x509 -in ./proxy-cert-2.pem -text -noout > /tmp/pod-cert-chain-ca.crt.txt
-----
-Compare the certificates by running the following syntax at the terminal window.
-+
-[source,terminal]
-----
-$ diff -s /tmp/ca-cert.crt.txt /tmp/pod-cert-chain-ca.crt.txt
-----
-You should see the following result:
-`Files /tmp/ca-cert.crt.txt and /tmp/pod-cert-chain-ca.crt.txt are identical.`
-
-. Verify the certificate chain from the root certificate to the workload certificate. Replace `<path>` with the path to your certificates.
-+
-[source,terminal]
-----
-$ openssl verify -CAfile <(cat <path>/ca-cert.pem <path>/root-cert.pem) ./proxy-cert-1.pem
-----
-You should see the following result:
-`./proxy-cert-1.pem: OK`
-
-[id="ossm-cert-cleanup_{context}"]
-== Removing the certificates
-
-To remove the certificates you added, follow these steps.
-
-. Remove the secret `cacerts`. In this example, `istio-system` is the name of the {SMProductShortName} control plane project.
-+
-[source,terminal]
-----
-$ oc delete secret cacerts -n istio-system
-----
-+
-. Redeploy {SMProductShortName} with a self-signed root certificate in the `ServiceMeshControlPlane` resource.
-+
-[source,yaml]
-----
-apiVersion: maistra.io/v2
-kind: ServiceMeshControlPlane
-spec:
-  security:
-    dataPlane:
-      mtls: true
-----
diff --git a/service_mesh/v2x/ossm-security.adoc b/service_mesh/v2x/ossm-security.adoc
@@ -31,3 +31,9 @@ include::modules/ossm-security-auth-policy.adoc[leveloffset=+1]
 include::modules/ossm-security-cipher.adoc[leveloffset=+1]
 
 include::modules/ossm-security-cert-manage.adoc[leveloffset=+1]
+
+include::modules/ossm-cert-manage-add-cert-key.adoc[leveloffset=+1]
+
+include::modules/ossm-cert-manage-verify-cert.adoc[leveloffset=+1]
+
+include::modules/ossm-cert-cleanup.adoc[leveloffset=+1]
