ocpbugs-8882: configure an addditionl clientca for the openshiftapi server

nalhadef · nalhadef · commit bfc12cb40a01 · 2023-11-13T14:55:35.000-05:00
diff --git a/modules/configure-an-additional-clientCA.adoc b/modules/configure-an-additional-clientCA.adoc
@@ -0,0 +1,35 @@
+// Module included in the following assemblies:
+//
+// * security/certificates/api-server.adoc
+
+:_content-type: PROCEDURE
+[id="configure-an-additional-clientCA-for-the-OpenShift-API-server_{context}"]
+
+= Configure an additional clientCA for the OpenShift API server
+
+Optionally, you may choose to invalidate the installer-generated kubeconfig. You would do this when:
+
+* You don't trust who installed the cluster
+* The kubeconfig is leaked
+* Other security-related needs exist, such as periodic rotation of the kubeconfig
+
+To replace the installer-generated kubeconfig, remove the installer-generated clientCA from the API server
+
+. Import an additional CA certificate in a configmap of the openshift-config namespace. The CA file must be in PEM format.
++
+[source,terminal]
+----
+oc create configmap client-ca-custom -n openshift-config --from-file=ca-bundle.crt=ca.crt
+----
++
+. Patch the APIServer instance.
++
+[source, terminal]
+----
+oc patch apiserver cluster --type=merge -p '{"spec": {"clientCA": {"name": "client-ca-custom"}}}'
+----
+
+. Test the new clientCA certificate with a certificate signed from the new clientCA.
+. If the test is successful, you can remove the installer-generated clientCA.
+
+
diff --git a/modules/customize-certificates-api-add-named.adoc b/modules/customize-certificates-api-add-named.adoc
@@ -22,13 +22,6 @@ certificate for the API server FQDN must be the first certificate in the file.
 It can then be followed with any intermediate certificates, and the file should
 end with the root CA certificate.
 
-[WARNING]
-====
-Do not provide a named certificate for the internal load balancer (host
-name `api-int.<cluster_name>.<base_domain>`). Doing so will leave your
-cluster in a degraded state.
-====
-
 .Procedure
 
 . Login to the new API as the `kubeadmin` user.
diff --git a/modules/replace-the-certificate-authority-clientca.adoc b/modules/replace-the-certificate-authority-clientca.adoc
@@ -0,0 +1,78 @@
+// Module included in the following assemblies:
+//
+// * security/certificates/api-server.adoc
+
+:_content-type: PROCEDURE
+[id="replace-the-certificate-authority_{context}"]
+
+= Replace the installer-generated kubeconfig before replacing it with a newly generated CA certificate
+
+The installer-generated kubeconfig cannot be removed, but it can be invalidated and replaced with a newly generated CA certificate.
+
+You may choose to invalidate the installer-generated kubeconfig, stored in the `admin-kubeconfig-client-ca` configmap under the `openshift-config` namespace, when:
+
+* You don't trust who installed the cluster
+* The kubeconfig is leaked
+* Other security-related needs exist, such as periodic rotation of the kubeconfig
+
+[IMPORTANT]
+====
+To avoid being locked out of the cluster, have an alternative way to login, such as, using an OAuth-authenticated administrator user or using a client certificate signed by an additional client CA.
+====
+
+.Procedure
+
+. Optional: Generate a new self-signed CA, unless an existing corporate or other CA is to be used.
++
+[source,terminal]
+----
+$ export NAME="custom"
+$ export CA_SUBJ="/OU=openshift/CN=admin-kubeconfig-signer-custom"
+
+# set the CA validity to 10 years
+$ export VALIDITY=3650
+
+# generate the CA private key
+$ openssl genrsa -out ${NAME}-ca.key 4096
+
+# Create the CA certificate
+$ openssl req -x509 -new -nodes -key ${NAME}-ca.key -sha256 -days $VALIDITY -out ${NAME}-ca.crt -subj "${CA_SUBJ}"
+----
++
+. Generate a new `system:admin` certificate. The client certificate must have the user into the x.509 subject CN field and the group into the O field.
++
+[source,terminal]
+----
+$ export USER=system:admin
+$ export GROUP=system:masters
+$ export USER_SUBJ="/O=${GROUP}/CN=${USER}"
+
+# create the user CSR
+$ openssl req -nodes -newkey rsa:2048 -keyout ${USER}.key -subj "${USER_SUBJ}" -out ${USER}.csr
+
+# sign the user CSR and generate the certificate, the certificate must have the `clientAuth` extension
+$ openssl x509 -extfile <(printf "extendedKeyUsage = clientAuth") -req -in ${USER}.csr \
+       -CA ${NAME}-ca.crt -CAkey ${NAME}-ca.key -CAcreateserial -out 
+${USER}.crt -days $VALIDITY -sha256
+----    
++
+. Add the new certificate as an additional clientCA.
++
+[source,terminal]
+----
+# create the client-ca ConfigMap"
+$ oc create configmap client-ca-custom -n openshift-config --from-file=ca-bundle.crt=${NAME}-ca.crt
+
+# patch the APIServer
+$ oc patch apiserver cluster --type=merge -p '{"spec": {"clientCA": {"name": "client-ca-custom"}}}'
+----
++
+. Import an additional CA certificate in a configmap of the openshift-config namespace. The CA file must be in PEM format.
++
+[source,terminal]
+----
+$ oc create configmap admin-kubeconfig-client-ca -n openshift-config 
+--from-file=ca-bundle.crt=new-ca.crt \
+  --dry-run -o yaml | oc replace -f -
+----
+
diff --git a/security/certificates/api-server.adoc b/security/certificates/api-server.adoc
@@ -12,3 +12,10 @@ API server's certificate by default. This certificate can be replaced
 by one that is issued by a CA that clients trust.
 
 include::modules/customize-certificates-api-add-named.adoc[leveloffset=+1]
+
+include::modules/configure-an-additional-clientCA.adoc[leveloffset=+1]
+
+include::modules/replace-the-certificate-authority-clientca.adoc[leveloffset=+1]
+
+
+
