Add MKE 4 docs for changing TLS certificates #108

Open
KoryKessel-Mirantis opened this issue Oct 1, 2024 · 0 comments
Labels: Docs-B Should Do

Comments

@KoryKessel-Mirantis (Collaborator)

We have recently added a feature to MKE 4 that allows users to set their own TLS certificates for UI by changing the certificates of the ingress controller.

The UI part is almost identical to what we had in MKE 3 - https://docs.mirantis.com/mke/3.7/ops/administer-cluster/use-your-own-tls-certificates.html

The only difference is that we removed the Client CA field. Screenshots of the UI can be found here - https://github.com/MirantisContainers/mke-dashboard/pull/255

In addition to the UI, in MKE 4, it is also possible to set TLS certs using CLI and mkectl. This is a new feature compared to MKE 4 where the only way to set certs was via UI.

The steps for setting the certs with mkectl are described in the description of this PR but I’ll put the essential part below:

1. Create a new TLS cert and key signed by a trusted CA. It must include the external address as well as the IP addresses of all manager nodes in the list of allowed hosts. Assuming the MKE 4 config file is named mke4.yaml, you can get the list of all required hosts by running this command:

   ```sh
   # external address, followed by the SSH address of every controller+worker host
   # (the host selection is parenthesized so the select() only applies to the hosts list)
   HOSTS=$(yq '[.spec.apiServer.externalAddress, (.spec.hosts.[] | select(.role == "controller+worker") | .ssh.address)] | join(" ")' mke4.yaml)
   echo $HOSTS
   ```

2. Encode cert material

   ```sh
   # -b0 disables line wrapping (macOS base64); the Secret data must be single-line base64
   CA_CERT=$(cat ca.pem | base64 -b0)
   SERVER_CERT=$(cat cert.pem | base64 -b0)
   SERVER_KEY=$(cat key.pem | base64 -b0)
   ```

   If you're on Linux, use base64 -w0 instead

3. Create a secret with the new cert material.

   ```sh
   cat <<EOF | envsubst '$CA_CERT $SERVER_CERT $SERVER_KEY' | kubectl apply -f -
   apiVersion: v1
   kind: Secret
   metadata:
     name: user-provided-ingress-cert  # name can be anything
     namespace: mke  # namespace MUST be mke
   data:
     ca.crt: $CA_CERT
     tls.crt: $SERVER_CERT
     tls.key: $SERVER_KEY
   EOF
   ```

4. In the config, set the defaultSslCertificate of the ingress controller to the secret name you just created.

   ```sh
   yq -i '.spec.ingressController.extraArgs.defaultSslCertificate = "mke/user-provided-ingress-cert"' mke4.yaml
   ```

   The ingress controller section in the config file should have the following now

   ```yaml
   spec:
     ingressController:
       extraArgs:
         defaultSslCertificate: mke/user-provided-ingress-cert
   ```

5. Apply the config

   ```sh
   mkectl apply
   ```
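As an added example (not code from this issue, the linked PR, or MKE's own tooling), the Python below mirrors the step 1 host query over a constructed stand-in for mke4.yaml and builds the step 2/3 Secret data, enforcing the two pitfalls the steps call out: the base64 must not be line-wrapped and the namespace must be mke. All hosts, names and PEM blobs are constructed placeholders, and the config is a dict rather than a parsed YAML file so it runs with the standard library only.

```python
"""Added example, not MKE's own code: mirror the required-hosts query from
step 1 and build/sanity-check the ingress TLS Secret from steps 2 and 3.
All names and values below are constructed; mke4.yaml is stood in for by a dict."""
import base64
import re

# Constructed stand-in for the parsed mke4.yaml (addresses are made up).
MKE4_CONFIG = {
    "spec": {
        "apiServer": {"externalAddress": "mke.example.test"},
        "hosts": [
            {"role": "controller+worker", "ssh": {"address": "10.0.0.11"}},
            {"role": "controller+worker", "ssh": {"address": "10.0.0.12"}},
            {"role": "worker", "ssh": {"address": "10.0.0.21"}},
        ],
    }
}

# Placeholder PEM blobs (not real certificates or keys); only the markers matter here.
CA_PEM = "-----BEGIN CERTIFICATE-----\nQ0EgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
CERT_PEM = "-----BEGIN CERTIFICATE-----\nQ0VSVCBQTEFDRUhPTERFUg==\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nS0VZIFBMQUNFSE9MREVS\n-----END PRIVATE KEY-----\n"

BASE64_SINGLE_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def required_hosts(config):
    """Same selection as the yq query in step 1: the API server's external
    address followed by the SSH address of every controller+worker host.
    The certificate's allowed-hosts (SAN) list has to cover every entry."""
    spec = config["spec"]
    managers = [h["ssh"]["address"] for h in spec["hosts"]
                if h.get("role") == "controller+worker"]
    return [spec["apiServer"]["externalAddress"]] + managers


def b64_single_line(data: bytes) -> str:
    """What `base64 -w0` (Linux) / `base64 -b0` (macOS) produce: no wrapping."""
    return base64.b64encode(data).decode("ascii")


def is_single_line_base64(value: str) -> bool:
    """Reject wrapped base64 (plain `base64` inserts a newline every 76 chars),
    which would break the scalar values in the Secret's data section."""
    return BASE64_SINGLE_LINE.fullmatch(value) is not None


def encode_material(ca_pem: str, cert_pem: str, key_pem: str) -> dict:
    """Step 2: base64-encode the three PEM inputs under the keys the Secret uses,
    checking that each looks like PEM before encoding."""
    expected = {"ca.crt": "BEGIN CERTIFICATE", "tls.crt": "BEGIN CERTIFICATE",
                "tls.key": "PRIVATE KEY"}
    material = {"ca.crt": ca_pem, "tls.crt": cert_pem, "tls.key": key_pem}
    for key, pem in material.items():
        if expected[key] not in pem:
            raise ValueError(f"{key}: input is not PEM ({expected[key]} marker missing)")
    return {key: b64_single_line(pem.encode()) for key, pem in material.items()}


def render_secret(name: str, data: dict, namespace: str = "mke") -> str:
    """Step 3: the kubectl-ready Secret manifest. The namespace is enforced
    because the procedure requires the Secret to live in 'mke'."""
    if namespace != "mke":
        raise ValueError("namespace MUST be mke")
    bad = [k for k, v in data.items() if not is_single_line_base64(v)]
    if bad:
        raise ValueError(f"wrapped or invalid base64 in: {', '.join(bad)}")
    lines = ["apiVersion: v1", "kind: Secret", "metadata:",
             f"  name: {name}", f"  namespace: {namespace}", "data:"]
    lines += [f"  {k}: {v}" for k, v in data.items()]
    return "\n".join(lines) + "\n"


def default_ssl_certificate_ref(name: str, namespace: str = "mke") -> str:
    """Step 4: the value written to spec.ingressController.extraArgs.defaultSslCertificate."""
    return f"{namespace}/{name}"


if __name__ == "__main__":
    print("hosts the cert must cover:", " ".join(required_hosts(MKE4_CONFIG)))
    secret_data = encode_material(CA_PEM, CERT_PEM, KEY_PEM)
    print(render_secret("user-provided-ingress-cert", secret_data))
    print("defaultSslCertificate:", default_ssl_certificate_ref("user-provided-ingress-cert"))
```

Running it prints the host list the certificate must cover, the manifest that step 3 pipes into kubectl, and the secret reference for step 4; feeding it base64 produced without -w0/-b0 makes render_secret refuse the manifest instead of applying a broken Secret.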
