k8s-infra
k8s-infra copied to clipboard
snowdrop
Fix OCP HSTS errors
Issue
When we access the ocp console, then we got such a message from google chrome
You cannot visit oauth-openshift.apps.ocp.snowdrop.dev right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.
HSTS: https://developer.mozilla.org/en-US/docs/Glossary/HSTS
Temporary workaround is to type thisisunsafe within the google chrome window - https://stackoverflow.com/questions/33268264/chromethe-website-uses-hsts-network-errors-this-page-will-probably-work-late
Dont forget to add the link to the issue/PR to track that from your tasks ;-)
I think that I know how to fix it.
We dont have issues when we access https://console-openshift-console.snowdrop-eu-de-1-bx2-4x16-0c576f1a70d464f092d8591997631748-0000.eu-de.containers.appdomain.cloud/ as their HTTPS certificate has been signed for the domain *.cloud by Let's encrypt - https://letsencrypt.org/certificates/#intermediate-certificates
-----BEGIN CERTIFICATE-----
MIIGRzCCBS+gAwIBAgISBIq2+AqEbznEOBnuHHqEpCBdMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMzA0MTMwNDEzNDdaFw0yMzA3MTIwNDEzNDZaMEUxQzBBBgNVBAMT
OnNub3dkcm9wLWV1LWRlLTEtYngyLTR4MTYuZXUtZGUuY29udGFpbmVycy5hcHBk
b21haW4uY2xvdWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCZTx3I
Pgf1fn6i+oHSh5IwdjBn/BGSWkXXAbMJS+1myHKEczlKfR3xG1Fdetx657SPqHEY
YqAmpISR8aAnQBYFje1Bk7dZ4LkygbMUWw+r994tkHwoioRxCcsGcUwBtog2r5Ta
/MR6pkwipFY4qJ/zN2cIkRXAePy6r9AElSqoWtlfn7SAf/ENC4Ur0c5xwZs5pSPA
6/0oxaEwQvMqyVrhpreH9tpkFQQhoQJTht8EFzRBScua9mxztDvt6jhVSGLjbMBR
aV2Vwy5YEJsgtRhXGlBqTfBzBao8P2YAIg79ISrKmTXsXyJ7/OeGWJ30gSqnxW1K
Kcct/FQ8lkNwpIbXAgMBAAGjggNCMIIDPjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYE
FDhoxA4/oeUxzpSEcqSq4M3e3aFBMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJQOYf
r52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3IzLm8u
bGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcvMIIB
DwYDVR0RBIIBBjCCAQKCYiouc25vd2Ryb3AtZXUtZGUtMS1ieDItNHgxNi0wYzU3
NmYxYTcwZDQ2NGYwOTJkODU5MTk5NzYzMTc0OC0wMDAwLmV1LWRlLmNvbnRhaW5l
cnMuYXBwZG9tYWluLmNsb3VkgmBzbm93ZHJvcC1ldS1kZS0xLWJ4Mi00eDE2LTBj
NTc2ZjFhNzBkNDY0ZjA5MmQ4NTkxOTk3NjMxNzQ4LTAwMDAuZXUtZGUuY29udGFp
bmVycy5hcHBkb21haW4uY2xvdWSCOnNub3dkcm9wLWV1LWRlLTEtYngyLTR4MTYu
ZXUtZGUuY29udGFpbmVycy5hcHBkb21haW4uY2xvdWQwTAYDVR0gBEUwQzAIBgZn
gQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5s
ZXRzZW5jcnlwdC5vcmcwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwC3Pvsk35xN
unXyOcW6WPRsXfxCz3qfNcSeHQmBJe20mQAAAYd5CLg8AAAEAwBIMEYCIQDknrov
P4dsaO9cowbaK+W8qnFXlw2CXWmDqCga4jjvJgIhALDONveWD9P133Lcozni7WIT
Pt22QP4tj8zM7DQw0gzdAHYAejKMVNi3LbYg6jjgUh7phBZwMhOFTTvSK8E6V6NS
61IAAAGHeQi4TAAABAMARzBFAiEAxpLBPpag94JhLAf52vnYg0ShaQcBrQ5D9dkE
DcDHSCUCIGzt0Y+JaJN+0lvhZtoYLok8jTMJeFWI4tHxTkkGsgoQMA0GCSqGSIb3
DQEBCwUAA4IBAQCCQQ2GI1EkukC1GLUKpRcB2d7a0QrW1eu0qHOmyaH44G1Fii+X
DEUXVe93m9nROyG0ZdFhvxIHVuIylH31Q3UEOE0DtMHT3pYCzg+vs93jIFPXXL1C
1f52mt0TKsGnnPxUzHI0CqWZ4YKIAP+QURLVURQoe5YlvqMC3Mn0mW7tZKdrlnil
GnrXsveCz6oKbAtvoP8bMGWWsltrMjUZHZOB6lOvcQJoocxDZfCdHBoMjL+SugZ5
4DCqWHueRJc7o4Vdxcq3gNuCJ8YrYP7V3hZ4ustjBSPQBdlcBezmSuJ/DuQwCok2
TAMzaIP3LnDk+uYowmfELaIH3q+t7lj7HION
-----END CERTIFICATE-----
instead the certificate generated by the ocp ingress operator for us
-----BEGIN CERTIFICATE-----
MIIDZTCCAk2gAwIBAgIIM5L+uC/xI+YwDQYJKoZIhvcNAQELBQAwJjEkMCIGA1UE
AwwbaW5ncmVzcy1vcGVyYXRvckAxNjgwMDkzMzc3MB4XDTIzMDMyOTEyMzYxN1oX
DTI1MDMyODEyMzYxOFowIjEgMB4GA1UEAwwXKi5hcHBzLm9jcC5zbm93ZHJvcC5k
ZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrL8TyhxSjXY91I8lD
JmRmjTQddf6kVzD4i8SFUY9Oi+ftYetb8z4sDVz6oq+85AIqDiH4TliqM5PAiL9F
Q33miAdxOoF42S1a0LQpzDs/gt3VTLIls1/IFo4iA1KbnmuNNbDWZ1Ofe+twTwSA
0HEODhCzzsVS6Oz+vUZIwWoY6gQET8XymhoA14Vu6GQPG1SjC6SRat7263A61GNA
82Yt7MsANqkzR88r0FVLpuvGeX/2d2kwmIv1ZTpdAomJTd1o/gcuC2QA7DuAa9b3
Mv+0wUjGTgZUa8+tbshEWlJ+cCQnFemyTooR7cUAw0jjTlhq32JWFQW08jV7EJwl
jS2/AgMBAAGjgZowgZcwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUF
BwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFJMlo5jao13Eia1IqeaL+V6pqrsG
MB8GA1UdIwQYMBaAFHHVWLJXMatLkpvA69XC5n2uW0Q5MCIGA1UdEQQbMBmCFyou
YXBwcy5vY3Auc25vd2Ryb3AuZGV2MA0GCSqGSIb3DQEBCwUAA4IBAQCTeuG5pMwg
KcTdc/k3EMDIECX9OHZoNKl/4uVyILMyfOlC2y2qE0vhzpwT949Be4/l/cZHtLmQ
3HnHwbsbS1p4D50/ByrSA50GDQkwd+80yMK14RMzQqv6N/3kX/6k/ss65fZygxTw
Tw2Qk4ITq/p4h/O9rpqqf5PRHkhGkjfQN6iPDXgeImRjUo32BAjypC7cGGqjwo4P
C5KTHHYBth/LBFyvQos/k4IaJ/qS1Ys6eNLR6NFcwy9LgbEadjGB2Gn+r3AbriQq
NYsrp8tvbAdAg0TyngnGcnQfuKXI/rkxYxHPh4e6/kI+hzwZ+YzeP9X/pzZq8ZvP
B9J1OVll7vas
-----END CERTIFICATE-----
So, if we ask to Let's encrypt and Godaddy to sign a Certificate request for *.apps.ocp.snowdrop.dev, that should work.
The next challenge will be to pass such a certificate within the Openstack ocp install config file. Maybe using: https://docs.openshift.com/container-platform/4.13/installing/installing_openstack/installing-openstack-installer-custom.html#installation-osp-describing-cloud-parameters_installing-openstack-installer-custom
WDYT ? @jacobdotcosta
I tested manually this procedure after updating the certificate and issuer role of k8s-infra, collected the updated secret and patched as described here: https://docs.openshift.com/container-platform/4.13/security/certificates/replacing-default-ingress-certificate.html#replacing-default-ingress_replacing-default-ingress
Now, the access to https://console-openshift-console.apps.ocp.snowdrop.dev/dashboards do not generate a HTST error ;-)
oc login is reporting nevertheless an error
oc login --token=sha256~xxxx --server=https://api.ocp.snowdrop.dev:6443
error: x509: “kube-apiserver-lb-signer” certificate is not trusted
FYI: @jacobdotcosta
A part of the problem could be automated if we pass to the openshift installer config file the parameter additionalTrustBundle
See how that works here: https://github.com/openshift/installer/blob/master/docs/user/customization.md#proxy which corresponds to what it is described here: https://docs.openshift.com/container-platform/4.13/security/certificates/replacing-default-ingress-certificate.html#replacing-default-ingress_replacing-default-ingress (create a custom CA secret and patch proxy/cluster)
NOTE: We need of course to populate first and separately the CA crt and keys before to create a cluster !
@jacobdotcosta
I still have an issue using such certificate/issuer
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-prod-qshift-snowdrop-dev
labels:
app: qshift-ca-cert
namespace: snowdrop-site
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email:
privateKeySecretRef:
name: letsencrypt-prod-snowdrop-dev
solvers:
- dns01:
webhook:
config:
apiKeySecretRef:
name: godaddy-api-key
key: token
production: true
ttl: 600
groupName: acme.mycompany.com
solverName: godaddy
selector:
dnsNames:
- 'api.qshift.snowdrop.dev'
- 'oauth-openshift.apps.qshift.snowdrop.dev'
- 'console-openshift-console.apps.qshift.snowdrop.dev'
- 'grafana-openshift-monitoring.apps.qshift.snowdrop.dev'
- 'prometheus-k8s-openshift-monitoring.apps.qshift.snowdrop.dev'
- 'integrated-oauth-server-openshift-authentication.apps.qshift.snowdrop.dev'
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: qshift-snowdrop-dev
labels:
app: qshift-ca-cert
namespace: snowdrop-site
spec:
renewBefore: 2136h
duration: 2190h
privateKey:
size: 2048
algorithm: RSA
issuerRef:
kind: Issuer
name: letsencrypt-prod-qshift-snowdrop-dev
secretName: qshift-snowdrop-dev-tls
dnsNames:
- 'api.qshift.snowdrop.dev'
- 'oauth-openshift.apps.qshift.snowdrop.dev'
- 'console-openshift-console.apps.qshift.snowdrop.dev'
- 'grafana-openshift-monitoring.apps.qshift.snowdrop.dev'
- 'prometheus-k8s-openshift-monitoring.apps.qshift.snowdrop.dev'
- 'integrated-oauth-server-openshift-authentication.apps.qshift.snowdrop.dev'
Problem fixed after issuing the following certificate
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-prod-qshift-snowdrop-dev
labels:
app: qshift-ca-cert
namespace: snowdrop-site
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email:
privateKeySecretRef:
name: letsencrypt-prod-snowdrop-dev
solvers:
- dns01:
webhook:
config:
apiKeySecretRef:
name: godaddy-api-key
key: token
production: true
ttl: 600
groupName: acme.mycompany.com
solverName: godaddy
selector:
dnsNames:
- '*.apps.qshift.snowdrop.dev'
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: qshift-snowdrop-dev
labels:
app: qshift-ca-cert
namespace: snowdrop-site
spec:
renewBefore: 2136h
duration: 2190h
privateKey:
size: 2048
algorithm: RSA
issuerRef:
kind: Issuer
name: letsencrypt-prod-qshift-snowdrop-dev
secretName: qshift-snowdrop-dev-tls
dnsNames:
- '*.apps.qshift.snowdrop.dev'
Question from Antonio: To install the new cert manager on the OCP cluster we would still need the one on the snowdrop k8s server right?
Charles's response: No.
It is not needed to centralize everything on a cluster EXCEPT when rotation will take place and when secrets (= ca, tls) are still used.
- So if we don't centralize, that means that we need to find a way to "copy/scp" the secret or rotated secret to the target cluster
- If we install a cert manager / cluster, then it can also manage the rotation and save locally the secret. If the cluster is then removed, no need anymore to rotate the cert as needed by letsencrypt after 3months
@jacobdotcosta