mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
133 lines
4.6 KiB
Plaintext
// Module included in the following assemblies:
//
// * security/cert_manager_operator/cert-manager-operator-proxy.adoc

:_mod-docs-content-type: PROCEDURE
[id="zero-trust-manager-proxy-support_{context}"]
= Injecting a custom CA certificate for the {zero-trust-full}

[role="_abstract"]
Inject certificate authority (CA) certificates into the {zero-trust-full} to support proxying HTTPS connections. This configuration helps ensure that the Identity Manager can communicate securely when you enable a cluster-wide proxy.

.Prerequisites

* You have access to the cluster as a user with the `cluster-admin` role.
* You have enabled the cluster-wide proxy for {product-title}.
* You have installed {zero-trust-full} 1.0.0 or later.
* You have deployed the SPIRE Server, SPIRE Agent, SPIFFE CSI Driver, and the SPIRE OIDC Discovery Provider operands in the cluster.

.Procedure

. Create a config map in the `zero-trust-workload-identity-manager` namespace by running the following command:
+
[source,terminal]
----
$ oc create configmap trusted-ca -n zero-trust-workload-identity-manager
----

. Inject the CA bundle that is trusted by {product-title} into the config map by running the following command:
+
[source,terminal]
----
$ oc label cm trusted-ca config.openshift.io/inject-trusted-cabundle=true -n zero-trust-workload-identity-manager
----

. Update the subscription for the {zero-trust-full} to use the config map by running the following command:
+
[source,terminal]
----
$ oc -n zero-trust-workload-identity-manager patch subscription openshift-zero-trust-workload-identity-manager --type='merge' -p '{"spec":{"config":{"env":[{"name":"TRUSTED_CA_BUNDLE_CONFIGMAP","value":"trusted-ca"}]}}}'
----

.Verification

. Verify that the operands have finished rolling out by running the following command:
+
[source,terminal]
----
$ oc rollout status deployment/zero-trust-workload-identity-manager-controller-manager -n zero-trust-workload-identity-manager && \
  oc rollout status statefulset/spire-server -n zero-trust-workload-identity-manager && \
  oc rollout status daemonset/spire-agent -n zero-trust-workload-identity-manager && \
  oc rollout status deployment/spire-spiffe-oidc-discovery-provider -n zero-trust-workload-identity-manager
----
+
.Example output
[source,terminal]
----
deployment "zero-trust-workload-identity-manager-controller-manager" successfully rolled out
statefulset "spire-server" successfully rolled out
daemonset "spire-agent" successfully rolled out
deployment "spire-spiffe-oidc-discovery-provider" successfully rolled out
----

. Verify that the CA bundle was mounted as a volume by running the following commands:
+
[source,terminal]
----
$ oc get deployment zero-trust-workload-identity-manager -n zero-trust-workload-identity-manager -o jsonpath='{.spec.template.spec.containers[0].volumeMounts}'
----
+
[source,terminal]
----
$ oc get statefulset spire-server -n zero-trust-workload-identity-manager -o jsonpath='{.spec.template.spec.containers[*].volumeMounts[?(@.name=="trusted-ca-bundle")]}'
----
+
[source,terminal]
----
$ oc get daemonset spire-agent -n zero-trust-workload-identity-manager -o jsonpath='{.spec.template.spec.containers[*].volumeMounts[?(@.name=="trusted-ca-bundle")]}'
----
+
[source,terminal]
----
$ oc get daemonset spire-spiffe-csi-driver -n zero-trust-workload-identity-manager -o jsonpath='{.spec.template.spec.containers[*].volumeMounts[?(@.name=="trusted-ca-bundle")]}'
----
+
.Example output
[source,terminal]
----
[{"mountPath":"/etc/pki/ca-trust/extracted/pem","name":"trusted-ca-bundle","readOnly":true}]
----

. Verify that the source of the CA bundle is the `trusted-ca` config map by running the following commands:
+
[source,terminal]
----
$ oc get deployment zero-trust-workload-identity-manager -n zero-trust-workload-identity-manager -o=jsonpath='{.spec.template.spec.volumes}'
----
+
[source,terminal]
----
$ oc get statefulset spire-server -n zero-trust-workload-identity-manager -o=jsonpath='{.spec.template.spec.volumes}' | jq '.[] | select(.name=="trusted-ca-bundle")'
----
+
[source,terminal]
----
$ oc get daemonset spire-agent -n zero-trust-workload-identity-manager -o=jsonpath='{.spec.template.spec.volumes}' | jq '.[] | select(.name=="trusted-ca-bundle")'
----
+
[source,terminal]
----
$ oc get deployment spire-spiffe-oidc-discovery-provider -n zero-trust-workload-identity-manager -o=jsonpath='{.spec.template.spec.volumes}' | jq '.[] | select(.name=="trusted-ca-bundle")'
----
+
.Example output
[source,terminal]
----
{
  "configMap": {
    "defaultMode": 420,
    "items": [
      {
        "key": "ca-bundle.crt",
        "path": "tls-ca-bundle.pem"
      }
    ],
    "name": "trusted-ca"
  },
  "name": "trusted-ca-bundle"
}
----
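The following script is an added example and is not part of this module or of the {zero-trust-full} project. It wraps the three procedure steps and the verification steps in one POSIX shell script: the create and label steps are made idempotent, the script waits for the Cluster Network Operator to populate the `ca-bundle.crt` key (the label `config.openshift.io/inject-trusted-cabundle=true` triggers that injection asynchronously) before the subscription is patched, and the jsonpath output from the verification steps is checked by `mount_ok` and `volume_source_ok` rather than read by eye. The namespace, config map, subscription, mount path and workload names are taken from this page; the `ZTWIM_APPLY` guard, the retry limit, the operand list and the jsonpath filter on `.volumes` are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the openshift-docs module. Wraps the procedure and
# verification steps above. Names come from the page; ZTWIM_APPLY, the retry
# limit and the operand list are assumptions made here.
set -eu

NS="zero-trust-workload-identity-manager"
CM="trusted-ca"
SUB="openshift-zero-trust-workload-identity-manager"
MOUNT_PATH="/etc/pki/ca-trust/extracted/pem"
# Operands that must mount the bundle (assumed: the operands listed under Prerequisites).
OPERANDS="statefulset/spire-server daemonset/spire-agent daemonset/spire-spiffe-csi-driver deployment/spire-spiffe-oidc-discovery-provider"

# The merge patch from step 3, built in one place so the env var name cannot drift.
subscription_patch() {
  printf '{"spec":{"config":{"env":[{"name":"TRUSTED_CA_BUNDLE_CONFIGMAP","value":"%s"}]}}}' "$CM"
}

# Returns 0 if a volumeMounts fragment (jsonpath output from the verification steps)
# mounts trusted-ca-bundle at the expected path and read-only. A writable mount is
# treated as a failure: the workload must not be able to rewrite its own trust store.
mount_ok() {
  json=$(printf '%s' "$1" | tr -d ' \n\t')
  case "$json" in *'"mountPath":"'"$MOUNT_PATH"'"'*) ;; *) echo "mountPath $MOUNT_PATH missing" >&2; return 1 ;; esac
  case "$json" in *'"name":"trusted-ca-bundle"'*) ;; *) echo "trusted-ca-bundle mount missing" >&2; return 1 ;; esac
  case "$json" in *'"readOnly":true'*) ;; *) echo "trusted-ca-bundle mount is not readOnly" >&2; return 1 ;; esac
}

# Returns 0 if a volumes fragment sources trusted-ca-bundle from the trusted-ca
# config map and maps the injected ca-bundle.crt key (what verification step 3 shows).
volume_source_ok() {
  json=$(printf '%s' "$1" | tr -d ' \n\t')
  case "$json" in *'"name":"'"$CM"'"'*) ;; *) echo "volume not sourced from config map $CM" >&2; return 1 ;; esac
  case "$json" in *'"key":"ca-bundle.crt"'*) ;; *) echo "key ca-bundle.crt not mapped" >&2; return 1 ;; esac
}

apply() {
  # Step 1, idempotent: create the config map only if it is absent.
  oc get configmap "$CM" -n "$NS" >/dev/null 2>&1 || oc create configmap "$CM" -n "$NS"
  # Step 2: the label asks the Cluster Network Operator to inject the trust bundle.
  oc label configmap "$CM" -n "$NS" config.openshift.io/inject-trusted-cabundle=true --overwrite
  # Injection is asynchronous; wait for ca-bundle.crt so the first rollout mounts a
  # populated bundle rather than an empty config map (30 tries, assumed limit).
  i=0
  until oc get configmap "$CM" -n "$NS" -o jsonpath='{.data.ca-bundle\.crt}' | grep -q 'BEGIN CERTIFICATE'; do
    i=$((i + 1)); [ "$i" -lt 30 ] || { echo "ca-bundle.crt was not injected into $CM" >&2; exit 1; }
    sleep 2
  done
  # Step 3: point the operator at the config map.
  oc -n "$NS" patch subscription "$SUB" --type=merge -p "$(subscription_patch)"
}

verify() {
  oc rollout status deployment/zero-trust-workload-identity-manager-controller-manager -n "$NS"
  for w in $OPERANDS; do
    oc rollout status "$w" -n "$NS"
    kind=${w%%/*}; name=${w#*/}
    mount_ok "$(oc get "$kind" "$name" -n "$NS" -o jsonpath='{.spec.template.spec.containers[*].volumeMounts[?(@.name=="trusted-ca-bundle")]}')"
    volume_source_ok "$(oc get "$kind" "$name" -n "$NS" -o jsonpath='{.spec.template.spec.volumes[?(@.name=="trusted-ca-bundle")]}')"
    echo "$w: trusted CA bundle mounted read-only from config map $CM"
  done
}

# Only touch a cluster when explicitly asked; otherwise the file just defines the functions.
if [ "${ZTWIM_APPLY:-0}" = 1 ]; then
  apply
  verify
fi
```

Run it with `ZTWIM_APPLY=1 sh inject-trusted-ca.sh` against a cluster where the prerequisites hold. The two check functions deliberately fail on a mount that is not `readOnly` and on a volume whose config map is not `trusted-ca`, which is the difference between "a bundle is mounted" and "the cluster-wide trust bundle, and nothing else, is what the operands trust".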