Creating sites using a custom certificate authority on OpenShift

By default, Skupper creates certificates to establish links between sites using mutual TLS. These certificates are stored as secrets in the namespace when you create a site using skupper init. If you want to use your own certificates, you can populate the a set of secrets with the appropriate certificates before creating the site as described in this section. This set of secrets provides Skupper with the configuration required to create a site.

The following certificates are required:

skupper-claims-server

Used for linking sites with claim type tokens.

skupper-console-certs

Used by the Skupper console.

skupper-local-client and skupper-local-server

Used by the Skupper router.

skupper-site-server

Used for all inter-router connections, and for headless services.

skupper-service-client

Used for services exposed over TLS.

Prerequisites

  • Access to an OpenShift cluster with sufficient permission to run skupper init.

  • Access to create certificates using your certificate authority.

Procedure

  1. Create one or more certificates for a site.

    There are several alternative approaches to this step:

    • Reissue an existing certificate with a set of Subject Alternative Names (SANs) for the site.

    • Create a new certificate with a set of SANs for the site.

    • Create a new certificate for each item relating to the site.

    You require a certificate for each of the following secrets:

    • skupper.<namespace>

    • skupper-router.<namespace>

    • skupper-router-local

    • skupper-router-local.<namespace>.svc.cluster.local

    • claims-<namespace>.<clustername>.<domain>

    • skupper-<namespace>.<clustername>.<domain>

    • skupper-edge-<namespace>.<clustername>.<domain>

    • skupper-inter-router-<namespace>.<clustername>.<domain>

    where:

    • <namespace> is the name of the namespace where you want to create a site.

    • <clustername> is the name of the cluster.

    • <domain> is the domain name for the cluster.

    Using a specific certificate authority technology is beyond the scope of this guide. However, the following commands show how to create a certificate authority on Linux and create a single certificate that you can use to populate the secrets.

    1. Create a ca directory and create a certificate authority certificate:

      $ mkdir ca

$ cd ca

$ ssh-keygen -t rsa -m PEM -f tls.key -q -N ""
$ openssl req -x509 -nodes -days 365 -key tls.key -out tls.crt

    2. Given the certificate authority created tls.crt and tls.key files, you can create a certificate for the site as follows:

      $ cd ..
$ mkdir certificate
$ cd certificate

$ openssl req -nodes -newkey rsa:4096 -x509 -CA ../ca/tls.crt -CAkey ../ca/tls.key -out tls.crt -keyout tls.key -addext "subjectAltName = DNS:skupper.<namespace>, DNS:skupper-router.<namespace>, DNS:skupper-router-local, DNS:skupper-router-local.<namespace>.svc.cluster.local,DNS:claims-<namespace>.<clustername>.<domain>, DNS:skupper-<namespace>.<clustername>.<domain>, DNS:skupper-edge-<namespace>.<clustername>.<domain>, DNS:skupper-inter-router-<namespace>.<clustername>.<domain>"

    You should now have a root certificate in the ca directory and another certificate in the certificate directory that you can use with a site.

  2. Create secrets for the site

    1. Change to the parent directory of the certificate directory:

      $ cd ..

    2. Populate the ca related secrets using the certificate from the ca directory:

      $ kubectl create secret tls skupper-site-ca --cert=ca/tls.crt --key=ca/tls.key

$ kubectl create secret tls skupper-service-ca --cert=ca/tls.crt --key=ca/tls.key

$ kubectl create secret tls skupper-local-ca --cert=ca/tls.crt --key=ca/tls.key

    3. Populate the other secrets and modify them into the format required by skupper:

      $ kubectl create secret tls skupper-claims-server --cert=certificate/tls.crt --key=certificate/tls.key

$ kubectl patch secret skupper-claims-server  -p="{\"data\":{\"ca.crt\": \"$($ kubectl get secret skupper-site-ca -o json -o=jsonpath="{.data.tls\.crt}")\"}}"


$ kubectl create secret tls skupper-console-certs --cert=certificate/tls.crt --key=certificate/tls.key

$ kubectl patch secret skupper-console-certs  -p="{\"data\":{\"ca.crt\": \"$($ kubectl get secret skupper-local-ca -o json -o=jsonpath="{.data.tls\.crt}")\"}}"


$ kubectl create secret tls skupper-local-client --cert=certificate/tls.crt --key=certificate/tls.key

$ kubectl patch secret skupper-local-client  -p="{\"data\":{\"ca.crt\": \"$($ kubectl get secret skupper-local-ca -o json -o=jsonpath="{.data.tls\.crt}")\"}}"


$ kubectl create secret tls skupper-local-server --cert=certificate/tls.crt --key=certificate/tls.key

$ kubectl patch secret skupper-local-server  -p="{\"data\":{\"ca.crt\": \"$($ kubectl get secret skupper-local-ca -o json -o=jsonpath="{.data.tls\.crt}")\"}}"


$ kubectl create secret tls skupper-site-server --cert=certificate/tls.crt --key=certificate/tls.key

$ kubectl patch secret skupper-site-server  -p="{\"data\":{\"ca.crt\": \"$($ kubectl get secret skupper-site-ca -o json -o=jsonpath="{.data.tls\.crt}")\"}}"


$ kubectl create secret tls skupper-service-client --cert=certificate/tls.crt --key=certificate/tls.key

$ kubectl patch secret skupper-service-client  -p="{\"data\":{\"ca.crt\": \"$($ kubectl get secret skupper-service-ca -o json -o=jsonpath="{.data.tls\.crt}")\"}}"

  3. Create the site using the following command:

    $ skupper init

    On OpenShift, skupper defaults to use the route ingress, which is the equivalent of skupper init --ingress route.

    To verify your site, check the status:

    $ skupper status

    You can also verify the OpenShift routes are created using:

    $ oc get routes

    Finally, use the following command to check for errors relating to incorrect certificates:

    $ skupper debug events