$ for I in $(oc get ns -o jsonpath='{range .items[*]} {.metadata.name}{"\n"} {end}'); \ do oc delete pods --all -n $I; \ sleep 1; \ done
Service serving certificates are intended to support complex middleware applications that require encryption. These certificates are issued as TLS web server certificates.
The service-ca
controller uses the x509.SHA256WithRSA
signature
algorithm to generate service certificates.
The generated certificate and key are in PEM format, stored in tls.crt
and tls.key
respectively, within a created secret. The
certificate and key are automatically replaced when they get close to
expiration.
The service CA certificate, which issues the service certificates, is valid for 26 months and is automatically rotated when there is less than six months validity left. After rotation, the previous service CA configuration is still trusted until its expiration. This allows a grace period for all affected services to refresh their key material before the expiration. If you do not upgrade your cluster during this grace period, which restarts services and refreshes their key material, you might need to manually restart services to avoid failures after the previous service CA expires.
You can use the following command to manually restart all Pods in the cluster. Be aware that running this command causes a service interruption, because it deletes every running Pod in every namespace. These Pods will automatically restart after they are deleted. $ for I in $(oc get ns -o jsonpath='{range .items[*]} {.metadata.name}{"\n"} {end}'); \ do oc delete pods --all -n $I; \ sleep 1; \ done |
To secure communication to your service, generate a signed serving certificate and key pair into a secret in the same namespace as the service.
The generated certificate is only valid for the internal service DNS name
|
You must have a service defined.
Annotate the service with service.beta.openshift.io/serving-cert-secret-name
.
$ oc annotate service <service-name> \(1) service.beta.openshift.io/serving-cert-secret-name=<secret-name> (2)
1 | Replace <service-name> with the name of the service to secure. |
2 | <secret-name> will be the name of the generated secret containing the
certificate and key pair. For convenience, it is recommended that this
be the same as <service-name> . |
For instance, use the following command to annotate the service foo
:
$ oc annotate service foo service.beta.openshift.io/serving-cert-secret-name=foo
Examine the service to confirm the annotations are present.
$ oc describe service <service-name> ... Annotations: service.beta.openshift.io/serving-cert-secret-name: <service-name> service.beta.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1556850837 ...
After the cluster generates a secret for your service, your PodSpec can mount it, and the Pod will run after it becomes available.
A Pod can access the service CA certificate by mounting a ConfigMap that
is annotated with service.beta.openshift.io/inject-cabundle=true
.
Once annotated, the cluster automatically injects the service CA
certificate into the service-ca.crt
key on the ConfigMap. Access to
this CA certificate allows TLS clients to verify connections to
services using service serving certificates.
After adding this annotation to a ConfigMap all existing data in it is
deleted. It is recommended to use a separate ConfigMap to contain the
|
Annotate the ConfigMap with service.beta.openshift.io/inject-cabundle=true
.
$ oc annotate configmap <configmap-name> \(1) service.beta.openshift.io/inject-cabundle=true
1 | Replace <configmap-name> with the name of the ConfigMap to annotate. |
Explicitly referencing the |
For instance, to annotate the ConfigMap foo
the following command would be
used:
$ oc annotate configmap foo service.beta.openshift.io/inject-cabundle=true
View the ConfigMap to ensure the certificate has been generated. This
appears as a service-ca.crt
in the YAML output.
$ oc get configmap <configmap-name> -o yaml apiVersion: v1 data: service-ca.crt: | -----BEGIN certificate----- ...
You can rotate the service certificate by deleting the associated secret. Deleting the secret results in a new one being automatically created, resulting in a new certificate.
A secret containing the certificate and key pair must have been generated for the service.
Examine the service to determine the secret containing the
certificate. This is found in the serving-cert-secret-name
annotation, as seen below.
$ oc describe service <service-name> ... service.beta.openshift.io/serving-cert-secret-name: <secret> ...
Delete the generated secret for the service. This process will automatically recreate the secret.
$ oc delete secret <secret> (1)
1 | Replace <secret> with the name of the secret from the previous
step. |
Confirm that the certificate has been recreated
by obtaining the new secret and examining the AGE
.
$ oc get secret <service-name> NAME TYPE DATA AGE <service.name> kubernetes.io/tls 2 1s
The service CA is valid for 26 months and is automatically refreshed when there is less than six months validity left.
If necessary, you can manually refresh the service CA by using the following procedure.
A manually-rotated service CA does not maintain trust with the previous service CA. You might experience a temporary service disruption until the Pods in the cluster are restarted, which ensures that Pods are using service serving certificates issued by the new service CA. |
You must be logged in as a cluster admin.
View the expiration date of the current service CA certificate by using the following command.
$ oc get secrets/signing-key -n openshift-service-ca \ -o template='{{index .data "tls.crt"}}' \ | base64 -d \ | openssl x509 -noout -enddate
Manually rotate the service CA. This process generates a new service CA which will be used to sign the new service certificates.
$ oc delete secret/signing-key -n openshift-service-ca
To apply the new certificates to all services, restart all the Pods in your cluster. This command ensures that all services use the updated certificates.
$ for I in $(oc get ns -o jsonpath='{range .items[*]} {.metadata.name}{"\n"} {end}'); \ do oc delete pods --all -n $I; \ sleep 1; \ done
This command will cause a service interruption, as it goes through and deletes every running pod in every namespace. These pods will automatically restart after they are deleted. |