-----BEGIN CERTIFICATE-----
MIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
...
l4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo=
-----END CERTIFICATE-----
Learn how to use a custom TLS certificate with Red Hat Advanced Cluster Security for Kubernetes. After you set up a certificate, users and API clients do not have to bypass the certificate security warnings when connecting to Central.
You can apply a security certificate during the installation or on an existing Red Hat Advanced Cluster Security for Kubernetes deployment.
You must already have PEM-encoded private key and certificate files.
The certificate file should begin and end with human-readable blocks. For example:
-----BEGIN CERTIFICATE-----
MIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
...
l4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo=
-----END CERTIFICATE-----
The certificate file can contain either a single (leaf) certificate, or a certificate chain.
|
If you are using a custom certificate that is not globally trusted, you must also configure the Sensor to trust your custom certificate.
If you are installing Red Hat Advanced Cluster Security for Kubernetes using Helm:
Add your custom certificate and its key in the values-private.yaml
file:
central:
# Configure a default TLS certificate (public cert + private key) for central
defaultTLS:
cert: |
-----BEGIN CERTIFICATE-----
MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
...
-----END CERTIFICATE-----
key: |
-----BEGIN EC PRIVATE KEY-----
MHcl4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo=
...
-----END EC PRIVATE KEY-----
Provide the configuration file during the installation:
$ helm install -n stackrox --create-namespace stackrox-central-services rhacs/central-services -f values-private.yaml
If you are installing Red Hat Advanced Cluster Security for Kubernetes using the roxctl
CLI, provide the certificate and key files when you run the installer:
For the non-interactive installer, use the --default-tls-cert
and --default-tls-key
options:
$ roxctl central generate --default-tls-cert "cert.pem" --default-tls-key "key.pem"
For the interactive installer, provide the certificate and key files when you enter answers for the prompts:
...
Enter PEM cert bundle file (optional): <cert.pem>
Enter PEM private key file (optional): <key.pem>
Enter administrator password (default: autogenerated):
Enter orchestrator (k8s, openshift): openshift
...
If you have installed Red Hat Advanced Cluster Security for Kubernetes using Helm:
Add your custom certificate and its key in the values-private.yaml
file:
central:
# Configure a default TLS certificate (public cert + private key) for central
defaultTLS:
cert: |
-----BEGIN CERTIFICATE-----
MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
...
-----END CERTIFICATE-----
key: |
-----BEGIN EC PRIVATE KEY-----
MHcl4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo=
...
-----END EC PRIVATE KEY-----
Use the helm upgrade
command and provide the updated configuration file:
$ helm upgrade -n stackrox --create-namespace stackrox-central-services rhacs/central-services -f values-private.yaml
If you have installed Red Hat Advanced Cluster Security for Kubernetes using the roxctl
CLI:
Create and apply a TLS secret from the PEM-encoded key and certificate files:
$ oc -n stackrox create secret tls central-default-tls-cert \
--cert <server_cert.pem> \
--key <server_key.pem> \
--dry-run -o yaml | oc apply -f -
After you run this command, Central automatically applies the new key and certificate without requiring the pod to be restarted. It might take up to a minute to propagate the changes.
If you use a custom certificate for Central, you can update the certificate by performing the following procedure.
Delete the existing custom certificate’s secret:
$ oc delete secret central-default-tls-cert
Create a new secret:
$ oc -n stackrox create secret tls central-default-tls-cert \
--cert <server_cert.pem> \
--key <server_key.pem> \
--dry-run -o yaml | oc apply -f -
Restart the Central container.
You can restart the Central container by killing the Central container or by deleting the Central pod.
Run the following command to kill the Central container:
You must wait for at least 1 minute, until OpenShift Container Platform propagates your changes and restarts the Central container. |
$ oc -n stackrox exec deploy/central -c central -- kill 1
Or, run the following command to delete the Central pod:
$ oc -n stackrox delete pod -lapp=central
If you are using a custom certificate that is not trusted globally, you must configure the Sensor to trust your custom certificate.
Otherwise, you might get errors.
The specific type of error may vary based on your setup and the certificate you use.
Usually, it is an x509 validation
related error.
You do not need to configure the Sensor to trust your custom certificate if you are using a globally trusted certificate. |
The Sensor bundle includes the necessary configuration files and scripts to install Sensor. You can download the Sensor bundle from the RHACS portal.
Navigate to the RHACS portal.
Go to Platform Configuration → Clusters.
Click New Cluster and specify a name for the cluster.
If you are deploying the Sensor in the same cluster, accept the default values for all the fields.
Otherwise, if you are deploying into a different cluster, replace the address central.stackrox.svc:443
with a load balancer, node port, or other address (including the port number) that is accessible from the other cluster in which you are planning to install.
If you are using a non-gRPC capable load balancer, such as haproxy, AWS Application Load Balancer (ALB), or AWS Elastic Load Balancing (ELB) use the WebSocket Secure (
|
Click Next to continue.
Click Download YAML File and Keys.
You have downloaded the Sensor bundle.
If you are using the sensor.sh
script:
Unzip the Sensor bundle:
$ unzip -d sensor sensor-<cluster_name>.zip
Run the sensor.sh
script:
$ ./sensor/sensor.sh
The certificates are automatically applied when you run the sensor (./sensor/sensor.sh
) script.
You can also place additional custom certificates in the sensor/additional-cas/
directory before you run the sensor.sh
script.
If you are not using the sensor.sh
script:
Unzip the Sensor bundle:
$ unzip -d sensor sensor-<cluster_name>.zip
Run the following command to create the secret:
$ ./sensor/ca-setup-sensor.sh -d sensor/additional-cas/ (1)
1 | Use the -d option to specify a directory containing custom certificates. |
If you get the "secret already exists" error message, re-run the script with the
|
Continue Sensor deployment by using the YAML files.
You have downloaded the Sensor bundle.
Unzip the Sensor bundle:
$ unzip -d sensor sensor-<cluster_name>.zip
Run the following command to create the secret:
$ ./sensor/ca-setup-sensor.sh -d sensor/additional-cas/ (1)
1 | Use the -d option to specify a directory containing custom certificates. |
If you get the "secret already exists" error message, re-run the script with the
|
Continue Sensor deployment by using the YAML files.
If you added the certificates to an existing sensor, you must restart the Sensor container.
You can restart the Sensor container either by killing the container or by deleting the Sensor pod.
Run the following command to kill the Sensor container:
You must wait for at least 1 minute, until OpenShift Container Platform or Kubernetes propagates your changes and restarts the Sensor container. |
On OpenShift Container Platform:
$ oc -n stackrox deploy/sensor -c sensor -- kill 1
On Kubernetes:
$ kubectl -n stackrox deploy/sensor -c sensor -- kill 1
Or, run the following command to delete the Sensor pod:
On OpenShift Container Platform:
$ oc -n stackrox delete pod -lapp=sensor
On Kubernetes:
$ kubectl -n stackrox delete pod -lapp=sensor