Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix documentation about install and renew your own CA certificates #6240

Merged
merged 15 commits into from
Jan 27, 2022
2 changes: 2 additions & 0 deletions documentation/assemblies/security/assembly-security.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,8 @@ include::modules/proc-replacing-private-keys.adoc[leveloffset=+2]

include::modules/proc-renewing-your-own-ca-certificates.adoc[leveloffset=+2]

include::modules/proc-replacing-your-own-private-keys.adoc[leveloffset=+2]

include::modules/con-tls-connections.adoc[leveloffset=+1]

include::modules/proc-configuring-internal-clients-to-trust-cluster-ca.adoc[leveloffset=+1]
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,24 @@ kubectl label secret _CA-KEY-SECRET_ strimzi.io/kind=Kafka strimzi.io/cluster=_C
* Label `strimzi.io/kind=Kafka` identifies the Kafka custom resource.
* Label `strimzi.io/cluster=_CLUSTER-NAME_` identifies the Kafka cluster.

. Annotate the secrets
+
[source,shell,subs="+quotes"]
----
kubectl annotate secret _CA-CERTIFICATE-SECRET_ strimzi.io/ca-cert-generation=_CA-CERTIFICATE-GENERATION_
----
+
[source,shell,subs="+quotes"]
----
kubectl annotate secret _CA-KEY-SECRET_ strimzi.io/ca-key-generation=_CA-KEY-GENERATION_
----
+
* Annotation `strimzi.io/ca-cert-generation=_CA-CERTIFICATE-GENERATION_` defines the generation of a new CA certificate.
* Annotation `strimzi.io/ca-key-generation=_CA-KEY-GENERATION_` defines the generation of a new CA key.
+
If you are replacing CA certificates automatically generated by the Cluster Operator, use the next higher incremental value from the existing annotation and follow the xref:proc-replacing-your-own-private-keys-{context}[replacing CA keys procedure].
If there are no CA certificates automatically generated by the Cluster Operator, start from 0 (zero) as the incremental value (`strimzi.io/ca-cert-generation=0`) for your own CA certificate. Set a higher incremental value when you renew the certificates.

. Create the `Kafka` resource for your cluster, configuring either the `Kafka.spec.clusterCa` or the `Kafka.spec.clientsCa` object to _not_ use generated CAs.
+
.Example fragment `Kafka` resource configuring the cluster CA to use certificates you supply for yourself
Expand All @@ -139,4 +157,5 @@ spec:
.Additional resources

* To renew CA certificates you have previously installed, see xref:renewing-your-own-ca-certificates-{context}[].
* To replace the private keys of CA certificates you have previously installed, see xref:proc-replacing-your-own-private-keys-{context}[].
* xref:proc-installing-certs-per-listener-{context}[].
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,11 @@
[id='renewing-your-own-ca-certificates-{context}']
= Renewing your own CA certificates

This procedure describes how to renew CA certificates and keys you installed yourself, instead of using the certificates generated by the Cluster Operator.
[role="_abstract"]
This procedure describes how to renew CA certificates that you are using instead of the certificates generated by the Cluster Operator.

*Perform the steps in this procedure when you are not also changing the corresponding CA keys.
Otherwise, perform the steps to xref:proc-replacing-your-own-private-keys-{context}[replace private keys used by your own CA certificates].*

If you are using your own certificates, the Cluster Operator will not renew them automatically.
Therefore, it is important that you follow this procedure during the renewal period of the certificate in order to replace CA certificates that will soon expire.
Expand All @@ -16,92 +20,83 @@ The procedure describes the renewal of CA certificates in PEM format.

* The Cluster Operator is running.
* xref:installing-your-own-ca-certificates-{context}[Your own CA certificates and private keys are installed].
* You have new cluster and clients X.509 certificates and keys in PEM format.

These could be generated using an `openssl` command, such as:

[source,shell,subs="+quotes"]
openssl req -x509 -new -days _NUMBER-OF-DAYS-VALID_ --nodes -out ca.crt -keyout ca.key
* You have new cluster or client X.509 certificates in PEM format.
ppatierno marked this conversation as resolved.
Show resolved Hide resolved

.Procedure

. Check the details of the current CA certificates in the `Secret`:
+
[source,shell,subs="+quotes"]
kubectl describe secret _CA-CERTIFICATE-SECRET_
+
_CA-CERTIFICATE-SECRET_ is the name of the `Secret`, which is `_KAFKA-CLUSTER-NAME_-cluster-ca-cert` for the cluster CA certificate and `_KAFKA-CLUSTER-NAME_-clients-ca-cert` for the clients CA certificate.

. Create a directory to contain the existing CA certificates in the secret.
. Update the `Secret` for the CA certificate.
+
[source,shell,subs="+quotes"]
----
mkdir new-ca-cert-secret
cd new-ca-cert-secret
----

. Fetch the secret for each CA certificate you wish to renew:
Edit the existing secret to add the new CA certificate and update the certificate generation annotation value.
+
[source,shell,subs="+quotes"]
kubectl get secret _CA-CERTIFICATE-SECRET_ -o 'jsonpath={.data._CA-CERTIFICATE_}' | base64 -d > _CA-CERTIFICATE_
kubectl edit secret _<ca_certificate_secret_name>_
+
Replace _CA-CERTIFICATE_ with the name of each CA certificate.

. Rename the old `ca.crt` file as `ca-__DATE__.crt`,
where _DATE_ is the certificate expiry date in the format _YEAR-MONTH-DAYTHOUR-MINUTE-SECONDZ_.
_<ca_certificate_secret_name>_ is the name of the `Secret`, which is `_<kafka_cluster_name>_-cluster-ca-cert` for the cluster CA certificate and `_<kafka_cluster_name>_-clients-ca-cert` for the clients CA certificate.
+
For example `ca-2018-09-27T17-32-00Z.crt`.
The following example shows a secret for a cluster CA certificate that's associated with a Kafka cluster named `my-cluster`.
+
[source,shell,subs="+quotes"]
mv ca.crt ca-$(date -u -d"$(openssl x509 -enddate -noout -in ca.crt | sed 's/.*=//')" +'%Y-%m-%dT%H-%M-%SZ').crt
.Example secret configuration for a cluster CA certificate
[source,yaml,subs=attributes+]
----
apiVersion: v1
kind: Secret
data:
ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0F... <1>
metadata:
annotations:
strimzi.io/ca-cert-generation: "0" <2>
labels:
strimzi.io/cluster: my-cluster
strimzi.io/kind: Kafka
name: my-cluster-cluster-ca-cert
#...
type: Opaque
----
<1> Current base64-encoded CA certificate
<2> Current CA certificate generation annotation value

. Copy your new CA certificate into the directory, naming it `ca.crt`:
. Encode your new CA certificate into base64.
+
[source,shell,subs="+quotes"]
cp _PATH-TO-NEW-CERTIFICATE_ ca.crt
cat _<path_to_new_certificate>_ | base64

. Put your CA certificate in the corresponding `Secret`.
. Update the CA certificate.
+
.. Delete the existing secret:
Copy the base64-encoded CA certificate from the previous step as the value for the `ca.crt` property under `data`.
+
[source,shell,subs="+quotes"]
kubectl delete secret _CA-CERTIFICATE-SECRET_
+
_CA-CERTIFICATE-SECRET_ is the name of the `Secret`, as returned in the first step.
. Increase the value of the CA certificate generation annotation.
+
Ignore any "Not Exists" errors.

.. Recreate the secret:
Update the `strimzi.io/ca-cert-generation` annotation with a higher incremental value.
For example, change `strimzi.io/ca-cert-generation=0` to `strimzi.io/ca-cert-generation=1`.
If the `Secret` is missing the annotation, the value is treated as `0`, so change the value to `1`.
ppatierno marked this conversation as resolved.
Show resolved Hide resolved
+
[source,shell,subs="+quotes"]
kubectl create secret generic _CA-CERTIFICATE-SECRET_ --from-file=.
When Strimzi generates certificates, the certificate generation annotation is automatically incremented by the Cluster Operator.
For manual renewal of your own CA certificates, set the annotations with a higher incremental value.
The annotation needs a higher value than the one from the current secret so that the Cluster Operator can roll the pods and update the certificates.
The `strimzi.io/ca-cert-generation` has to be incremented on each CA certificate renewal.

. Delete the directory you created:
. Save the secret with the new CA certificate and certificate generation annotation value.
+
[source,shell,subs="+quotes"]
.Example secret configuration updated with a new CA certificate
[source,yaml,subs=attributes+]
----
cd ..
rm -r new-ca-cert-secret
apiVersion: v1
kind: Secret
data:
ca.crt: GCa6LS3RTHeKFiFDGBOUDYFAZ0F... <1>
metadata:
annotations:
strimzi.io/ca-cert-generation: "1" <2>
labels:
strimzi.io/cluster: my-cluster
strimzi.io/kind: Kafka
name: my-cluster-cluster-ca-cert
#...
type: Opaque
----
<1> New base64-encoded CA certificate
<2> New CA certificate generation annotation value

. Put your CA key in the corresponding `Secret`.

.. Delete the existing secret:
+
[source,shell,subs="+quotes"]
kubectl delete secret _CA-KEY-SECRET_
+
_CA-KEY-SECRET_ is the name of CA key, which is `_KAFKA-CLUSTER-NAME_-cluster-ca` for the cluster CA key and `_KAFKA-CLUSTER-NAME_-clients-ca` for the clients CA key.

.. Recreate the secret with the new CA key:
+
[source,shell,subs="+quotes"]
kubectl create secret generic _CA-KEY-SECRET_ --from-file=ca.key=_CA-KEY-SECRET-FILENAME_
On the next reconciliation, the Cluster Operator performs a rolling update of ZooKeeper, Kafka, and other components to trust the new CA certificate.

. Label the secrets with the labels `strimzi.io/kind=Kafka` and `strimzi.io/cluster=_KAFKA-CLUSTER-NAME_`:
+
[source,shell,subs="+quotes"]
----
kubectl label secret _CA-CERTIFICATE-SECRET_ strimzi.io/kind=Kafka strimzi.io/cluster=_KAFKA-CLUSTER-NAME_
kubectl label secret _CA-KEY-SECRET_ strimzi.io/kind=Kafka strimzi.io/cluster=_KAFKA-CLUSTER-NAME_
----
If maintenance time windows are configured, the Cluster Operator will roll the pods at the first reconciliation within the next maintenance time window.
Loading