44 changes: 44 additions & 0 deletions docs/user/azure/install_upi_azurestack.md
Expand Up @@ -47,6 +47,11 @@ We'll be providing the compute machines ourselves, so we set compute replicas to

Azure Stack is not supported by the interactive wizard, but you can use public Azure credentials to create an install config with [the usual approach](install.md#create-configuration) and then edit according to the example above.

### Additional Trust Bundle for Internal Certificate Authorities (Optional)

If your Azure Stack environment uses an internal CA, add the necessary certificate bundle in .pem format to the [`additionalTrustBundle`](../customization.md#additional-trust-bundle). You will also need to [update the cluster proxy
manifest][proxy-ca] and [add the CA to the ignition shim][ign-ca] in later steps.

## Credentials

Both Azure and Azure Stack credentials are stored by the installer at `~/.azure/osServicePrincipal.json`. The installer will request the required information if no credentials are found.
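Review bot: the new `additionalTrustBundle` paragraph says to add "the necessary certificate bundle" but never says which certificates are necessary. Since the later shim step exists so the bootstrap VM can pull `bootstrap.ign` from the storage account, say it here: the bundle must contain the CA (and any intermediates) that issued the certificates on your Azure Stack ARM and storage endpoints, in PEM format. Something like "add the PEM-encoded CA chain that signs your Azure Stack endpoints to `additionalTrustBundle`" would remove the guesswork.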
Expand Down Expand Up @@ -224,6 +229,24 @@ stringData:
azure_region: <$REGION>
```

### Set Cluster to use the Internal Certificate Authority (Optional)

If your Azure Stack environment uses an internal CA, update `.spec.trustedCA.name` to use `user-ca-bundle` in `./manifests/cluster-proxy-01-config.yaml`:

```shell
$ cat manifests/cluster-proxy-01-config.yaml
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
creationTimestamp: null
name: cluster
spec:
trustedCA:
name: user-ca-bundle
status: {}
```

You will also need to update the ignition shim to include the CA.
## Create ignition configs

Now we can create the bootstrap ignition configs:
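Review bot: there is no blank line between "You will also need to update the ignition shim to include the CA." and the `## Create ignition configs` heading; add one, otherwise some renderers fold the heading into the preceding paragraph. Also, the `shell` fence shows a `cat` of the already-edited file rather than the edit itself; a one-line instruction ("edit the generated `manifests/cluster-proxy-01-config.yaml` so that `spec.trustedCA.name` is `user-ca-bundle`") followed by the expected `yaml` would make clear that this assumes the manifests directory has already been created.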
Expand Down Expand Up @@ -389,9 +412,28 @@ Copy the [`04_bootstrap.json`](../../../upi/azurestack/04_bootstrap.json) ARM te

Create the deployment using the `az` client:

### Create the Bootstrap Ignition Shim

If your Azure Stack environment uses a public certificate authority, you can create the ignition shim like this:

```sh
export BOOTSTRAP_URL=$(az storage blob url --account-name "${INFRA_ID}sa" --account-key "$ACCOUNT_KEY" -c "files" -n "bootstrap.ign" -o tsv)
export BOOTSTRAP_IGNITION=$(jq -rcnM --arg v "3.2.0" --arg url "$BOOTSTRAP_URL" '{ignition:{version:$v,config:{replace:{source:$url}}}}' | base64 | tr -d '\n')
```

### Create the Bootstrap Ignition Shim with an Internal Certificate Authority (Optional)

@patrickdillon Is this step specific to a UPI install? Given that users will not have to create ignition config files for the cluster, I wanted to verify creating the bootstrap ignition shim is not required for IPI.

Contributor Author:

This is indeed specific for UPI. For IPI, we do this in the installer's code.

@nastacio (Jan 24, 2022):

@patrickdillon The ignition spec says the tls.certificateAuthorities[].source element is a URL. I trust that the example below works, but wondering if there is a chance this is not supported.

source (string): the URL of the contents to append. Supported schemes are http, https, tftp, s3, gs, and data. When using http, it is advisable to use the verification option to ensure the contents haven’t been modified.

Contributor Author:

It is valid and supported. The example uses a data url: https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs


If your Azure Stack environments uses an internal CA, you will need to add the PEM encoded bundle to the bootstrap ignition
shim so that your bootstrap VM will be able to pull the bootstrap ignition from the storage account. Assuming your CA
is in a file called `CA.pem` you can add the bundle to the shim like this:

```sh
export CA="data:text/plain;charset=utf-8;base64,$(cat CA.pem |base64 |tr -d '\n')"
export BOOTSTRAP_URL=$(az storage blob url --account-name "${INFRA_ID}sa" --account-key "$ACCOUNT_KEY" -c "files" -n "bootstrap.ign" -o tsv)
export BOOTSTRAP_IGNITION=$(jq -rcnM --arg v "3.2.0" --arg url "$BOOTSTRAP_URL" --arg cert "$CA" '{ignition:{version:$v,security:{tls:{certificateAuthorities:[{source:$cert}]}},config:{replace:{source:$url}}}}' | base64 | tr -d '\n')
```

### Deploy the Bootstrap VM

az deployment group create --verbose -g "$RESOURCE_GROUP" \
--template-file "04_bootstrap.json" \
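Review bot: "Create the deployment using the `az` client:" is now orphaned: the new `### Create the Bootstrap Ignition Shim` heading is inserted directly after it, so the sentence introduces nothing, while the `az deployment group create` command it describes now sits under `### Deploy the Bootstrap VM`. Move that sentence below the Deploy heading so it again precedes the command. Two smaller points: "If your Azure Stack environments uses" should read "environment uses", and `$(cat CA.pem |base64 |tr -d '\n')` can drop the `cat` (`$(base64 < CA.pem | tr -d '\n')`). Finally, since both shim variants point `config.replace.source` at the blob URL with no `verification` block, it is worth one sentence stating that the internal-CA variant is what lets the bootstrap VM verify the storage account's TLS certificate at all; without it the fetch of `bootstrap.ign` fails certificate validation, which is the failure readers will hit if they skip this optional step.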
Expand Down Expand Up @@ -607,3 +649,5 @@ INFO Login to the console with user: kubeadmin, password: REDACTED
[kubernetes-service-load-balancers-exclude-masters]: https://github.com/kubernetes/kubernetes/issues/65618
[manual-credentials]: https://docs.openshift.com/container-platform/4.8/installing/installing_azure/manually-creating-iam-azure.html
[azure-vhd-utils]: https://github.com/microsoft/azure-vhd-utils
[proxy-ca]: #set-cluster-to-use-the-internal-certificate-authority-optional
[ign-ca]: #create-the-bootstrap-ignition-shim-with-an-internal-certificate-authority-optional