The software described in this documentation is either no longer supported or is in extended support.
Oracle recommends that you upgrade to a current supported release.
You do not need to perform the steps in this section if you are using Oracle Linux Cloud Native Environment Release 1.1.8 or lower. The setup steps in this section are for Release 1.1.10 or later.
When you deploy Kubernetes, a service is deployed to the cluster that controls access to externalIPs in Kubernetes services. The service is named externalip-validation-webhook-service and runs in the externalip-validation-system namespace.
This Kubernetes service requires that X.509 certificates be set up prior to deploying Kubernetes. You can use Vault to generate the certificates, or use your own certificates for this purpose. You can also generate certificates using the gen-certs-helper.sh script. The certificates must be available on the operator node. The examples in this book use the /etc/olcne/configs/certificates/restrict_external_ip/production/ directory for these certificates.
You can use Vault to generate certificates for the externalIPs Kubernetes service. The Vault instance must be configured in the same way as described in Section 3.5.1, “Setting up Vault Authentication”.
You need to generate certificates for two node names:
    externalip-validation-webhook-service.externalip-validation-system.svc
    externalip-validation-webhook-service.externalip-validation-system.svc.cluster.local
The certificate information should be generated in PEM format. For example:
    vault write olcne_pki_intermediary/issue/olcne \
        alt_names=externalip-validation-webhook-service.externalip-validation-system.svc,externalip-validation-webhook-service.externalip-validation-system.svc.cluster.local \
        format=pem_bundle
The output is displayed. Look for the section that starts with certificate. This section contains the certificates for the node names (set with the alt_names option). Save the output in this section to a file named node.cert. The file should look something like:
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpQIBAAKCAQEAymg8uHy+mpwlelCyC4WrnfLwUmJ5vZmSos85QnIlZvyycUPK
    ...
    X3c8LNaJDfQx1wKfTc/c0czBhHYxgwfau0G6wjqScZesPi2xY0xyslE=
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIID2TCCAsGgAwIBAgIUZ/M/D7bAjhyGx7DivsjBb9oeLhAwDQYJKoZIhvcNAQEL
    ...
    9bRwnen+JrxUn4GV59GtsTiqzY6R2OKPm+zLl8E=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDnDCCAoSgAwIBAgIUMapl4aWnBXE/02qTW0zOZ9aQVGgwDQYJKoZIhvcNAQEL
    ...
    kV8w2xVXXAehp7cg0BakVA==
    -----END CERTIFICATE-----
Look for the section that starts with issuing_ca. This section contains the CA certificate. Save the output in this section to a file named ca.cert. The file should look something like:
    -----BEGIN CERTIFICATE-----
    MIIDnDCCAoSgAwIBAgIUMapl4aWnBXE/02qTW0zOZ9aQVGgwDQYJKoZIhvcNAQEL
    ...
    kV8w2xVXXAehp7cg0BakVA==
    -----END CERTIFICATE-----
Look for the section that starts with private_key. This section contains the private key for the node certificates. Save the output in this section to a file named node.key. The file should look something like:
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpQIBAAKCAQEAymg8uHy+mpwlelCyC4WrnfLwUmJ5vZmSos85QnIlZvyycUPK
    ...
    X3c8LNaJDfQx1wKfTc/c0czBhHYxgwfau0G6wjqScZesPi2xY0xyslE=
    -----END RSA PRIVATE KEY-----
Copy the three files (node.cert, ca.cert and node.key) to the operator node and set the ownership of the files as described in Section 3.6.2, “Setting up CA Certificates”.
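As an added example that is not part of the Oracle documentation, the following Python script performs the copy-and-paste steps above without manual editing. It assumes the same vault write command was run with the -format=json option, so that the certificate, issuing_ca and private_key fields can be read as JSON; it checks that the three fields belong to the same bundle (the key and CA embedded in node.cert must be the ones returned separately) and writes node.cert, ca.cert and node.key with restrictive permissions. The sample JSON is constructed here with placeholder PEM bodies.

```python
import json
import os
import re
from pathlib import Path

# One PEM block, capturing its type ("RSA PRIVATE KEY" or "CERTIFICATE").
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return [(type, block), ...] for every PEM block in text, in order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def bundle_problems(vault_json):
    """Cross-check certificate, issuing_ca and private_key; an empty list means they agree."""
    data = json.loads(vault_json)["data"]
    blocks = pem_blocks(data["certificate"])
    layout = [kind for kind, _ in blocks]
    # With format=pem_bundle the documented layout is: private key, node cert, issuing CA.
    if layout != ["RSA PRIVATE KEY", "CERTIFICATE", "CERTIFICATE"]:
        return [f"unexpected pem_bundle layout: {layout}"]
    problems = []
    if blocks[0][1] != data["private_key"].strip():
        problems.append("private_key does not match the key embedded in the bundle")
    if blocks[2][1] != data["issuing_ca"].strip():
        problems.append("issuing_ca does not match the last certificate in the bundle")
    return problems

def write_cert_files(vault_json, directory):
    """Write node.cert, ca.cert and node.key as the documentation asks, after the checks."""
    problems = bundle_problems(vault_json)
    if problems:
        raise ValueError("; ".join(problems))
    data = json.loads(vault_json)["data"]
    out = Path(directory)
    out.mkdir(parents=True, exist_ok=True)
    for name, field in (("node.cert", "certificate"), ("ca.cert", "issuing_ca"), ("node.key", "private_key")):
        path = out / name
        path.write_text(data[field].strip() + "\n")
        # node.cert embeds the private key, so only ca.cert may be world-readable.
        os.chmod(path, 0o644 if name == "ca.cert" else 0o600)
    return sorted(p.name for p in out.iterdir())

# Constructed sample in the shape of Vault's JSON output; the base64 bodies are placeholders.
KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholderKEY\n-----END RSA PRIVATE KEY-----"
LEAF = "-----BEGIN CERTIFICATE-----\nMIID2placeholderNODECERT\n-----END CERTIFICATE-----"
CA = "-----BEGIN CERTIFICATE-----\nMIIDnplaceholderCA\n-----END CERTIFICATE-----"
SAMPLE_VAULT_JSON = json.dumps({"data": {"certificate": "\n".join([KEY, LEAF, CA]),
                                          "issuing_ca": CA, "private_key": KEY}})
# Same shape, but the key inside the bundle no longer matches the private_key field.
BAD_VAULT_JSON = SAMPLE_VAULT_JSON.replace("placeholderKEY", "otherKEY", 1)
```

Run as `write_cert_files(open("vault.json").read(), "/etc/olcne/configs/certificates/restrict_external_ip/production")` on the operator node, then set ownership as described in Section 3.6.2.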