| Field | Value | Date |
|---|---|---|
| author | Suren A. Chilingaryan <csa@suren.me> | 2018-11-08 19:05:50 +0100 |
| committer | Suren A. Chilingaryan <csa@suren.me> | 2018-11-08 19:05:50 +0100 |
| commit | 5d0ecffcf763c757470287b2fab55feabfcc0971 (patch) | |
| tree | f30f8373047baddc84cde384f87942fb88f49887 | |
| parent | 2c3f1522274c09f7cfdb6309adc0719f05c188e9 (diff) | |
Documentation update
-rw-r--r-- | docs/webservices.txt | 39 |
1 files changed, 38 insertions, 1 deletions
diff --git a/docs/webservices.txt b/docs/webservices.txt index 8fad471..f535d46 100644 --- a/docs/webservices.txt +++ b/docs/webservices.txt @@ -1,3 +1,5 @@ +Architecture +============ - The users are not directly connected to the services running in OpenShift. There is always load-balancing HAProxy sitting in between. There is several implications: * The service will get request from HAProxy IP. I.e. IP-based authentication is not possible @@ -13,4 +15,39 @@ in the route specification. With 'passthrough' the container is expected to handle certificates itself. In the edge termination mode, the certificates are configured in the route and HAProxy manages secure communication with clients and provides unencrypted data to the service in the cluster. -
\ No newline at end of file + + +Updating/Generating certificates for the router +=============================================== + - Generating key & csr request + openssl genrsa -out kaas.key 4096 + openssl req -new -key kaas.key -sha256 -nodes -out kaas.csr -config <( + cat <<-EOF + [ req ] + default_bits = 4096 + req_extensions = req_ext + ... + + [ dn ] + CN=kaas.kit.edu + ... + + [ req_ext ] + subjectAltName = @alt_names + + [ alt_names ] + DNS.1 = kaas.kit.edu + DNS.2 = *.kaas.kit.edu + EOF + ) + - Installing + * Two files are needed. + 1) Secret Key + 2) PEM file containing both certificate and secret key. No CA certificate is needed (at least if our + certifcate is signed by known CA) + * New 'router-certs' secret should be created in 'default' namespace. Probably it is better to + modify existing secret than delete/create. However, the strings can't just be copied. Easiest way + is to create a new secret in temporary namespace: + oc -n test secrets new router-certs tls.crt=kaas.pem tls.key=kaas.key + and then copy 'tls.crt' and 'tls.key' values over. + * To reload secret, the 'router' pods should be deleted (and automatically re-created by rc). |
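Review bot: In the first hunk (`@@ -1,3 +1,5 @@`), the new "Architecture" heading is placed above the existing bullet "IP-based authentication is not possible", but the section still does not tell a service author what to use instead; since the same paragraph says every request arrives from the HAProxy address, please add a sentence stating whether the router forwards the original client address in a request header and, if so, that such a header is only trustworthy when the service is reachable exclusively through the router. Minor grammar in the context line: "There is several implications" should read "There are several implications".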
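Review bot: In the second hunk (`@@ -13,4 +15,39 @@`), the "Installing" steps create a `router-certs` secret in a temporary namespace (`oc -n test secrets new router-certs tls.crt=kaas.pem tls.key=kaas.key`) and copy the `tls.crt`/`tls.key` values into the `default` namespace, but never say to delete the temporary secret afterwards; as written, a copy of the router's private key stays readable by anyone with secret access in the `test` namespace, so add a cleanup step right after "copy 'tls.crt' and 'tls.key' values over". Two smaller points: the last bullet tells the reader to delete the `router` pods to reload the secret, and should say to delete them one at a time so at least one router keeps serving routes during the reload; and "certifcate is signed by known CA" has a typo ("certificate") and the sentence "Easiest way is to create a new secret" is missing its article ("The easiest way").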