author: Suren A. Chilingaryan <csa@suren.me> 2018-11-08 19:05:50 +0100
committer: Suren A. Chilingaryan <csa@suren.me> 2018-11-08 19:05:50 +0100
commit: 5d0ecffcf763c757470287b2fab55feabfcc0971 (patch)
tree: f30f8373047baddc84cde384f87942fb88f49887
parent: 2c3f1522274c09f7cfdb6309adc0719f05c188e9 (diff)
Documentation update
-rw-r--r-- docs/webservices.txt 39
1 files changed, 38 insertions, 1 deletions
diff --git a/docs/webservices.txt b/docs/webservices.txt
index 8fad471..f535d46 100644
--- a/docs/webservices.txt
+++ b/docs/webservices.txt
@@ -1,3 +1,5 @@
+Architecture
+============
- The users are not directly connected to the services running in OpenShift. There is always
load-balancing HAProxy sitting in between. There is several implications:
* The service will get request from HAProxy IP. I.e. IP-based authentication is not possible
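Review bot: the new "Architecture" heading is fine, but the paragraph it now introduces still carries two grammar slips in the unchanged context lines ("There is several implications" should read "There are several implications", and "will get request from HAProxy IP" should be "will get requests from the HAProxy IP"); since this hunk already touches the top of the file, it is a good moment to fix them. It would also help the reader if the bullet about IP-based authentication said whether the original client address is still visible to the service at all (for logging or rate limiting) and, if it is only carried in a header set by the router, that such a header must not be used as an authentication signal.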
@@ -13,4 +15,39 @@
in the route specification. With 'passthrough' the container is expected to handle certificates itself.
In the edge termination mode, the certificates are configured in the route and HAProxy manages secure
communication with clients and provides unencrypted data to the service in the cluster.
- \ No newline at end of file
+
+
+Updating/Generating certificates for the router
+===============================================
+ - Generating key & csr request
+ openssl genrsa -out kaas.key 4096
+ openssl req -new -key kaas.key -sha256 -nodes -out kaas.csr -config <(
+ cat <<-EOF
+ [ req ]
+ default_bits = 4096
+ req_extensions = req_ext
+ ...
+
+ [ dn ]
+ CN=kaas.kit.edu
+ ...
+
+ [ req_ext ]
+ subjectAltName = @alt_names
+
+ [ alt_names ]
+ DNS.1 = kaas.kit.edu
+ DNS.2 = *.kaas.kit.edu
+ EOF
+ )
+ - Installing
+ * Two files are needed.
+ 1) Secret Key
+ 2) PEM file containing both certificate and secret key. No CA certificate is needed (at least if our
+ certifcate is signed by known CA)
+ * New 'router-certs' secret should be created in 'default' namespace. Probably it is better to
+ modify existing secret than delete/create. However, the strings can't just be copied. Easiest way
+ is to create a new secret in temporary namespace:
+ oc -n test secrets new router-certs tls.crt=kaas.pem tls.key=kaas.key
+ and then copy 'tls.crt' and 'tls.key' values over.
+ * To reload secret, the 'router' pods should be deleted (and automatically re-created by rc).
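Review bot: the heredoc in the `openssl req` command uses `<<-EOF`, which strips leading tabs only; with the space indentation shown in this hunk the closing `EOF` is not recognised as the terminator and the shell keeps reading past it, so either place `EOF` at column 0 or indent the heredoc body and terminator with tabs. If `distinguished_name = dn` is among the `...` lines elided under `[ req ]`, keep it visible, because without it the `[ dn ]` section is ignored and the CN is never prompted for or applied. In the installation steps, the `router-certs` secret created in the temporary `test` namespace contains the private key and is never removed after its `tls.crt` and `tls.key` values are copied; add a final `oc -n test delete secret router-certs` step so the key does not linger in a second namespace. Minor: "certifcate" -> "certificate", and note that the `router` pods are recreated by their replication controller, so the deletion causes a short window with no router endpoints unless more than one replica is running.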