mirrors/node-feature-discovery
mirrors/node-feature-discovery
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/node-feature-discovery.git synced 2025-03-09 10:17:04 +00:00
Code Activity
node-feature-discovery/master/deployment/tls.html

81 lines
26 KiB
HTML
Raw Normal View History

Update documentation for master Auto-generated from v0.15.0-devel-155-g946bff22 by 'update-gh-pages.sh'
2023-12-01 14:18:02 +00:00
<!DOCTYPE html> <html lang="en" dir="auto"> <head><meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=5, user-scalable=no"> <meta name="description" content="Communication security with TLS Table of contents Automated TLS certificate management using cert-manager Manual TLS certificate management DEPRECA..."> <meta name="revised" content=""> <meta name="author" content="Kubernetes SIGs"> <meta name="generator" content="rundocs/jekyll-rtd-theme v2.0.10"><meta name="theme-color" content="#2980b9"> <title>TLS authentication · Node Feature Discovery</title> <meta name="twitter:title" content="TLS authentication · Node Feature Discovery"> <meta name="twitter:description" content="Communication security with TLS Table of contents Automated TLS certificate management using cert-manager Manual TLS certificate management DEPRECA..."> <meta name="twitter:card" content="summary"> <meta name="twitter:site" content="@Kubernetes SIGs"> <meta name="twitter:url" content="https://kubernetes-sigs.github.com/node-feature-discovery/master/deployment/tls.html"> <meta name="twitter:creator" content="@rundocs/jekyll-rtd-theme v2.0.10"> <meta property="og:title" content="TLS authentication · Node Feature Discovery"> <meta property="og:description" content="Communication security with TLS Table of contents Automated TLS certificate management using cert-manager Manual TLS certificate management DEPRECA..."> <meta property="og:locale" content="en"> <meta property="og:url" content="https://kubernetes-sigs.github.com/node-feature-discovery/master/deployment/tls.html"> <meta property="og:type" content="article"> <meta property="article:author" content="Kubernetes SIGs"> <meta property="article:published_time" content="2016-07-23T05:07:52+00:00"> <meta property="article:modified_time" content="2023-12-01T14:17:54+00:00"> <script type="application/ld+json"> { "@context": "https://schema.org", "@type": "Article", "mainEntityOfPage": { "@type": "WebPage", "@id": "https://kubernetes-sigs.github.com/node-feature-discovery/master/deployment/tls.html" }, "headline": "TLS authentication · Node Feature Discovery", "image": [], "author": { "@type": "Person", "name": "Kubernetes SIGs" }, "datePublished": "2016-07-23T05:07:52+00:00", "dateModified": "2023-12-01T14:17:54+00:00", "publisher": { "@type": "Organization", "name": "Kubernetes SIGs", "logo": { "@type": "ImageObject", "url": "https://avatars.githubusercontent.com/u/36015203?v=4" } }, "description": "Communication security with TLS Table of contents Automated TLS certificate management using cert-manager Manual TLS certificate management DEPRECA..." } </script> <link rel="dns-prefetch" href="https://cdn.jsdelivr.net"><link rel="prev" href="https://kubernetes-sigs.github.com/node-feature-discovery/master/deployment/operator.html"><link rel="next" href="https://kubernetes-sigs.github.com/node-feature-discovery/master/deployment/uninstallation.html"><link rel="canonical" href="https://kubernetes-sigs.github.com/node-feature-discovery/master/deployment/tls.html"><link rel="icon" type="image/svg+xml" href="/node-feature-discovery/master/assets/images/favicon.svg"><link rel="icon" type="image/png" href="/node-feature-discovery/master/assets/images/favicon-16x16.png" sizes="16x16"> <link rel="icon" type="image/png" href="/node-feature-discovery/master/assets/images/favicon-32x32.png" sizes="32x32"> <link rel="icon" type="image/png" href="/node-feature-discovery/master/assets/images/favicon-96x96.png" sizes="96x96"><link rel="mask-icon" href="/node-feature-discovery/master/assets/images/favicon.svg" color="#2980b9"><link rel="apple-touch-icon" href="/node-feature-discovery/master/assets/images/apple-touch-icon-300x300.jpg"> <link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/rundocs/jekyll-rtd-theme@2.0.10/assets/css/theme.min.css"><style>@media (min-width: 1280px){.content-wrap{max-width:1200px}}</style><script> window.ui = { title: "Node Feature Discovery", baseurl: "/node-feature-discovery/master", i18n: { search_results: "Search Results", search_
</code></pre> </div></div> <p>Alternatively, you can refer to cert-manager documentation for other installation methods such as the Helm chart they provide.</p> <p>To use the kustomize overlay to install node-feature-discovery with TLS enabled, you may use the following:</p> <div class="language-bash highlighter-rouge notranslate"><div class="highlight"><pre class="highlight"><code>kubectl apply <span class="nt">-k</span> deployment/overlays/samples/cert-manager
Update documentation for master Auto-generated from v0.13.0-devel-39-g2bbdbf1b by 'update-gh-pages.sh'
2023-01-17 08:38:12 +00:00
</code></pre> </div></div> <p>To make use of the helm chart, override <code class="language-plaintext highlighter-rouge notranslate">values.yaml</code> to enable both the <code class="language-plaintext highlighter-rouge notranslate">tls.enabled</code> and <code class="language-plaintext highlighter-rouge notranslate">tls.certManager</code> options. Note that if you do not enable <code class="language-plaintext highlighter-rouge notranslate">tls.certManager</code>, helm will successfully install the application, but deployment will wait until certificates are manually created, as demonstrated below.</p> <p>See the sample installation commands in the Helm <a href="/node-feature-discovery/master/deployment/helm.html#deployment">Deployment</a> and <a href="/node-feature-discovery/master/deployment/helm.html#configuration">Configuration</a> sections above for how to either override individual values, or provide a yaml file with which to override default values.</p> <h2 id="manual-tls-certificate-management">Manual TLS certificate management</h2> <p>If you do not with to make use of cert-manager, the certificates can be manually created and stored as secrets within the NFD namespace.</p> <p>Create a CA certificate</p> <div class="language-bash highlighter-rouge notranslate"><div class="highlight"><pre class="highlight"><code>openssl req <span class="nt">-x509</span> <span class="nt">-newkey</span> rsa:4096 <span class="nt">-keyout</span> ca.key <span class="nt">-nodes</span> <span class="se">\</span>
Update documentation for master Auto-generated from v0.12.0-devel-195-gc1c23507 by 'update-gh-pages.sh'
2022-11-03 08:44:00 +00:00
<span class="nt">-subj</span> <span class="s2">"/CN=nfd-ca"</span> <span class="nt">-days</span> 10000 <span class="nt">-out</span> ca.crt
</code></pre> </div></div> <p>Create a common openssl config file.</p> <div class="language-bash highlighter-rouge notranslate"><div class="highlight"><pre class="highlight"><code><span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> &gt; nfd-common.conf
[ req ]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = XX
ST = some-state
L = some-city
O = some-company
OU = node-feature-discovery
[ req_ext ]
subjectAltName = @alt_names
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
</span><span class="no">EOF
</span></code></pre> </div></div> <p>Now, create the nfd-master certificate.</p> <div class="language-bash highlighter-rouge notranslate"><div class="highlight"><pre class="highlight"><code><span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> &gt; nfd-master.conf
.include nfd-common.conf
[ dn ]
CN = nfd-master
[ alt_names ]
DNS.1 = nfd-master
DNS.2 = nfd-master.node-feature-discovery.svc.cluster.local
DNS.3 = localhost
</span><span class="no">EOF
</span>openssl req <span class="nt">-new</span> <span class="nt">-newkey</span> rsa:4096 <span class="nt">-keyout</span> nfd-master.key <span class="nt">-nodes</span> <span class="nt">-out</span> nfd-master.csr <span class="nt">-config</span> nfd-master.conf
</code></pre> </div></div> <p>Create certificates for nfd-worker and nfd-topology-updater</p> <div class="language-bash highlighter-rouge notranslate"><div class="highlight"><pre class="highlight"><code><span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> &gt; nfd-worker.conf
.include nfd-common.conf
[ dn ]
CN = nfd-worker
[ alt_names ]
DNS.1 = nfd-worker
DNS.2 = nfd-worker.node-feature-discovery.svc.cluster.local
</span><span class="no">EOF
</span><span class="c"># Config for topology updater is identical except for the DN and alt_names</span>
<span class="nb">sed</span> <span class="nt">-e</span> <span class="s1">'s/worker/topology-updater/g'</span> &lt; nfd-worker.conf <span class="o">&gt;</span> nfd-topology-updater.conf
openssl req <span class="nt">-new</span> <span class="nt">-newkey</span> rsa:4096 <span class="nt">-keyout</span> nfd-worker.key <span class="nt">-nodes</span> <span class="nt">-out</span> nfd-worker.csr <span class="nt">-config</span> nfd-worker.conf
openssl req <span class="nt">-new</span> <span class="nt">-newkey</span> rsa:4096 <span class="nt">-keyout</span> nfd-topology-updater.key <span class="nt">-nodes</span> <span class="nt">-out</span> nfd-topology-updater.csr <span class="nt">-config</span> nfd-topology-updater.conf
</code></pre> </div></div> <p>Now, sign the certificates with the CA created earlier.</p> <div class="language-bash highlighter-rouge notranslate"><div class="highlight"><pre class="highlight"><code><span class="k">for </span>cert <span class="k">in </span>nfd-master nfd-worker nfd-topology-updater<span class="p">;</span> <span class="k">do
</span><span class="nb">echo </span>signing <span class="nv">$cert</span>
openssl x509 <span class="nt">-req</span> <span class="nt">-in</span> <span class="nv">$cert</span>.csr <span class="nt">-CA</span> ca.crt <span class="nt">-CAkey</span> ca.key <span class="se">\</span>
<span class="nt">-CAcreateserial</span> <span class="nt">-out</span> <span class="nv">$cert</span>.crt <span class="nt">-days</span> 10000 <span class="se">\</span>
<span class="nt">-extensions</span> v3_ext <span class="nt">-extfile</span> <span class="nv">$cert</span>.conf
<span class="k">done</span>
</code></pre> </div></div> <p>Finally, turn these certificates into secrets.</p> <div class="language-bash highlighter-rouge notranslate"><div class="highlight"><pre class="highlight"><code><span class="k">for </span>cert <span class="k">in </span>nfd-master nfd-worker nfd-topology-updater<span class="p">;</span> <span class="k">do
</span><span class="nb">echo </span>creating secret <span class="k">for</span> <span class="nv">$cert</span> <span class="k">in </span>node-feature-discovery namespace
<span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> | kubectl create -n node-feature-discovery -f -
---
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
name: </span><span class="k">${</span><span class="nv">cert</span><span class="k">}</span><span class="sh">-cert
data:
ca.crt: </span><span class="si">$(</span> <span class="nb">cat </span>ca.crt | <span class="nb">base64</span> <span class="nt">-w</span> 0 <span class="si">)</span><span class="sh">
tls.crt: </span><span class="si">$(</span> <span class="nb">cat</span> <span class="nv">$cert</span>.crt | <span class="nb">base64</span> <span class="nt">-w</span> 0 <span class="si">)</span><span class="sh">
tls.key: </span><span class="si">$(</span> <span class="nb">cat</span> <span class="nv">$cert</span>.key | <span class="nb">base64</span> <span class="nt">-w</span> 0 <span class="si">)</span><span class="sh">
</span><span class="no">EOF
</span><span class="k">done</span>
Update documentation for master Auto-generated from v0.15.0-devel-155-g946bff22 by 'update-gh-pages.sh'
2023-12-01 14:18:02 +00:00
</code></pre> </div></div> </div> </div> <div class="navigation-bottom d-flex flex-justify-between py-3" role="navigation" aria-label="footer navigation"> <div class="prev"><a href="/node-feature-discovery/master/deployment/operator.html" class="btn" title="NFD Operator" accesskey="p" rel="prev"> <i class="fa fa-arrow-circle-left"></i> Previous </a></div> <div class="next"><a href="/node-feature-discovery/master/deployment/uninstallation.html" class="btn" title="Uninstallation" accesskey="n" rel="next"> Next <i class="fa fa-arrow-circle-right"></i> </a></div> </div><hr> <div class="copyright text-center text-gray" role="contentinfo"> <i class="fa fa-copyright"></i> <span class="time">2016-2023,</span> <a class="text-gray" href="https://github.com/kubernetes-sigs" rel="noreferrer" target="_blank">Kubernetes SIGs</a> Revision <a class="text-gray" href="https://github.com/kubernetes-sigs/node-feature-discovery/commit/" title="" rel="noreferrer" target="_blank"></a> <br> <div class="generator"> Built with <a href="https://pages.github.com" rel="noreferrer" target="_blank" title="github-pages v228">GitHub Pages</a> using a <a href="https://github.com/rundocs/jekyll-rtd-theme" rel="noreferrer" target="_blank" title="rundocs/jekyll-rtd-theme v2.0.10">theme</a> provided by <a href="https://rundocs.io" rel="noreferrer" target="_blank">RunDocs</a>. </div> </div> </div> </div> <div class="addons-wrap d-flex flex-column overflow-y-auto"> <div class="status d-flex flex-justify-between p-2"> <div class="title p-1"> <i class="fa fa-book"></i> Node Feature Discovery </div> <div class="branch p-1"> <span class="name"> master </span> <i class="fa fa-caret-down"></i> </div> </div> <div class="addons d-flex flex-column height-full p-2 d-none"> <dl id="versions"> <dt>Versions</dt> <script src="/node-feature-discovery/versions.js"></script> <script> var dt = document.getElementById('versions'); var items = getVersionListItems(); for (var i=0; i < items.length; i++) { var dd = document.createElement('dd'); var a = dd.appendChild(document.createElement('a')); a.appendChild(document.createTextNode(items[i].name)); a.href = items[i].url; dt.appendChild(dd); } </script> </dl> <dl> <dt>GitHub</dt> <dd> <a href="https://github.com/kubernetes-sigs/node-feature-discovery" title="Stars: 635"> <i class="fa fa-github"></i> Homepage </a> </dd> <dd> <a href="https://github.com/kubernetes-sigs/node-feature-discovery/issues" title="Open issues: 25"> <i class="fa fa-question-circle-o"></i> Issues </a> </dd> <dd> <a href="https://github.com/kubernetes-sigs/node-feature-discovery/zipball/gh-pages" title="Size: 96374 Kb"> <i class="fa fa-download"></i> Download </a> </dd> </dl> <hr> <div class="license f6 pb-2"> This <a href="/node-feature-discovery/master/" title="Node Feature Discovery">Software</a> is under the terms of <a href="https://github.com/kubernetes-sigs/node-feature-discovery">Apache License 2.0</a>. </div> </div> </div> <script src="https://cdn.jsdelivr.net/gh/rundocs/jekyll-rtd-theme@2.0.10/assets/js/jquery.min.js"></script><script src="https://cdn.jsdelivr.net/gh/rundocs/jekyll-rtd-theme@2.0.10/assets/js/theme.min.js"></script> </body> </html>
Copy permalink