Pre-provisioned FIPS Create Secrets and Overrides
Create necessary secrets and overrides for pre-provisioned clusters
Most applications deployed through Kubernetes need access to databases, services, and other resources that live outside the cluster. The easiest way to manage the login information for those resources is with secrets, which organize and distribute sensitive data across a cluster while minimizing the risk of exposing it.
DKP requires SSH access to your infrastructure with superuser privileges, and you must provide it with an unencrypted SSH private key; storing that key in a secret is a good way to do so. Populate the key and create the required secret on your bootstrap cluster using the following procedure.
Create a unique cluster name
Give your cluster a unique name suitable for your environment.
Set the environment variable to be used throughout this procedure:
export CLUSTER_NAME=preprovisioned-example
(Optional) To generate a unique cluster name, use this command instead. It produces a different name every time you run it, so use it carefully.
export CLUSTER_NAME=preprovisioned-example-$(LC_CTYPE=C tr -dc 'a-z0-9' </dev/urandom | fold -w 5 | head -n1)
echo $CLUSTER_NAME
preprovisioned-example-pf4a3
Create a secret
Create a secret that contains the SSH key with these commands:
export SSH_PRIVATE_KEY_FILE="<path-to-ssh-private-key>"
export SSH_PRIVATE_KEY_SECRET_NAME=$CLUSTER_NAME-ssh-key
kubectl create secret generic ${SSH_PRIVATE_KEY_SECRET_NAME} --from-file=ssh-privatekey=${SSH_PRIVATE_KEY_FILE}
kubectl label secret ${SSH_PRIVATE_KEY_SECRET_NAME} clusterctl.cluster.x-k8s.io/move=
secret/preprovisioned-example-ssh-key created
secret/preprovisioned-example-ssh-key labeled
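A pre-flight check for the step above, added here as an example and not code from DKP or Konvoy Image Builder: it reads the OpenSSH private-key header to confirm the key has no passphrase (the requirement stated above), then builds the same Secret manifest the two kubectl commands produce, including the clusterctl.cluster.x-k8s.io/move label that tells clusterctl move to carry the secret to the new cluster. The sample keys are constructed header-only stubs, not usable keys, and the function names are my own.

```python
import base64
import json
import re
import struct
from typing import Optional

# Label that makes `clusterctl move` carry the secret from the bootstrap cluster
# to the new cluster (the same label the page's `kubectl label` command sets).
MOVE_LABEL = "clusterctl.cluster.x-k8s.io/move"

_OPENSSH_RE = re.compile(
    r"-----BEGIN OPENSSH PRIVATE KEY-----(.*?)-----END OPENSSH PRIVATE KEY-----", re.S
)


def openssh_cipher_name(key_text: str) -> Optional[str]:
    """Cipher name recorded in an OpenSSH-format private key ("none" when the
    key has no passphrase), or None when the text is not in that format."""
    m = _OPENSSH_RE.search(key_text)
    if not m:
        return None
    blob = base64.b64decode("".join(m.group(1).split()))
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("not an openssh-key-v1 blob")
    pos = len(magic)
    # The first field after the magic is the SSH string `ciphername`.
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + length].decode("ascii")


def key_is_unencrypted(key_text: str) -> bool:
    """True only when the key needs no passphrase. Handles legacy PEM
    (Proc-Type header), PKCS#8 (ENCRYPTED PRIVATE KEY) and OpenSSH formats."""
    if "Proc-Type: 4,ENCRYPTED" in key_text or "BEGIN ENCRYPTED PRIVATE KEY" in key_text:
        return False
    cipher = openssh_cipher_name(key_text)
    if cipher is not None:
        return cipher == "none"
    return "PRIVATE KEY-----" in key_text  # plain PEM with no encryption header


def ssh_key_secret(cluster_name: str, key_text: str) -> dict:
    """Manifest equivalent to `kubectl create secret generic <name>-ssh-key
    --from-file=ssh-privatekey=<file>` plus the move label; refuses
    passphrase-protected keys instead of storing something DKP cannot use."""
    if not key_is_unencrypted(key_text):
        raise ValueError("DKP needs an unencrypted SSH private key; remove the passphrase first")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": f"{cluster_name}-ssh-key", "labels": {MOVE_LABEL: ""}},
        "type": "Opaque",
        "data": {"ssh-privatekey": base64.b64encode(key_text.encode()).decode()},
    }


def secret_value(manifest: dict, key: str) -> str:
    """Decode one entry of a Secret's data map (Secret data is base64, not encrypted)."""
    return base64.b64decode(manifest["data"][key]).decode()


def _stub_openssh_key(cipher: str) -> str:
    """Constructed header-only OpenSSH key for demonstration; not a usable key."""
    blob = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode() + b"\x00" * 8
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_PLAIN_KEY = _stub_openssh_key("none")            # no passphrase
SAMPLE_ENCRYPTED_KEY = _stub_openssh_key("aes256-ctr")  # passphrase-protected

if __name__ == "__main__":
    # Review the manifest, then `kubectl apply -f` the JSON on the bootstrap cluster.
    print(json.dumps(ssh_key_secret("preprovisioned-example", SAMPLE_PLAIN_KEY), indent=2))
```

Running the file prints the manifest as JSON, which kubectl apply accepts directly; the same output can be compared against `kubectl create secret generic ... --dry-run=client -o yaml` to confirm nothing unexpected lands in etcd. Keep in mind that the data field is only base64-encoded, so anyone with read access to the secret has the key.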
Non-air-gapped Environment Create FIPS-140 images
KIB can produce images containing FIPS-140 compliant binaries. Use the fips.yaml override file provided with the image bundles.
You can also find these override files in the Konvoy Image Builder repo.
Create overrides
Create a secret that includes the customization Overrides for FIPS compliance:
Note: Get the latest values for FIPS from the Konvoy Image Builder repo.
cat > overrides.yaml << EOF
---
k8s_image_registry: docker.io/mesosphere
fips:
  enabled: true
build_name_extra: -fips
kubernetes_build_metadata: fips.0
default_image_repo: hub.docker.io/mesosphere
kubernetes_rpm_repository_url: "https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v{{ kubernetes_version }}-fips/x86_64"
docker_rpm_repository_url: "\
https://containerd-fips.s3.us-east-2.amazonaws.com\
/{{ ansible_distribution_major_version|int }}\
/x86_64"
EOF
If your pre-provisioned machines need further customization (alternate package repositories, Docker or other container image registries, or other custom override settings), add those lines to the same overrides file.
Example:
If you want to provide an override with Docker credentials and a different source for EPEL on a CentOS 7 machine, create a file like this:
cat > overrides.yaml << EOF
---
# fips configuration
k8s_image_registry: docker.io/mesosphere
fips:
  enabled: true
build_name_extra: -fips
kubernetes_build_metadata: fips.0
default_image_repo: hub.docker.io/mesosphere
kubernetes_rpm_repository_url: "https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v{{ kubernetes_version }}-fips/x86_64"
docker_rpm_repository_url: "\
https://containerd-fips.s3.us-east-2.amazonaws.com\
/{{ ansible_distribution_major_version|int }}\
/x86_64"
# custom configuration
image_registries_with_auth:
  - host: "registry-1.docker.io"
    username: "my-user"
    password: "my-password"
    auth: ""
    identityToken: ""
epel_centos_7_rpm: https://my-rpm-repostory.org/epel/epel-release-latest-7.noarch.rpm
EOF
Example:
When using Oracle 7 OS, you may wish to deploy the RHCK kernel instead of the default UEK kernel. To do so, add the following text to your overrides.yaml:
cat > overrides.yaml << EOF
---
# fips configuration
k8s_image_registry: docker.io/mesosphere
fips:
  enabled: true
build_name_extra: -fips
kubernetes_build_metadata: fips.0
default_image_repo: hub.docker.io/mesosphere
kubernetes_rpm_repository_url: "https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v{{ kubernetes_version }}-fips/x86_64"
docker_rpm_repository_url: "\
https://containerd-fips.s3.us-east-2.amazonaws.com\
/{{ ansible_distribution_major_version|int }}\
/x86_64"
# custom configuration
oracle_kernel: RHCK
EOF
Create the related secret by running the following command:
kubectl create secret generic $CLUSTER_NAME-user-overrides --from-file=overrides.yaml=overrides.yaml
kubectl label secret $CLUSTER_NAME-user-overrides clusterctl.cluster.x-k8s.io/move=
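A check to run on overrides.yaml before it goes into the secret, added here as an example rather than DKP or KIB code. It confirms that the FIPS settings shown on this page are present (a wrong value here yields non-FIPS images without any error from the secret commands), flags when the file also carries registry credentials (the overrides secret then needs the same access controls as any other credential store), and builds the manifest the two kubectl commands above create. The function names and the sample override texts are constructed; the expected values mirror this page and should be refreshed from the Konvoy Image Builder repo as the note above says.

```python
import base64
import json
import re

# Same label the page's `kubectl label` command sets, so `clusterctl move` carries the secret.
MOVE_LABEL = "clusterctl.cluster.x-k8s.io/move"

# Values the FIPS override on this page sets; refresh from the KIB repo as the page advises.
EXPECTED_FIPS = {"build_name_extra": "-fips", "kubernetes_build_metadata": "fips.0"}


def _scalar(text: str, key: str):
    """Value of a top-level `key: value` line, quotes stripped; None if absent."""
    m = re.search(rf"^{re.escape(key)}:[ \t]*(.*?)[ \t]*$", text, re.M)
    return m.group(1).strip('"') if m else None


def fips_override_problems(text: str) -> list:
    """Settings that would silently produce non-FIPS images if missing or wrong."""
    problems = []
    if not re.search(r"^fips:[ \t]*\n[ \t]+enabled:[ \t]*true[ \t]*$", text, re.M):
        problems.append("fips.enabled is not true")
    for key, want in EXPECTED_FIPS.items():
        got = _scalar(text, key)
        if got != want:
            problems.append(f"{key} is {got!r}, expected {want!r}")
    rpm = _scalar(text, "kubernetes_rpm_repository_url")
    if rpm is None or "-fips" not in rpm:
        problems.append("kubernetes_rpm_repository_url does not point at a -fips repo")
    return problems


def carries_registry_credentials(text: str) -> bool:
    """True when image_registries_with_auth holds a non-empty password, i.e. the
    overrides secret will also hold registry credentials."""
    return "image_registries_with_auth:" in text and bool(
        re.search(r'^[ \t]+password:[ \t]*"?[^"\s]+', text, re.M)
    )


def overrides_secret(cluster_name: str, text: str) -> dict:
    """Manifest equivalent to `kubectl create secret generic <name>-user-overrides
    --from-file=overrides.yaml=overrides.yaml` plus the move label; refuses a
    file whose FIPS settings are wrong."""
    problems = fips_override_problems(text)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": f"{cluster_name}-user-overrides", "labels": {MOVE_LABEL: ""}},
        "type": "Opaque",
        "data": {"overrides.yaml": base64.b64encode(text.encode()).decode()},
    }


# Constructed sample: the FIPS values from this page, with the containerd URL on one line.
FIPS_OVERRIDES = """\
---
k8s_image_registry: docker.io/mesosphere
fips:
  enabled: true
build_name_extra: -fips
kubernetes_build_metadata: fips.0
default_image_repo: hub.docker.io/mesosphere
kubernetes_rpm_repository_url: "https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v{{ kubernetes_version }}-fips/x86_64"
docker_rpm_repository_url: "https://containerd-fips.s3.us-east-2.amazonaws.com/{{ ansible_distribution_major_version|int }}/x86_64"
"""

# Constructed sample with placeholder registry credentials appended.
CUSTOM_OVERRIDES = FIPS_OVERRIDES + """\
# custom configuration
image_registries_with_auth:
  - host: "registry-1.docker.io"
    username: "my-user"
    password: "my-password"
    auth: ""
    identityToken: ""
"""

# Constructed sample of a file that would build non-FIPS images.
BROKEN_OVERRIDES = FIPS_OVERRIDES.replace("enabled: true", "enabled: false").replace("fips.0", "")

if __name__ == "__main__":
    for name, text in [("fips", FIPS_OVERRIDES), ("custom", CUSTOM_OVERRIDES), ("broken", BROKEN_OVERRIDES)]:
        print(name, "problems:", fips_override_problems(text), "credentials:", carries_registry_credentials(text))
    print(json.dumps(overrides_secret("preprovisioned-example", CUSTOM_OVERRIDES), indent=2))
```

Point the script at the real overrides.yaml by reading the file into `text`; when `carries_registry_credentials` is true, treat the resulting secret as a credential store and restrict who can read it on the bootstrap cluster and, after clusterctl move, on the new cluster.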