From ff16939e59efaff830988066c29ef3d56fb979c7 Mon Sep 17 00:00:00 2001 From: Floppy Disk Date: Thu, 5 Dec 2024 12:39:31 +0300 Subject: [PATCH 1/4] add-oidc-docs-2 --- content/en/docs/oidc.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/content/en/docs/oidc.md b/content/en/docs/oidc.md index b38a771..fbb0ea9 100644 --- a/content/en/docs/oidc.md +++ b/content/en/docs/oidc.md @@ -77,6 +77,9 @@ kubectl get secret -o yaml -n cozy-keycloak keycloak-credentials -o go-template= 1. **Create a User in the Cozy Realm** Follow the [Keycloak documentation](https://www.keycloak.org/docs/latest/server_admin/index.html#proc-creating-user_server_administration_guide) to create a user in the Cozy realm. + {{% alert color="info" %}} + User must be with verified email. + {{% /alert %}} 2. **Add User to the `kubeapps-admin` Group** Assign the user to the `kubeapps-admin` group. From 8d6c109e8af80384cff29c817f0cfe938b7690fc Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Thu, 5 Dec 2024 11:29:42 +0100 Subject: [PATCH 2/4] Update content/en/docs/oidc.md Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> --- content/en/docs/oidc.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/content/en/docs/oidc.md b/content/en/docs/oidc.md index fbb0ea9..da6857e 100644 --- a/content/en/docs/oidc.md +++ b/content/en/docs/oidc.md 
@@ -78,7 +78,11 @@ kubectl get secret -o yaml -n cozy-keycloak keycloak-credentials -o go-template= 1. **Create a User in the Cozy Realm** Follow the [Keycloak documentation](https://www.keycloak.org/docs/latest/server_admin/index.html#proc-creating-user_server_administration_guide) to create a user in the Cozy realm. {{% alert color="info" %}} - User must be with verified email. + Users must have a verified email address in Keycloak. This is required for proper OIDC authentication. + To verify an email: + 1. Access the user details in Keycloak admin console + 2. Navigate to the Credentials tab + 3. Use the "Email Verification" action {{% /alert %}} 2. **Add User to the `kubeapps-admin` Group** From a14dda193439ebe840014612883d32c308cbfc74 Mon Sep 17 00:00:00 2001 From: Floppy Disk Date: Tue, 28 Jan 2025 14:05:06 +0300 Subject: [PATCH 3/4] add-rotate-ca-docs --- content/en/docs/faq.md | 65 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/content/en/docs/faq.md b/content/en/docs/faq.md index f2625b3..7efcb0b 100644 --- a/content/en/docs/faq.md +++ b/content/en/docs/faq.md 
@@ -142,3 +142,68 @@ in the result, you’ll receive the tenant-kubeconfig file, which you can provid Here you can find reference repository to learn how to configure Cozystack services using GitOps approach: - https://github.com/aenix-io/cozystack-gitops-example + +### How to rotate CA + +#### For tenant k8s cluster: + +```bash +export NAME=k8s-cluster-name +kubectl delete secret ${NAME}-ca +kubectl delete secret ${NAME}-sa-certificate + +kubectl delete secret ${NAME}-api-server-certificate +kubectl delete secret ${NAME}-api-server-kubelet-client-certificate +kubectl delete secret ${NAME}-datastore-certificate +kubectl delete secret ${NAME}-front-proxy-client-certificate +kubectl delete secret ${NAME}-konnectivity-certificate + +kubectl delete secret ${NAME}-admin-kubeconfig +kubectl delete secret ${NAME}-controller-manager-kubeconfig +kubectl delete secret ${NAME}-konnectivity-kubeconfig +kubectl delete secret ${NAME}-scheduler-kubeconfig + +k delete po -l app.kubernetes.io/name=kamaji -n cozy-kamaji +``` + +Wait for virt-launcher-kubernetes-* pods restart. +Download new k8s certificate. 
+ +#### For managment k8s cluster: +See talos docs: https://www.talos.dev/v1.9/advanced/ca-rotation/#kubernetes-api +```bash +git clone https://github.com/aenix-io/cozystack.git +cd packages/core/testing +make apply +make exec +``` + +Add to your talosconfig in pod: +```yaml + client-aenix-new: + endpoints: + - 12.34.56.77 + - 12.34.56.78 + - 12.34.56.79 + nodes: + - 12.34.56.77 + - 12.34.56.78 + - 12.34.56.79 +``` + +Exec in pod: +```bash +talosctl rotate-ca -e 12.34.56.77,12.34.56.78,12.34.56.79 --control-plane-nodes 12.34.56.77,12.34.56.78,12.34.56.79 --talos=false --dry-run=false & +``` + +Get new kubeconfig: +```bash +talm kubeconfig kubeconfig -f nodes/srv1.yaml +``` + +#### For talos API +See: https://www.talos.dev/v1.9/advanced/ca-rotation/#talos-api +All like for managment k8s cluster, but talosctl command: +```bash +talosctl rotate-ca -e 12.34.56.77,12.34.56.78,12.34.56.79 --control-plane-nodes 12.34.56.77,12.34.56.78,12.34.56.79 --kubernetes=false --dry-run=false & +``` From 5d1228caeda1f452c08f44d95cd8df4ed94ca03a Mon Sep 17 00:00:00 2001 From: Floppy Disk Date: Tue, 28 Jan 2025 14:26:12 +0300 Subject: [PATCH 4/4] add reasons --- content/en/docs/faq.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/content/en/docs/faq.md b/content/en/docs/faq.md index 7efcb0b..670e2bd 100644 --- a/content/en/docs/faq.md +++ b/content/en/docs/faq.md 
@@ -144,9 +144,13 @@ Here you can find reference repository to learn how to configure Cozystack servi - https://github.com/aenix-io/cozystack-gitops-example ### How to rotate CA +In general, you almost never need to rotate the root CA certificate and key for the Talos API and Kubernetes API. Talos sets up root certificate authorities with the lifetime of 10 years, and all Talos and Kubernetes API certificates are issued by these root CAs. So the rotation of the root CA is only needed if: +- you suspect that the private key has been compromised; +- you want to revoke access to the cluster for a leaked talosconfig or kubeconfig; +- once in 10 years. #### For tenant k8s cluster: - +See: https://kamaji.clastix.io/guides/certs-lifecycle/ ```bash export NAME=k8s-cluster-name kubectl delete secret ${NAME}-ca @@ -170,7 +174,7 @@ Wait for virt-launcher-kubernetes-* pods restart. Download new k8s certificate. #### For managment k8s cluster: -See talos docs: https://www.talos.dev/v1.9/advanced/ca-rotation/#kubernetes-api +See: https://www.talos.dev/v1.9/advanced/ca-rotation/#kubernetes-api ```bash git clone https://github.com/aenix-io/cozystack.git cd packages/core/testing
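Review bot: Grammar in the alert added by PATCH 1/4: `User must be with verified email.` should read `Users must have a verified email address.` Since PATCH 2/4 rewrites exactly these three lines, consider squashing the two commits so the series does not introduce text it immediately replaces.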
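Review bot: The verification steps in the PATCH 2/4 alert are ambiguous about what actually marks the address verified: `2. Navigate to the Credentials tab` / `3. Use the "Email Verification" action` reads like the credential-reset flow that emails the user a verify-email required action (which the user must then complete), whereas an administrator can also set the `Email verified` switch directly on the user's Details tab. State which path is intended, and name the component in Cozystack that rejects an unverified email, because `This is required for proper OIDC authentication.` does not tell the reader what fails or what the error looks like when the flag is missing.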
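Review bot: The tenant-cluster procedure in PATCH 3/4 mixes `kubectl` with an undefined alias in `k delete po -l app.kubernetes.io/name=kamaji -n cozy-kamaji`; readers without that alias get `command not found`, so spell out `kubectl`. The same block deletes `${NAME}-ca` and every derived secret, which invalidates all kubeconfigs issued for that tenant cluster, not only a leaked one; say so explicitly, and make `Download new k8s certificate.` concrete by naming where the regenerated credential appears (presumably the recreated `${NAME}-admin-kubeconfig` secret that the block deletes) and how to fetch it. In the Talos sections, `talosctl rotate-ca ... --dry-run=false &` runs a CA rotation in the background of an exec session with no way to read its output; `talosctl rotate-ca` defaults to dry-run precisely so the plan can be checked first, so document a dry-run pass before the `--dry-run=false` run and drop the trailing `&` or explain why it is needed. Also `#### For managment k8s cluster:` misspells "management", and the fragment under `Add to your talosconfig in pod:` shows a context body without its `contexts:` parent key or the `ca`/`crt`/`key` fields, so it cannot be pasted as-is.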
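Review bot: The rationale list in the first hunk of PATCH 4/4 does not parse as written: `So the rotation of the root CA is only needed if:` is followed by `- once in 10 years.`, which is not a condition; rephrase it as `- the CA is approaching the end of its 10-year lifetime.` or similar. In the same paragraph, `with the lifetime of 10 years` should be `with a lifetime of 10 years`. The added `See: https://kamaji.clastix.io/guides/certs-lifecycle/` is useful, but it replaces the blank line that separated the heading from the code block; keep a blank line before the fence so the rendered FAQ stays consistent with the other sections.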
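Review bot: The second hunk of PATCH 4/4 touches the line right under `#### For managment k8s cluster:` but leaves the misspelled heading in place; since this commit is already editing that section, fix it to `#### For management k8s cluster:` here.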