Add admin certificate invalidation to install (#313)

Also adds check for emergency credentials.
appuio · Mar 8, 2024 · 543a812 · 543a812
1 parent d5d531b
commit 543a812
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 11 deletions.
diff --git a/docs/modules/ROOT/partials/install/finalize_part1.adoc b/docs/modules/ROOT/partials/install/finalize_part1.adoc
@@ -72,27 +72,40 @@ done
 ----
 endif::[]
 
-=== Store the cluster's admin credentials in the password manager
+=== Ensure emergency admin access to the cluster
 
-. Once the cluster's production API certificate has been deployed, edit the cluster's admin kubeconfig file to remove the initial API certificate CA.
+. Check that emergency credentials were uploaded and are accessible:
 +
-[TIP]
+[source,bash]
+----
+emergency-credentials-receive "${CLUSTER_ID}"
+# Follow the instructions to use the downloaded kubeconfig file
+----
++
+[NOTE]
 ====
-You may see the error `Unable to connect to the server: x509: certificate signed by unknown authority` when executing `kubectl` or `oc` commands after the cluster's production API certificate has been deployed by Project Syn.
+You need to be in the passbolt group `VSHN On-Call`.
+
+If the command fails, check if the controller is already deployed, running, and if the credentials are uploaded:
 
-This error can be addressed by removing the initial CA certificate data from the admin kubeconfig as shown in this step.
+[source,bash]
+----
+kubectl -n appuio-emergency-credentials-controller get emergencyaccounts.cluster.appuio.io -o=jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.lastTokenCreationTimestamp}{"\n"}{end}'
+----
 ====
+
+. Follow the instructions from `emergency-credentials-receive` to use the downloaded `kubeconfig` file.
 +
 [source,bash]
 ----
-yq e -i 'del(.clusters[0].cluster.certificate-authority-data)' \
-  "${INSTALLER_DIR}/auth/kubeconfig"
+export KUBECONFIG="em-${CLUSTER_ID}"
+kubectl get nodes
+oc whoami # should output system:serviceaccount:appuio-emergency-credentials-controller:*
 ----
 
-. Save the admin credentials in the https://cloud.passbolt.com/vshn[password manager].
-You can find the password in the file `target/auth/kubeadmin-password` and the kubeconfig in `target/auth/kubeconfig`
+. Invalidate the 10 year admin kubeconfig.
 +
 [source,bash]
 ----
-ls -l ${INSTALLER_DIR}/auth/
+kubectl -n openshift-config patch cm admin-kubeconfig-client-ca --type=merge -p '{"data": {"ca-bundle.crt": ""}}'
 ----
diff --git a/docs/modules/ROOT/partials/install/prerequisites.adoc b/docs/modules/ROOT/partials/install/prerequisites.adoc
@@ -1,10 +1,11 @@
 * `jq`
 * `yq` https://mikefarah.gitbook.io/yq[yq YAML processor] (version 4 or higher - use the go version by mikefarah, not the jq wrapper by kislyuk)
 * `openshift-install` (direct download: https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable-{ocp-minor-version}/openshift-install-linux.tar.gz[linux], https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable-{ocp-minor-version}/openshift-install-mac.tar.gz[macOS])
-* `oc` (direct download: https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable-{ocp-minor-version}/openshift-client-linux.tar.gz[linux], https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable-{ocp-minor-version}/openshift-client-mac.tar.gz[macOS]) 
+* `oc` (direct download: https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable-{ocp-minor-version}/openshift-client-linux.tar.gz[linux], https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable-{ocp-minor-version}/openshift-client-mac.tar.gz[macOS])
 * https://kubernetes.io/docs/tasks/tools/#kubectl[`kubectl`]
 * `vault` https://www.vaultproject.io/docs/commands[Vault CLI]
 * `curl`
+* `emergency-credentials-receive` https://github.com/vshn/emergency-credentials-receive?tab=readme-ov-file#install-from-binary[Install instructions]
 ifeval::["{provider}" != "vsphere"]
 * `gzip`
 * `docker`