diff --git a/adoc/admin-monitoring-stack.adoc b/adoc/admin-monitoring-stack.adoc index 7de903556..14974283c 100644 --- a/adoc/admin-monitoring-stack.adoc +++ b/adoc/admin-monitoring-stack.adoc @@ -1,4 +1,4 @@ -[[monitoring_stack]] +[#monitoring-stack] = Monitoring Stack [IMPORTANT] @@ -792,7 +792,7 @@ In production environments you must configure persistent storage. alertmanager: enabled: true baseURL: https://example.com:32443/alertmanager - prefixURL: /alertmanager + prefixURL: /alertmanager ingress: enabled: true annotations: diff --git a/adoc/admin-security-certificates.adoc b/adoc/admin-security-certificates.adoc index cef5ae3a9..ce616569d 100644 --- a/adoc/admin-security-certificates.adoc +++ b/adoc/admin-security-certificates.adoc @@ -155,7 +155,7 @@ helm install suse/cert-exporter --name ${RELEASE_NAME} === Prerequisites -. To monitor certificates, we need to set up monitoring stack by following the <> on how to deploy it. +. To monitor certificates, we need to set up monitoring stack by following the <> on how to deploy it. . Label the skuba addon certificates + [source,bash] @@ -369,7 +369,7 @@ openssl x509 -noout -text -in pki.bak/oidc-dex.crt | grep -oP '(?<=DNS:)[^,]+' . Sign the `oidc-dex` server certificate with the trusted CA certificate. + -Please refer to <> on how to sign the trusted certificate. The `server.conf` for IP.1 is the original SAN IP address if present, DNS.1 is the original SAN DNS if present. +Please refer to <> on how to sign the trusted certificate. The `server.conf` for IP.1 is the original SAN IP address if present, DNS.1 is the original SAN DNS if present. + Then, import your trusted certificate into the {kube} cluster. The trusted CA certificates is ``, trusted server certificate and key are `` and ``. 
@@ -422,7 +422,7 @@ openssl x509 -noout -text -in pki.bak/oidc-gangway.crt | grep -oP '(?<=DNS:)[^,] . Sign the `oidc-gangway` server certificate with the trusted CA certificate. + -Please refer to <> on how to sign the trusted certificate. The `server.conf` for IP.1 is the original SAN IP address if present, DNS.1 is the original SAN DNS if present. +Please refer to <> on how to sign the trusted certificate. The `server.conf` for IP.1 is the original SAN IP address if present, DNS.1 is the original SAN DNS if present. + Then, import your trusted certificate into the {kube} cluster. The trusted CA certificates is ``, trusted server certificate and key are `` and ``. 
@@ -579,11 +579,11 @@ openssl x509 -noout -text -in /etc/kubernetes/pki.bak/oidc-dex.crt | grep -oP '( . Sign the `oidc-dex` server certificate with the default kubernetes CA certificate _or_ trusted CA certificate. .. Default kubernetes CA certificate + -Please refer to <> on how to sign the self signed server certificate. The default kubernetes CA certificate and key are located at `/etc/kubernetes/pki/ca.crt` and `/etc/kubernetes/pki/ca.key`. The `server.conf` for IP.1 is the original SAN IP address if present, DNS.1 is the original SAN DNS if present. +Please refer to <> on how to sign the self signed server certificate. The default kubernetes CA certificate and key are located at `/etc/kubernetes/pki/ca.crt` and `/etc/kubernetes/pki/ca.key`. The `server.conf` for IP.1 is the original SAN IP address if present, DNS.1 is the original SAN DNS if present. + .. Trusted CA certificate + -Please refer to <> on how to sign the trusted server certificate. The `server.conf` for IP.1 is the original SAN IP address if present, DNS.1 is the original SAN DNS if present. +Please refer to <> on how to sign the trusted server certificate. The `server.conf` for IP.1 is the original SAN IP address if present, DNS.1 is the original SAN DNS if present. . Import your certificate into the {kube} cluster. The CA certificate is ``, server certificate and key are `` and ``. 
@@ -637,11 +637,11 @@ openssl x509 -noout -text -in /etc/kubernetes/pki.bak/oidc-gangway.crt | grep -o . Sign the `oidc-gangway` server certificate with the default kubernetes CA certificate _or_ trusted CA certificate. .. Default kubernetes CA certificate + -Please refer to <> on how to sign the self signed server certificate. The default kubernetes CA certificate and key are located at `/etc/kubernetes/pki/ca.crt` and `/etc/kubernetes/pki/ca.key`. The `server.conf` for IP.1 is the original SAN IP address if present, DNS.1 is the original SAN DNS if present. +Please refer to <> on how to sign the self signed server certificate. The default kubernetes CA certificate and key are located at `/etc/kubernetes/pki/ca.crt` and `/etc/kubernetes/pki/ca.key`. The `server.conf` for IP.1 is the original SAN IP address if present, DNS.1 is the original SAN DNS if present. + .. Trusted CA certificate + -Please refer to <> on how to sign the trusted server certificate. The `server.conf` for IP.1 is the original SAN IP address if present, DNS.1 is the original SAN DNS if present. +Please refer to <> on how to sign the trusted server certificate. The `server.conf` for IP.1 is the original SAN IP address if present, DNS.1 is the original SAN DNS if present. . Import your certificate into the {kube} cluster. The CA certificates is ``, server certificate and key are `` and ``. @@ -676,7 +676,7 @@ kubectl rollout restart deployment/oidc-gangway -n kube-system [[trusted_signed_certificate]] === Trusted 3rd-Party Signed Certificate -[[trusted_server_certificate]] +[#trusted-server-certificate] ==== Trusted Server Certificate . Generate a private key by following the steps below from a terminal window: 
@@ -751,7 +751,7 @@ You should receive the following files in return: .. Server certificate (public key) .. Intermediate CA and/or bundles that chain to the Trusted Root CA -[[trusted_client_certificate]] +[#trusted-client-certificate] ==== Trusted Client Certificate . Generate a private key by following the steps below from a terminal window: @@ -817,7 +817,7 @@ You should receive the following files in return: .. Client certificate (public key) .. Intermediate CA and/or bundles that chain to the Trusted Root CA -[[self_signed_certificate]] +[#self-signed-certificate] === Self-signed Server Certificate [NOTE] @@ -827,9 +827,9 @@ used for signing is configured securely as a trusted Certificate Authority on th ==== In some cases you want to create self-signed certificates for testing. -If you are using proper trusted 3rd-party CA signed certificates, skip the following steps and refer to <>. +If you are using proper trusted 3rd-party CA signed certificates, skip the following steps and refer to <>. -[[self_signed_ca_certificate]] +[#self-signed-ca-certificate] ==== Self-signed CA Certificate . Create a file _ca.conf_ with the appropriate values @@ -869,7 +869,7 @@ openssl genrsa -out ca.key 2048 openssl req -key ca.key -new -x509 -days 3650 -sha256 -config ca.conf -out ca.crt ---- -[[self_signed_server_certificate]] +[#self-signed-server-certificate] ==== Self-signed Server Certificate . Create a file _server.conf_ with the appropriate values @@ -927,7 +927,7 @@ Check the signed certificate openssl x509 -text -noout -in server.crt ---- -[[self_signed_client_certificate]] +[#self-signed-client-certificate] ==== Self-signed Client Certificate . Create a file _client.conf_ with the appropriate values diff --git a/adoc/admin-security-nginx-ingress.adoc b/adoc/admin-security-nginx-ingress.adoc index cfb106bbc..4e47ac7c9 100644 --- a/adoc/admin-security-nginx-ingress.adoc +++ b/adoc/admin-security-nginx-ingress.adoc 
@@ -198,7 +198,7 @@ kubectl create clusterrolebinding dashboard-admin \ . Create the TLS secret. + -Please refer to <> on how to sign the trusted certificate. In this example, crt and key are generated by a self-signed certificate. +Please refer to <> on how to sign the trusted certificate. In this example, crt and key are generated by a self-signed certificate. + [source,bash] ---- diff --git a/adoc/admin-software-installation.adoc b/adoc/admin-software-installation.adoc index db6a3f1b6..02e2ab318 100644 --- a/adoc/admin-software-installation.adoc +++ b/adoc/admin-software-installation.adoc @@ -1,4 +1,4 @@ -[[software-installation]] +-[[software-installation]] = Software Installation Software can be installed in three basic layers @@ -134,14 +134,14 @@ This installs tiller with TLS certificate security. ===== Trusted Certificates -Please reference to <> and <> on how to sign the trusted tiller and helm certificate. +Please refer to <> and <> on how to sign the trusted tiller and helm certificate. The server.conf for IP.1 is `127.0.0.1`. Then, import trusted certificate to {kube} cluster. In this example, trusted certificate are `ca.crt`, `tiller.crt`, `tiller.key`, `helm.crt` and `helm.key`. ===== Self-signed Certificates (optional) -Please reference to <> and <> on how to sign the self-signed tiller and helm certificate. +Please refer to <> and <> on how to sign the self-signed tiller and helm certificate. The server.conf for IP.1 is `127.0.0.1`. Then, import trusted certificate to {kube} cluster. In this example, trusted certificate are `ca.crt`, `tiller.crt`, `tiller.key`, `helm.crt` and `helm.key`.
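
Review bot: in adoc/admin-monitoring-stack.adoc (hunk @@ -792,7), the `prefixURL: /alertmanager` change is whitespace-only and unrelated to the anchor rename that makes up the rest of this patch. This line sits in a YAML values example, where indentation decides which key `prefixURL` belongs to. Please confirm it ends up aligned with `baseURL` under `alertmanager:`, and consider moving it to its own commit so the ID rename stays purely mechanical.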
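
Review bot: in adoc/admin-security-certificates.adoc (hunk @@ -676,7), the context line `[[trusted_signed_certificate]]` keeps the old double-bracket, underscore form while `[[trusted_server_certificate]]` directly below it becomes `[#trusted-server-certificate]`. Either convert it in the same pass or state in the commit message why it is excluded. The converted IDs also change spelling (underscore to hyphen), so search the whole adoc tree for the old IDs before merging: an xref in a file this patch does not touch that still uses an old ID will stop resolving, and readers following a certificate-signing reference will land nowhere.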
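
Review bot: in adoc/admin-software-installation.adoc (hunk @@ -1,4), the added line is `-[[software-installation]]` with a leading hyphen, which looks like a stray diff marker committed into the file. With that character in front, the anchor no longer stands alone on the line before `= Software Installation`, and the ID is not converted to the `[#...]` form used in the other files. The line should be `[#software-installation]`, or stay as `[[software-installation]]` if this file is meant to be left alone.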
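
Review bot: in adoc/admin-software-installation.adoc (hunk @@ -134,14), the "Self-signed Certificates (optional)" paragraph still reads "import trusted certificate" and "trusted certificate are", copied from the "Trusted Certificates" paragraph above it. Calling self-signed material trusted is misleading in a security guide. Since the neighbouring sentence is already being edited for "refer to", reword the self-signed paragraph to say self-signed certificates and fix the agreement ("certificates are") in both paragraphs.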