Managing SSL certificates

IBM Storage Enabler for Containers uses SSL certificates for maintaining a secure communication link between the IBM Storage Enabler for Containers server, its database, the Dynamic Provisioner, the FlexVolume, and the IBM Spectrum Scale Management API (GUI) server.

About this task

IBM Storage Enabler for Containers supports two SSL modes, when communicating with its components:
  • require, when no validation is required. The IBM Storage Enabler for Containers server generates self-signed certificates on the fly. In this mode, you can skip the procedure detailed below and continue with the installation of the IBM Storage Enabler for Containers without any special SSL configuration.
  • verify-full, expecting the user to provide relevant certificates. When enabled, this SSL mode requires additional configuration steps as listed below.

Procedure

  1. When operating in the verify-full mode, you will need to generate the following three pairs of the public-private keys for:
    • IBM Spectrum Scale Management API (GUI) server. You can upload these certificates to the server, as explained in the IIBM Spectrum Scale Management API (GUI) user guide.
    • IBM Storage Enabler for Containers (ubiquity) service object.
    • IBM Storage Enabler for Containers database (ubiquity-db) service object.
  2. Verify that:
    • The SSL certificates that you have generated are valid and signed by root CA.
    • The SSL certificates have valid common and alternative names. The alternative names list must contain valid DNS names and/or IP addresses of the IBM Spectrum Scale Management API (GUI) server, ubiquity service object, and ubiquity-db service object.
      Run these commands on Kubernetes cluster master node to obtain the required network parameters for the ubiquity and ubiquity-db services (see example with the ubiquity namespace below):
      kubectl create service clusterip ubiquity --tcp=9999:9999 -n ubiquity
kubectl label service ubiquity -n ubiquity product=ibm-storage-enabler-for-containers

kubectl create service clusterip ubiquity-db --tcp=5432:5432 -n ubiquity
kubectl label service ubiquity-db -n ubiquity product=ibm-storage-enabler-for-containers
      These commands generate two Kubernetes services that provide the required DNS/IP address combinations.
    • The private certificate and certificate key files have the following names:
      • ubiquity.crt and ubiquity.key for the ubiquity service object.
      • ubiquity-db.crt and ubiquity-db.key for the ubiquity-db service object.
    • The trusted CA files contain the root CA certificate and have the following names:
      • spectrumscale-trusted-ca.crt for the IBM Spectrum Scale Management API server (GUI).
      • ubiquity-trusted-ca.crt for the ubiquity service object.
      • ubiquity-db-trusted-ca.crt for the ubiquity-db service object.
    • Copy all generated *.crt and *.key files to a dedicated directory.
  3. Create two secrets and one configmap, as illustrated for the ubiquity namespace below: 
    
 kubectl create secret -n ubiquity generic ubiquity-db-private-certificate --from-file=ubiquity-db.key
   --from-file=ubiquity-db.crt
 kubectl create secret -n ubiquity generic ubiquity-private-certificate --from-file=ubiquity.key 
   --from-file=ubiquity.crt
 kubectl create configmap -n ubiquity ubiquity-public-certificates --from-file=ubiquity-db-trusted-ca.crt 
   --from-file=spectrumscale-trusted-ca.crt --from-file=ubiquity-trusted-ca.crt
    • configmap ubiquity-public-certificates for all the trusted CA files.
    • The ubiquity-private-certificate secret for the private certificates used by the ubiquity service object.
    • The ubiquity-db-private-certificate secret for the private certificates used by the ubiquity-db service object.
  4. Proceed with installation of the IBM Storage Enabler for Containers, as detailed in Performing installation.