
Pre-provisioned FIPS Create Secrets and Overrides

Create necessary secrets and overrides for pre-provisioned clusters

DKP requires SSH access to your infrastructure with superuser privileges. You must provide an unencrypted SSH private key to DKP.

Create the required secret containing this key on your bootstrap cluster using the following procedure.

Create a unique cluster name

Give your cluster a unique name suitable for your environment.

Set the environment variable to be used throughout this procedure:

CODE
export CLUSTER_NAME=preprovisioned-example

(Optional) To generate a unique cluster name, use this command. Each run produces a different name, so use it carefully.

CODE
export CLUSTER_NAME=preprovisioned-example-$(LC_CTYPE=C tr -dc 'a-z0-9' </dev/urandom | fold -w 5 | head -n1)
echo $CLUSTER_NAME
CODE
preprovisioned-example-pf4a3

Create a secret

Create a secret that contains the SSH key with these commands:

CODE
export SSH_PRIVATE_KEY_FILE="<path-to-ssh-private-key>"
export SSH_PRIVATE_KEY_SECRET_NAME=$CLUSTER_NAME-ssh-key
kubectl create secret generic ${SSH_PRIVATE_KEY_SECRET_NAME} --from-file=ssh-privatekey=${SSH_PRIVATE_KEY_FILE}
kubectl label secret ${SSH_PRIVATE_KEY_SECRET_NAME} clusterctl.cluster.x-k8s.io/move=
CODE
secret/preprovisioned-example-ssh-key created
secret/preprovisioned-example-ssh-key labeled


Pre-provisioned FIPS Infrastructure

If you are targeting a pre-provisioned install, you can create a FIPS-compliant cluster by doing the following:

  1. Create a Pre-provisioned: Bootstrap Cluster

  2. Create a secret on the bootstrap cluster with the contents of the fips.yaml override file and any other user overrides you wish to provide:

CODE
kubectl create secret generic $CLUSTER_NAME-fips-overrides --from-file=overrides.yaml=overrides.yaml
kubectl label secret $CLUSTER_NAME-fips-overrides clusterctl.cluster.x-k8s.io/move=

Create overrides

  1. Create an overrides file (overrides.yaml) with the customization overrides for FIPS compliance:
    Note: Get the latest values for FIPS from the Konvoy Image Builder repo.

    CODE
    cat > overrides.yaml << EOF
    ---
    k8s_image_registry: docker.io/mesosphere
    
    fips:
      enabled: true
    
    build_name_extra: -fips
    kubernetes_build_metadata: fips.0
    default_image_repo: hub.docker.io/mesosphere
    kubernetes_rpm_repository_url: "https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v{{ kubernetes_version }}-fips/x86_64"
    docker_rpm_repository_url: "\
      https://containerd-fips.s3.us-east-2.amazonaws.com\
      /{{ ansible_distribution_major_version|int }}\
      /x86_64"
    EOF

  2. If your pre-provisioned machines need customizations such as alternate package libraries, Docker image repos, or other Custom Override Files, add the corresponding lines to the same overrides file.

    1. Example:
      If you want to provide an override with Docker credentials and a different source for EPEL on a CentOS 7 machine, create a file like this:

      CODE
      cat > overrides.yaml << EOF
      ---
      # fips configuration
      k8s_image_registry: docker.io/mesosphere
      
      fips:
        enabled: true
      
      build_name_extra: -fips
      kubernetes_build_metadata: fips.0
      default_image_repo: hub.docker.io/mesosphere
      kubernetes_rpm_repository_url: "https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v{{ kubernetes_version }}-fips/x86_64"
      docker_rpm_repository_url: "\
        https://containerd-fips.s3.us-east-2.amazonaws.com\
        /{{ ansible_distribution_major_version|int }}\
        /x86_64"
      
      # custom configuration
      image_registries_with_auth:
      - host: "registry-1.docker.io"
        username: "my-user"
        password: "my-password"
        auth: ""
        identityToken: ""
      
      epel_centos_7_rpm: https://my-rpm-repository.org/epel/epel-release-latest-7.noarch.rpm
      EOF

    2. Example:
      When using Oracle Linux 7, you may wish to deploy the RHCK kernel instead of the default UEK kernel. To do so, add the following to your overrides.yaml:

      CODE
      cat > overrides.yaml << EOF
      ---
      # fips configuration
      k8s_image_registry: docker.io/mesosphere
      
      fips:
        enabled: true
      
      build_name_extra: -fips
      kubernetes_build_metadata: fips.0
      default_image_repo: hub.docker.io/mesosphere
      kubernetes_rpm_repository_url: "https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v{{ kubernetes_version }}-fips/x86_64"
      docker_rpm_repository_url: "\
        https://containerd-fips.s3.us-east-2.amazonaws.com\
        /{{ ansible_distribution_major_version|int }}\
        /x86_64"
      
      # custom configuration
      oracle_kernel: RHCK
      EOF

  3. Create the related secret by running the following command:

    CODE
    kubectl create secret generic $CLUSTER_NAME-user-overrides --from-file=overrides.yaml=overrides.yaml
    kubectl label secret $CLUSTER_NAME-user-overrides clusterctl.cluster.x-k8s.io/move=
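
The script below is an added example, not part of the DKP documentation or tooling. It ties together the two secrets this page creates (the SSH key secret and the overrides secret): it checks that the SSH private key is actually unencrypted, as DKP requires, and not readable by other users, checks that overrides.yaml still carries the FIPS settings every variant on this page keeps, and then renders the Secret manifest that the page's `kubectl create secret generic ... --from-file=...` plus `kubectl label ... clusterctl.cluster.x-k8s.io/move=` pair produces. The file name check-secrets.sh, the sample key path in the usage comment, and the `apply` helper are assumptions; CLUSTER_NAME, SSH_PRIVATE_KEY_FILE and overrides.yaml are the names set up earlier on this page.

```shell
#!/usr/bin/env bash
# Added example, not part of the DKP docs or tooling: pre-flight checks for the
# SSH key and the overrides file, plus the manifest equivalent of each
# `kubectl create secret generic ... --from-file=...` and
# `kubectl label secret ... clusterctl.cluster.x-k8s.io/move=` pair above.
# Assumed inputs: CLUSTER_NAME, SSH_PRIVATE_KEY_FILE and ./overrides.yaml as
# set up earlier on this page.

# 0 if FILE is an unencrypted private key (legacy PEM or OpenSSH format), 1 otherwise.
# DKP requires the key unencrypted; catching a passphrase here beats a failed provision.
key_is_unencrypted() {
  local file="$1" body cipher
  [ -r "$file" ] || return 1
  # PKCS#8 and passphrase-protected legacy PEM keys announce encryption in the header
  grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$file" && return 1
  grep -q 'Proc-Type: 4,ENCRYPTED' "$file" && return 1
  if grep -q -- '-----BEGIN OPENSSH PRIVATE KEY-----' "$file"; then
    # OpenSSH format: 15-byte "openssh-key-v1\0" magic, then a length-prefixed
    # cipher name; "none" means no passphrase, "aes256-ctr" etc. means encrypted
    body=$(sed -n '/^-----BEGIN OPENSSH PRIVATE KEY-----$/,/^-----END OPENSSH PRIVATE KEY-----$/p' "$file" \
             | sed '1d;$d' | tr -d '\n')
    cipher=$(printf '%s' "$body" | base64 -d 2>/dev/null | head -c 23 | tail -c 4)
    if [ "$cipher" = "none" ]; then return 0; else return 1; fi
  fi
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$file"
}

# 0 if FILE is readable and writable only by its owner (mode 0600 or tighter), 1 otherwise.
key_is_owner_only() {
  local file="$1"
  [ -e "$file" ] || return 1
  # columns 5-10 of `ls -l` output are the group and other permission bits
  [ "$(ls -ld "$file" | cut -c5-10)" = "------" ]
}

# 0 if FILE still carries the FIPS settings that every overrides.yaml on this page keeps.
overrides_has_fips() {
  local file="$1"
  [ -r "$file" ] || return 1
  grep -q '^fips:' "$file" || return 1
  grep -q '^  enabled: true' "$file" || return 1
  grep -q '^build_name_extra: -fips' "$file" || return 1
  grep -q '^kubernetes_build_metadata: fips.0' "$file"
}

# Manifest equivalent of `kubectl create secret generic NAME --from-file=KEY=FILE`
# followed by `kubectl label secret NAME clusterctl.cluster.x-k8s.io/move=`.
# Secret data is only base64-encoded: anyone allowed to read Secrets in the
# namespace can read the SSH key and the registry password in overrides.yaml,
# so RBAC on the bootstrap cluster (and encryption at rest) is what protects them.
render_secret() {
  local name="$1" key="$2" file="$3" encoded
  encoded=$(base64 < "$file" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: ${name}
  labels:
    clusterctl.cluster.x-k8s.io/move: ""
data:
  ${key}: ${encoded}
EOF
}

# Runs only when the page's variables are set, e.g. (assumed file name and key path):
#   CLUSTER_NAME=preprovisioned-example SSH_PRIVATE_KEY_FILE=~/.ssh/id_ed25519 bash check-secrets.sh
if [ -n "${SSH_PRIVATE_KEY_FILE:-}" ] && [ -n "${CLUSTER_NAME:-}" ]; then
  key_is_unencrypted "$SSH_PRIVATE_KEY_FILE" || { echo "refusing: $SSH_PRIVATE_KEY_FILE is encrypted or not a private key" >&2; exit 1; }
  key_is_owner_only "$SSH_PRIVATE_KEY_FILE" || { echo "refusing: $SSH_PRIVATE_KEY_FILE is readable by group or others" >&2; exit 1; }
  overrides_has_fips overrides.yaml || { echo "refusing: overrides.yaml is missing the FIPS settings" >&2; exit 1; }
  # Apply when kubectl is on PATH; otherwise just print the manifests for review
  apply() { if command -v kubectl >/dev/null 2>&1; then kubectl apply -f -; else cat; fi; }
  render_secret "${CLUSTER_NAME}-ssh-key" ssh-privatekey "$SSH_PRIVATE_KEY_FILE" | apply
  # The $CLUSTER_NAME-fips-overrides secret from the earlier step is the same call with that name
  render_secret "${CLUSTER_NAME}-user-overrides" overrides.yaml overrides.yaml | apply
fi
```

The manifest render_secret prints is what `kubectl create secret generic ... --dry-run=client -o yaml` would show, with the clusterctl move label already in metadata; applying it with `kubectl apply -f -` does the same as the page's create-then-label pair and can be re-run safely. The label is what lets `clusterctl move` carry the secret across when the management cluster is later pivoted, so a missing label is worth checking before that step.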