Create necessary secrets and overrides for pre-provisioned clusters

DKP requires SSH access to your infrastructure with superuser privileges. You must provide an unencrypted SSH private key to DKP.

Populate this key and create the required secret, on your bootstrap cluster using the following procedure.

Create a unique cluster name

Give your cluster a unique name suitable for your environment.

Set the environment variable to be used throughout this procedure:

export CLUSTER_NAME=preprovisioned-example
CODE

(Optional) If you want to create a unique cluster name, use this command. This creates a unique name every time you run it, so use it carefully.

export CLUSTER_NAME=preprovisioned-example-$(LC_CTYPE=C tr -dc 'a-z0-9' </dev/urandom | fold -w 5 | head -n1)
echo $CLUSTER_NAME
CODE 
preprovisioned-example-pf4a3
CODE

Create a secret

Create a secret that contains the SSH key with these commands:

export SSH_PRIVATE_KEY_FILE="<path-to-ssh-private-key>"
CODE 
export SSH_PRIVATE_KEY_SECRET_NAME=$CLUSTER_NAME-ssh-key
CODE 
kubectl create secret generic ${SSH_PRIVATE_KEY_SECRET_NAME} --from-file=ssh-privatekey=${SSH_PRIVATE_KEY_FILE}
kubectl label secret ${SSH_PRIVATE_KEY_SECRET_NAME} clusterctl.cluster.x-k8s.io/move=
CODE 
secret/preprovisioned-example-ssh-key created
secret/preprovisioned-example-ssh-key labeled
CODE
Create FIPS 140 Images: Air-gapped Environment

Pre-provisioned FIPS Infrastructure

If you are targeting a Pre-provisioned Installs, you can create a FIPS-compliant cluster by doing the following:

  1. Create a Pre-provisioned: Bootstrap Cluster

  2. Create a secret on the bootstrap cluster with the contents from fips.yamloverride file and any other user overrides you wish to provide

kubectl create secret generic $CLUSTER_NAME-fips-overrides --from-file=overrides.yaml=overrides.yaml
kubectl label secret $CLUSTER_NAME-fips-overrides clusterctl.cluster.x-k8s.io/move=
CODE

Create overrides

  1. Create a secret that includes the customization Overrides for FIPS compliance:
    Note: Get the latest values for FIPS from the Konvoy Image Builder repo.

    cat > overrides.yaml << EOF 
---
k8s_image_registry: docker.io/mesosphere

fips:
  enabled: true

build_name_extra: -fips
kubernetes_build_metadata: fips.0
default_image_repo: hub.docker.io/mesosphere
kubernetes_rpm_repository_url: "https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v{{ kubernetes_version }}-fips/x86_64"
docker_rpm_repository_url: "\
  https://containerd-fips.s3.us-east-2.amazonaws.com\
  /{{ ansible_distribution_major_version|int }}\
  /x86_64"
EOF
    CODE

  2. If your pre-provisioned machines need to have a customization with alternate package libraries, Docker image repos, or other Custom Override Files, add more lines to the same Overrides file.

    1. Example:
      If you want to provide an override with Docker credentials and a different source for EPEL on a CentOS7 machine, you should create a file like this:

      cat > overrides.yaml << EOF 
---
# fips configuration
k8s_image_registry: docker.io/mesosphere

fips:
  enabled: true

build_name_extra: -fips
kubernetes_build_metadata: fips.0
default_image_repo: hub.docker.io/mesosphere
kubernetes_rpm_repository_url: "https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v{{ kubernetes_version }}-fips/x86_64"
docker_rpm_repository_url: "\
  https://containerd-fips.s3.us-east-2.amazonaws.com\
  /{{ ansible_distribution_major_version|int }}\
  /x86_64"

# custom configuration 
image_registries_with_auth:
- host: "registry-1.docker.io"
  username: "my-user"
  password: "my-password"
  auth: ""
  identityToken: ""

epel_centos_7_rpm: https://my-rpm-repostory.org/epel/epel-release-latest-7.noarch.rpm
EOF
 
      CODE

    2. Example:
      When using Oracle 7 OS, you may wish to deploy the RHCK kernel instead of the default UEK kernel. To do so, add the following text to your overrides.yaml:

      cat > overrides.yaml << EOF 
---
# fips configuration
k8s_image_registry: docker.io/mesosphere

fips:
  enabled: true

build_name_extra: -fips
kubernetes_build_metadata: fips.0
default_image_repo: hub.docker.io/mesosphere
kubernetes_rpm_repository_url: "https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v{{ kubernetes_version }}-fips/x86_64"
docker_rpm_repository_url: "\
  https://containerd-fips.s3.us-east-2.amazonaws.com\
  /{{ ansible_distribution_major_version|int }}\
  /x86_64"

# custom configuration
oracle_kernel: RHCK
EOF
      CODE

  3. Create the related secret by running the following command:

    kubectl create secret generic $CLUSTER_NAME-user-overrides --from-file=overrides.yaml=overrides.yaml
kubectl label secret $CLUSTER_NAME-user-overrides clusterctl.cluster.x-k8s.io/move=
    CODE