Pre-provisioned FIPS Create Secrets and Overrides

DKP requires SSH access to your infrastructure with superuser privileges. Because the SSH private key you provide to DKP must be unencrypted, storing it in a Kubernetes Secret is the appropriate way to deliver it. Populate the key and create the required secret on your bootstrap cluster using the following procedure.

Create a Unique Cluster Name

Give your cluster a unique name suitable for your environment.

Set the environment variable to be used throughout this procedure:

    export CLUSTER_NAME=preprovisioned-example

(Optional) If you want to generate a unique cluster name, use this command. It produces a different name every time you run it, so use it carefully:

    export CLUSTER_NAME=preprovisioned-example-$(LC_CTYPE=C tr -dc 'a-z0-9' </dev/urandom | fold -w 5 | head -n1)
    echo $CLUSTER_NAME

The printed name looks like this:

    preprovisioned-example-pf4a3

Create a Secret

Create a secret that contains the SSH key with these commands:

    export SSH_PRIVATE_KEY_FILE="<path-to-ssh-private-key>"
    export SSH_PRIVATE_KEY_SECRET_NAME=$CLUSTER_NAME-ssh-key
    kubectl create secret generic ${SSH_PRIVATE_KEY_SECRET_NAME} --from-file=ssh-privatekey=${SSH_PRIVATE_KEY_FILE}
    # The label marks the secret so that clusterctl move carries it to the management cluster.
    kubectl label secret ${SSH_PRIVATE_KEY_SECRET_NAME} clusterctl.cluster.x-k8s.io/move=

The output confirms that the secret was created and labeled:

    secret/preprovisioned-example-ssh-key created
    secret/preprovisioned-example-ssh-key labeled

Non-air-gapped Environment: Create FIPS-140 Images

Konvoy Image Builder (KIB) can produce images containing FIPS 140-compliant binaries. Use the fips.yaml override file provided with the image bundles.

You can also find these override files in the Konvoy Image Builder repo.

Create Overrides

  1. Create a secret that includes the customization overrides for FIPS compliance:
    Note: Get the latest values for FIPS from the Konvoy Image Builder repo.

    # Quote the delimiter: otherwise the shell removes the "\<newline>" sequences in the
    # URL below and leaves stray spaces inside it before YAML can fold the lines.
    cat > overrides.yaml << 'EOF'
    ---
    k8s_image_registry: docker.io/mesosphere
    
    fips:
      enabled: true
    
    build_name_extra: -fips
    kubernetes_build_metadata: fips.0
    default_image_repo: hub.docker.io/mesosphere
    kubernetes_rpm_repository_url: "https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v{{ kubernetes_version }}-fips/x86_64"
    docker_rpm_repository_url: "\
      https://containerd-fips.s3.us-east-2.amazonaws.com\
      /{{ ansible_distribution_major_version|int }}\
      /x86_64"
    EOF

  2. If your pre-provisioned machines need further customization, such as alternate package libraries, Docker or other container registry image repos, or other Custom Override Files, add those lines to the same overrides file.

    1. Example:
      If you want to provide an override with Docker credentials and a different source for EPEL on a CentOS 7 machine, create a file like this:

      # Quote the delimiter so the shell passes the multi-line URL through to YAML unchanged.
      cat > overrides.yaml << 'EOF'
      ---
      # fips configuration
      k8s_image_registry: docker.io/mesosphere
      
      fips:
        enabled: true
      
      build_name_extra: -fips
      kubernetes_build_metadata: fips.0
      default_image_repo: hub.docker.io/mesosphere
      kubernetes_rpm_repository_url: "https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v{{ kubernetes_version }}-fips/x86_64"
      docker_rpm_repository_url: "\
        https://containerd-fips.s3.us-east-2.amazonaws.com\
        /{{ ansible_distribution_major_version|int }}\
        /x86_64"
      
      # custom configuration
      image_registries_with_auth:
      - host: "registry-1.docker.io"
        username: "my-user"
        password: "my-password"
        auth: ""
        identityToken: ""
      
      epel_centos_7_rpm: https://my-rpm-repository.org/epel/epel-release-latest-7.noarch.rpm
      EOF

    2. Example:
      When using Oracle 7 OS, you may want to deploy the RHCK kernel instead of the default UEK kernel. To do so, include the following in your overrides.yaml:

      # Quote the delimiter so the shell passes the multi-line URL through to YAML unchanged.
      cat > overrides.yaml << 'EOF'
      ---
      # fips configuration
      k8s_image_registry: docker.io/mesosphere
      
      fips:
        enabled: true
      
      build_name_extra: -fips
      kubernetes_build_metadata: fips.0
      default_image_repo: hub.docker.io/mesosphere
      kubernetes_rpm_repository_url: "https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v{{ kubernetes_version }}-fips/x86_64"
      docker_rpm_repository_url: "\
        https://containerd-fips.s3.us-east-2.amazonaws.com\
        /{{ ansible_distribution_major_version|int }}\
        /x86_64"
      
      # custom configuration
      oracle_kernel: RHCK
      EOF


  3. Create the related secret by running the following command:

    kubectl create secret generic $CLUSTER_NAME-user-overrides --from-file=overrides.yaml=overrides.yaml
    kubectl label secret $CLUSTER_NAME-user-overrides clusterctl.cluster.x-k8s.io/move=
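The overrides files above carry docker_rpm_repository_url as a double-quoted YAML scalar split with backslash line breaks. If the heredoc delimiter is left unquoted, the shell removes each backslash-newline itself and keeps the continuation indentation inside the value, so the URL that reaches KIB contains spaces. This added example (not part of the DKP documentation or of KIB) writes that fragment both ways and folds the result the way a YAML parser does, so the overrides file can be checked before its secret is created.

```shell
#!/bin/sh
# Added example, not part of the DKP documentation: shows why the overrides.yaml
# heredoc delimiter should be quoted when the YAML value uses "\<newline>" folding.

# Unquoted delimiter: the shell drops each "\<newline>" before the text is written,
# so the continuation indentation ends up inside the quoted URL.
write_url_unquoted_heredoc() {
  cat > "$1" << EOF
docker_rpm_repository_url: "\
  https://containerd-fips.s3.us-east-2.amazonaws.com\
  /{{ ansible_distribution_major_version|int }}\
  /x86_64"
EOF
}

# Quoted delimiter: the body reaches the file verbatim and YAML does the folding.
write_url_quoted_heredoc() {
  cat > "$1" << 'EOF'
docker_rpm_repository_url: "\
  https://containerd-fips.s3.us-east-2.amazonaws.com\
  /{{ ansible_distribution_major_version|int }}\
  /x86_64"
EOF
}

# Print the value of docker_rpm_repository_url after applying YAML's rule for an
# escaped line break in a double-quoted scalar: drop the backslash and the newline,
# then drop the leading whitespace of the continuation line.
folded_docker_url() {
  awk '
    /^docker_rpm_repository_url:/ { grab = 1; sub(/^docker_rpm_repository_url:[ ]*"/, "") }
    grab {
      sub(/^[ ]+/, "")
      if (sub(/\\$/, "")) { buf = buf $0; next }   # escaped line break, keep reading
      sub(/"$/, "")
      print buf $0
      exit
    }' "$1"
}

# The URL KIB is meant to receive (the value from the overrides file, folded).
EXPECTED_URL='https://containerd-fips.s3.us-east-2.amazonaws.com/{{ ansible_distribution_major_version|int }}/x86_64'

# Returns 0 only when the overrides file yields exactly the intended URL.
docker_url_is_clean() {
  [ "$(folded_docker_url "$1")" = "$EXPECTED_URL" ]
}
```

Run `docker_url_is_clean overrides.yaml` against the file you generated before creating the $CLUSTER_NAME-user-overrides secret; a non-zero exit means the URL was mangled on the way into the file.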

Next Step

Pre-provisioned Define Control Plane Endpoint

If none of the customizations apply, continue to installation instructions for your environment:
