(Optional) Importing a Certificate and KubeConfig File
Instructions
- Before using the tool, view Import Tool Description and select the import procedure based on your requirements.
- For details about how to import a KubeConfig file, see Importing the KubeConfig File.
Import Tool Description
- See Table 1 for details about file import and Table 4 for details about command parameters.
Table 1 Component file description

| Component | Type of Imported File | Import Command Example | Description |
|---|---|---|---|
| Resilience Controller | KubeConfig file for connecting to Kubernetes | ./cert-importer -kubeConfig={kubeFile} -cpt={component} | The token file of the Kubernetes ServiceAccount is mounted on the physical machine, which poses an exposure risk. You can import an encrypted KubeConfig file in place of the ServiceAccount for security hardening. |
- See Table 2 for details about the supported operations.
Table 2 Operation description

| Operation | Description |
|---|---|
| Addition | Imports the KubeConfig file. |
| Update | Imports a new KubeConfig file to replace the old one. |

After the import, restart the service component for the file to take effect. The validity period of the file must match the product lifecycle: it must be neither too long nor too short, otherwise services may be interrupted by the restart of the service component.
- By default, after the import is successful, the tool automatically deletes the KubeConfig authorization file. You can use the -n parameter to disable the automatic deletion function. If the file is not automatically deleted, you must keep the related configuration file secure. If you decide not to use the file, delete it immediately to prevent accidental leakage.
- The imported files are re-encrypted and stored in the /etc/mindx-dl directory. For details, see Table 3.
- If 3.0.RC3 or a later version is downgraded to an earlier version, you need to manually delete the files in the /etc/mindx-dl/ directory and use the cert-importer tool of an earlier version to import files again.
- The system must have a sufficiently filled entropy pool for the encryption performed by the import tool. If entropy is insufficient, the program may block. In that case, haveged is a feasible solution.
Installation commands are as follows:
- For CentOS-like OSs, run the yum install haveged -y command to install haveged and the systemctl start haveged command to start it.
- For Ubuntu-like OSs, run the apt install haveged -y command to install haveged and the systemctl start haveged command to start it.
Importing the KubeConfig File
- Log in to the Kubernetes management node.
- Create the /etc/kubernetes/mindxdl folder and set the permission to 750.
rm -rf /etc/kubernetes/mindxdl
mkdir /etc/kubernetes/mindxdl
chmod 750 /etc/kubernetes/mindxdl
- Create the KubeConfig file resilience-controller-cfg.conf by referring to the Kubernetes documentation. The user field in the KubeConfig file must be resilience-controller. Place the KubeConfig file in the /etc/kubernetes/mindxdl/ directory.
- Go to the directory where the Resilience Controller installation package was decompressed and add its lib folder to the LD_LIBRARY_PATH environment variable in the current shell only; the setting does not need to be persisted or inherited by other users. (This tells the certificate import tool where the .so files of the encryption component are.)
- Run the following command to back up the environment variable:
export LD_LIBRARY_PATH_BAK=${LD_LIBRARY_PATH}
- Run the following command to add the lib folder to the environment variable LD_LIBRARY_PATH:
export LD_LIBRARY_PATH=`pwd`/lib/:${LD_LIBRARY_PATH}
- Import the KubeConfig file (Resilience Controller used as an example).
./cert-importer -kubeConfig=/etc/kubernetes/mindxdl/resilience-controller-cfg.conf -cpt=rc
If the following information is displayed, the import is successful.
encrypt kubeConfig successfully
start to write data to disk
[OP]import kubeConfig successfully
change owner and set file mode successfully
- If the KubeConfig file has been imported but the component still displays an error message indicating an abnormal Kubernetes connection, rectify the fault by referring to Cluster Scheduling Components Fail to Connect Kubernetes.
- When the certificate is imported, cert-importer automatically creates the /var/log/mindx-dl/cert-importer directory with permissions set to 750 and ownership assigned to root:root.
- Run the following command to restore the backup environment variable:
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH_BAK}
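The steps above, together with the entropy-pool note from the tool description, as one shell script. This is an added example and not part of the MindX DL documentation or of the cert-importer tool: it wraps the pre-flight checks (entropy pool, folder with mode 750, user field of the KubeConfig), the LD_LIBRARY_PATH backup and restore, the import call and the check for the documented success messages in functions. The package directory is passed as a parameter and cert-importer is assumed to sit in it; the entropy threshold ENTROPY_MIN and the sample KubeConfig with placeholder credentials are assumptions made for the dry run.

```shell
#!/bin/sh
# Added example, not part of the MindX DL documentation: the pre-flight checks
# and the import sequence described above, wrapped in functions so each step
# can be checked. cert-importer is assumed to sit in the package directory
# passed as $1 to run_import; ENTROPY_MIN is an assumed threshold.

ENTROPY_MIN=${ENTROPY_MIN:-256}

# 0 = entropy pool at or above ENTROPY_MIN, 1 = below (start haveged), 2 = not readable here.
check_entropy() {
    f=/proc/sys/kernel/random/entropy_avail
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" -ge "$ENTROPY_MIN" ]
}

# Recreates the folder ($1, normally /etc/kubernetes/mindxdl) with mode 750.
prepare_dir() {
    rm -rf "$1" && mkdir -p "$1" && chmod 750 "$1"
}

# Constructed sample KubeConfig with placeholder credentials (not real cluster data).
write_sample_kubeconfig() {
    cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- name: mindx
  cluster:
    server: https://127.0.0.1:6443
    certificate-authority-data: PLACEHOLDER_CA
users:
- name: resilience-controller
  user:
    client-certificate-data: PLACEHOLDER_CERT
    client-key-data: PLACEHOLDER_KEY
contexts:
- name: rc@mindx
  context:
    cluster: mindx
    user: resilience-controller
current-context: rc@mindx
EOF
    chmod 600 "$1"
}

# 0 when the KubeConfig at $1 references the user $2 (default resilience-controller).
kubeconfig_has_user() {
    grep -Eq "^[[:space:]]*user:[[:space:]]*${2:-resilience-controller}[[:space:]]*$" "$1"
}

# Back up LD_LIBRARY_PATH and prepend <package>/lib, as the steps above do.
push_lib_path() {
    LD_LIBRARY_PATH_BAK=${LD_LIBRARY_PATH:-}
    LD_LIBRARY_PATH="$1/lib/:${LD_LIBRARY_PATH:-}"
    export LD_LIBRARY_PATH LD_LIBRARY_PATH_BAK
}

# Restore LD_LIBRARY_PATH from the backup and drop the backup variable.
pop_lib_path() {
    LD_LIBRARY_PATH=${LD_LIBRARY_PATH_BAK:-}
    export LD_LIBRARY_PATH
    unset LD_LIBRARY_PATH_BAK
}

# 0 when the captured tool output ($1) contains the documented success messages.
import_succeeded() {
    printf '%s\n' "$1" | grep -q 'encrypt kubeConfig successfully' &&
        printf '%s\n' "$1" | grep -q 'import kubeConfig successfully'
}

# $1 = package directory, $2 = KubeConfig path, $3 = component (default rc).
run_import() {
    pkg=$1; cfg=$2; cpt=${3:-rc}
    check_entropy && ent=0 || ent=$?
    if [ "$ent" -eq 1 ]; then
        echo "entropy below $ENTROPY_MIN: install and start haveged first" >&2
        return 1
    fi
    [ "$ent" -eq 2 ] && echo "entropy_avail not readable; skipping check" >&2
    kubeconfig_has_user "$cfg" || { echo "$cfg: user field is not resilience-controller" >&2; return 1; }
    push_lib_path "$pkg"
    out=$("$pkg/cert-importer" -kubeConfig="$cfg" -cpt="$cpt" 2>&1)
    status=$?
    pop_lib_path
    printf '%s\n' "$out"
    [ "$status" -eq 0 ] && import_succeeded "$out"
}

# Usage: sh import.sh --run <package_dir> /etc/kubernetes/mindxdl/resilience-controller-cfg.conf
if [ "${1:-}" = "--run" ]; then
    run_import "$2" "$3" rc
fi
```

The LD_LIBRARY_PATH change is exported only for the duration of run_import and restored afterwards, which is the same effect the manual backup and restore steps have on the current window; an import is treated as successful only when both the exit status is zero and the documented success messages are present in the output.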
Table 3 Configuration file description

| Component | Configuration File Directory | Directory and File Owner | Configuration File Description |
|---|---|---|---|
| Root directory for the cluster scheduling component certificates | /etc/mindx-dl/ | hwMindX:hwMindX | kmc_primary_store/master.ks: automatically generated master key; do not delete it. .config/backup.ks: automatically generated backup key; do not delete it. |
| Resilience Controller | /etc/mindx-dl/resilience-controller/ | hwMindX:hwMindX | .config/config6: imported and encrypted Kubernetes KubeConfig file, used for connecting to Kubernetes. .config6: backup of the imported, encrypted KubeConfig file. |
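A post-import check of the layout in Table 3 and of the log directory created by cert-importer, as an added example that is not part of the MindX DL documentation or the tool. It verifies that the master and backup keys and the encrypted KubeConfig files exist with the documented owner, and that the log directory has mode 750 and owner root:root. The paths and owners default to the documented values; the parameters that override them exist only so the check can be rehearsed in a scratch directory and are an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the MindX DL documentation: verifies the ownership
# of the Table 3 tree and the mode/owner of the log directory created during
# import. Paths and owners default to the documented values and can be
# overridden so the check can be rehearsed in a scratch directory.

# Octal mode of $1 (GNU stat, with BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# "user:group" of $1.
file_owner() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# 0 when $1 exists with mode $2 and owner $3; diagnostics go to stderr.
check_entry() {
    path=$1; want_mode=$2; want_owner=$3
    [ -e "$path" ] || { echo "MISSING  $path" >&2; return 1; }
    mode=$(file_mode "$path")
    owner=$(file_owner "$path")
    bad=0
    [ "$mode" = "$want_mode" ] || { echo "MODE     $path is $mode, want $want_mode" >&2; bad=1; }
    [ "$owner" = "$want_owner" ] || { echo "OWNER    $path is $owner, want $want_owner" >&2; bad=1; }
    return $bad
}

# $1 = root directory (default /etc/mindx-dl), $2 = log directory
# (default /var/log/mindx-dl/cert-importer), $3/$4 = expected owners.
verify_layout() {
    base=${1:-/etc/mindx-dl}
    logdir=${2:-/var/log/mindx-dl/cert-importer}
    base_owner=${3:-hwMindX:hwMindX}
    log_owner=${4:-root:root}
    failures=0
    # Table 3 lists these entries; the two key files must never be deleted.
    for f in "$base" \
             "$base/kmc_primary_store/master.ks" \
             "$base/.config/backup.ks" \
             "$base/resilience-controller/.config/config6" \
             "$base/resilience-controller/.config6"; do
        if [ ! -e "$f" ]; then
            echo "MISSING  $f" >&2; failures=$((failures + 1))
        elif [ "$(file_owner "$f")" != "$base_owner" ]; then
            echo "OWNER    $f is $(file_owner "$f"), want $base_owner" >&2
            failures=$((failures + 1))
        fi
    done
    # The log directory is created with mode 750 and owner root:root.
    check_entry "$logdir" 750 "$log_owner" || failures=$((failures + 1))
    [ "$failures" -eq 0 ]
}

# Usage: sh verify-layout.sh --run   (checks the documented default paths)
if [ "${1:-}" = "--run" ]; then
    verify_layout && echo "layout OK"
fi
```

Running the check after an import, and again after a downgrade or an update of the KubeConfig file, catches a missing key file or a wrong owner before the service component is restarted and fails to read its configuration.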
Table 4 Command parameters

| Parameter | Type | Default Value | Description |
|---|---|---|---|
| -kubeConfig | String | None | Path of the KubeConfig file to be imported. |
| -cpt | String | rc | Name of the component whose certificate is imported. rc indicates Resilience Controller. |
| -encryptAlgorithm | Integer | 9 | Encryption algorithm for private key passwords. NOTE: Invalid values are reset to the default value. |
| -version | Bool | false | Queries the Resilience Controller version. |
| -n | Bool | false | Whether to delete the KubeConfig file after it is imported. By default the file is deleted automatically; specify -n to disable the automatic deletion. |
| -logFile | String | /var/log/mindx-dl/cert-importer/cert-importer.log | Path for storing the tool run logs. NOTE: Dumped log files are named in the format cert-importer-<dump trigger time>.log, for example cert-importer-2023-10-07T03-38-24.402.log. |
| -updateMk | Bool | false | Whether to update the master key of the KMC encryption component. |
| -updateRk | Bool | false | Whether to update the root key of the KMC encryption component. |
| -h or --help | None | None | Help information. |