Importing a Certificate and KubeConfig File

The import tool cert-importer is included in the software package of each component.

  • For details about how to import an HTTPS certificate, see Importing an HTTPS Certificate.

    After an HTTPS certificate is imported, the integrating party must implement certificate expiration alarms. In addition, you are advised to update the certificate periodically. If you do not need to import a certificate, skip this section.

  • For details about how to import a KubeConfig file, see Importing the KubeConfig File.

Import Tool Description

  • Table 1 describes the components and the file imported for each, and Table 6 describes the command options.

    Table 1 Component file description

    Component: NPU-Exporter
    Type of Imported File: HTTPS certificate
    Import Command Example: ./cert-importer -certFile={certFile} -keyFile={keyFile} -caFile={caFile} -crlFile={crlFile} -cpt={component}
    Description:
    • External APIs are provided. By default, the HTTPS service is enabled and a certificate needs to be imported.
      NOTE:

      You can enable the HTTP service instead by adding -enableHTTP=true to the component startup parameters. However, you are liable for the corresponding security risks. (Only the NPU-Exporter component supports this parameter.)

    • Only X.509v3 certificates are supported, and the key usage of the root certificate must include certificate signing (keyCertSign).
    • If an RSA private key is used, its length must be greater than or equal to 3072 bits. If an ECC private key is used, its length must be greater than or equal to 256 bits.

    Component: HCCL-Controller, NodeD, Resilience-Controller, Ascend Device Plugin
    Type of Imported File: KubeConfig file that connects to Kubernetes
    Import Command Example: ./cert-importer -kubeConfig={kubeFile} -cpt={component}
    Description:
    • The ServiceAccount token file provided by Kubernetes is mounted on the physical machine, where it is exposed. You can import an encrypted KubeConfig file to replace the ServiceAccount for security hardening.
    • The Ascend Device Plugin is started in binary mode and does not have permission to access Kubernetes. Therefore, you need to import the encrypted KubeConfig file for access authorization.

  • Table 2 lists the tool operations.

    Table 2 Operation description

    Operation: Addition
    Description: Import a certificate, private key, or KubeConfig file.

    Operation: Update
    Description: Import a new certificate, private key, or KubeConfig file to replace the original one.

    After the import, restart the service component for the new file to take effect. Choose a file validity period that matches the product lifecycle, neither too long nor too short; otherwise, services may be interrupted by the service component restart that each renewal requires.

  • By default, after the private key and certificate are imported, the tool automatically deletes the private key and the KubeConfig authorization file. You can use the -n parameter to disable this automatic deletion. If the files are not deleted automatically, you must keep them secure. Once they are no longer needed, delete sensitive material such as the private key and the encrypted ciphertext immediately to prevent information leakage.
  • Imported files such as certificates are re-encrypted and stored in the /etc/mindx-dl directory. For details, see Table 5.
  • If 3.0.RC3 or a later version is downgraded to an earlier version, you need to manually delete the files in the /etc/mindx-dl/ directory and use the cert-importer tool of the earlier version to import the certificate again.
  • The system must have sufficient entropy for the encryption performed by the certificate import tool. If entropy is insufficient, the program may block. In this case, installing the haveged daemon is a feasible solution.

    Installation commands are as follows:

    • CentOS-like OSs: yum install haveged -y
    • Ubuntu-like OSs: apt install haveged -y

Importing an HTTPS Certificate

  1. Log in to the server where each component is to be installed as the root user. For details, see Component Installation Positions.
  2. Go to the directory where the component installation package was decompressed and add its lib folder to the LD_LIBRARY_PATH environment variable in the current shell. The setting does not need to be persisted or inherited by other users; it only tells the certificate import tool where to find the .so files of the encryption component.
    export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:`pwd`/lib/
  3. In the same directory, run the cert-importer tool to import the certificate. The following is a command example. For details about the command options, see Table 6.
    ./cert-importer -certFile=/xxx/server.crt -keyFile=/xxx/server.key -caFile=/xxx/ca.crt -crlFile=/xxx/server.crl -cpt=ne
    Table 3 Certificates to be imported

    Certificate to Be Imported: -certFile (service certificate), -keyFile (service private key)
    Authentication Mode: One-way authentication

    Certificate to Be Imported: -certFile (service certificate), -keyFile (service private key), -caFile (peer root certificate), -crlFile (offline CRL; optional)
    Authentication Mode: Two-way authentication

    Description (applies to both modes):
    • When an encrypted private key is imported, the private key decryption password is required.
    • By default, a certificate is required on every node where the NPU-Exporter is installed. If no certificate is available, the NPU-Exporter cannot be started.

Importing the KubeConfig File

  1. Generate the KubeConfig file: pull the createKubeConfig.sh file from the MindX-Deploy repository to the Kubernetes master node and run the following command to generate the KubeConfig file of each component:
    bash createKubeConfig.sh https://<masterIP>:6443

    If an error occurs when you run the preceding command, run the following command and try again:

    unset LD_LIBRARY_PATH
  2. Copy the KubeConfig file of each component from the /etc/kubernetes/mindxdl directory on the Kubernetes master node to any directory on the node where the component is installed, for example, /etc/kubernetes/mindxdl.
  3. On each node, go to the directory where the component installation package was decompressed and add its lib folder to the LD_LIBRARY_PATH environment variable in the current shell. The setting does not need to be persisted or inherited by other users; it only tells the certificate import tool where to find the .so files of the encryption component.
    export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:`pwd`/lib/
  4. Import the KubeConfig configuration file of each component to each node by running the commands listed in the following table. For details about the command options, see Table 6.
    Table 4 Commands for importing the KubeConfig file of each component

    Component: HCCL-Controller
    Command: ./cert-importer -kubeConfig=/etc/kubernetes/mindxdl/hccl-controller-cfg.conf -cpt=hc

    Component: NodeD
    Command: ./cert-importer -kubeConfig=/etc/kubernetes/mindxdl/noded-cfg.conf -cpt=nd

    Component: Ascend Device Plugin
    Command: ./cert-importer -kubeConfig=/etc/kubernetes/mindxdl/device-plugin-cfg.conf -cpt=dp

    Component: Resilience-Controller
    Command: ./cert-importer -kubeConfig=/etc/kubernetes/mindxdl/resilience-controller-cfg.conf -cpt=rc

Table 5 Certificate configuration files of each cluster scheduling component

Component: Root directory related to cluster scheduling component certificates
Configuration File Directory: /etc/mindx-dl/
Directory and File Owner: hwMindX:hwMindX
Configuration File Description:
  kmc_primary_store/master.ks: automatically generated main material. Do not delete it.
  .config/backup.ks: automatically generated backup material. Do not delete it.

Component: NPU-Exporter
Configuration File Directory: /etc/mindx-dl/npu-exporter/
Directory and File Owner: hwMindX:hwMindX
Configuration File Description:
  .config/config1: imported encrypted private key file. If it is deleted, HTTPS cannot be enabled.
  .config/config2: imported service certificate file. If it is deleted, HTTPS cannot be enabled.
  .config/config3: imported peer-end root certificate file. If it is deleted or does not exist, one-way authentication is enabled; otherwise, two-way authentication is enabled.
  .config/config4: imported certificate revocation list (CRL) file. After two-way authentication is enabled, the program checks the client certificate against the CRL.
  .config/config5: automatically generated ciphertext of the password that encrypts the private key.
  .conf: backup of the automatically generated password ciphertext file.
  .config1: backup of the imported encrypted private key file.
  .config2: backup of the imported service certificate file.
  .config3: backup of the imported peer-end root certificate file.
  .config4: backup of the imported CRL file.

Component: HCCL-Controller
Configuration File Directory: /etc/mindx-dl/hccl-controller/
Directory and File Owner: hwMindX:hwMindX
Configuration File Description:
  .config/config6: imported Kubernetes KubeConfig file, stored encrypted and used to connect to Kubernetes.
  .config6: backup of the imported encrypted KubeConfig file.

Component: NodeD
Configuration File Directory: /etc/mindx-dl/noded/
Directory and File Owner: hwMindX:hwMindX
Configuration File Description: same files as HCCL-Controller (.config/config6 and .config6).

Component: Resilience-Controller
Configuration File Directory: /etc/mindx-dl/resilience-controller/
Directory and File Owner: hwMindX:hwMindX
Configuration File Description: same files as HCCL-Controller (.config/config6 and .config6).

Component: Ascend Device Plugin
Configuration File Directory: /etc/mindx-dl/device-plugin/
Directory and File Owner: hwMindX:hwMindX
Configuration File Description: same files as HCCL-Controller (.config/config6 and .config6).

Table 6 Parameters of the certificate import tool

Parameter: -keyFile (type: string; default value: None)
Description: Path of the service private key. It cannot be left empty.

Parameter: -certFile (type: string; default value: None)
Description: Path of the service certificate. It cannot be left empty.

Parameter: -crlFile (type: string; default value: None)
Description: Path of the CRL. This parameter is optional.

Parameter: -caFile (type: string; default value: None)
Description: Path of the peer-end root certificate file. You need to import this file only for two-way authentication.

Parameter: -kubeConfig (type: string; default value: None)
Description: Path of the KubeConfig file to import.

Parameter: -cpt (type: string; default value: ne)
Description: Name of the component to which the certificate is imported:

  • ne: NPU-Exporter
  • hc: HCCL-Controller
  • nd: NodeD
  • dp: Ascend Device Plugin
  • rc: Resilience-Controller

Parameter: -encryptAlgorithm (type: int; default value: 9)
Description: Encryption algorithm for private key passwords:

  • 8: AES128GCM
  • 9: AES256GCM
    NOTE:

    Invalid values are reset to the default value.

Parameter: -version (type: bool; default value: false)
Description: Whether to print the program version number.

Parameter: -n (type: bool; default value: false)
Description: By default, sensitive files such as the private key and the KubeConfig file are deleted after a successful import. If this parameter is set to true, automatic deletion is disabled.

Parameter: -logFile (type: string; default value: /var/log/mindx-dl/cert-importer/cert-importer.log)
Description: Path for storing the tool run logs.

Parameter: -updateMk (type: bool; default value: false)
Description: If the value is true, the master key of the KMC encryption component is updated immediately.

Parameter: -updateRk (type: bool; default value: false)
Description: If the value is true, the root key of the KMC encryption component is updated immediately.

Parameter: -h (type: none; default value: N/A)
Description: Help information.