deads2k
diff --git a/‎tls/README.md‎
Lines changed: 26 additions & 5 deletions b/‎tls/README.md‎
Lines changed: 26 additions & 5 deletions
diff --git a/‎tls/docs/Aggregated API Server Certificates/README.md‎
Lines changed: 4 additions & 4 deletions b/‎tls/docs/Aggregated API Server Certificates/README.md‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎tls/docs/Aggregated API Server Certificates/cert-flow.dot‎
Lines changed: 6 additions & 6 deletions b/‎tls/docs/Aggregated API Server Certificates/cert-flow.dot‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎tls/docs/Aggregated API Server Certificates/cert-flow.json‎
Lines changed: 47 additions & 47 deletions b/‎tls/docs/Aggregated API Server Certificates/cert-flow.json‎
Lines changed: 47 additions & 47 deletions
diff --git a/‎tls/docs/Aggregated API Server Certificates/cert-flow.png‎
-11.3 KB b/‎tls/docs/Aggregated API Server Certificates/cert-flow.png‎
-11.3 KB
diff --git a/‎tls/docs/Aggregated API Server Certificates/cert-flow.svg‎
Lines changed: 26 additions & 26 deletions b/‎tls/docs/Aggregated API Server Certificates/cert-flow.svg‎
Lines changed: 26 additions & 26 deletions
diff --git a/‎tls/docs/Aggregated API Server Certificates/subca-668341161.dot‎
Lines changed: 2 additions & 2 deletions b/‎tls/docs/Aggregated API Server Certificates/subca-668341161.dot‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎tls/docs/Aggregated API Server Certificates/subca-668341161.png‎
-14 KB b/‎tls/docs/Aggregated API Server Certificates/subca-668341161.png‎
-14 KB
diff --git a/‎tls/docs/Aggregated API Server Certificates/subcert-aggregator-signer3491090056197643081.png‎
111 KB b/‎tls/docs/Aggregated API Server Certificates/subcert-aggregator-signer3491090056197643081.png‎
111 KB
diff --git a/‎tls/docs/Aggregated API Server Certificates/subcert-aggregator-signer3783714127421522860.png‎
111 KB b/‎tls/docs/Aggregated API Server Certificates/subcert-aggregator-signer3783714127421522860.png‎
111 KB
@@ -3,12 +3,33 @@ It may change over time and is not guaranteed to be stable.
 This is a useful starting point for understanding the cert chains in openshift used to secure kubernetes.
 
 1. Build an image to collect the certs, keys, and ca bundles from the host.
-   1. Something like `docker build pkg/cmd/locateinclustercerts/ -t docker.io/deads2k/cert-collection:latest -f Dockerfile`
+   1. Something like `docker build pkg/cmd/locateinclustercerts/ -t docker.io/$USER/locateinclustercerts:latest -f Dockerfile`
    2. Push to dockerhub
 2. Gather data.
    1. `oc adm inspect clusteroperators` -- this will gather all the in-cluster certificates and ca bundles
-   2. run pods on the masters.  Something like `oc debug --image=docker.io/deads2k/cert-collection:08 node/ci-ln-z2l4snt-f76d1-prqp5-master-2`
+   2. run pods on the masters.  Something like:
+
+```bash
+NODE=$(kubectl get nodes | grep master | head -n1 | awk '{ print $1 }') \
+    IMAGE=$(podman image list --sort created | grep locateinclustercerts | awk '{ print $1 ":" $2 }') \
+    oc debug --image=$IMAGE node/$NODE
+```
+
    3. in those pods, run `master-cert-collection.sh` to collect the data from the host.  Leave the pod running after completion.
-   4. pull the on-disk data locally. Something like `oc rsync ci-ln-z2l4snt-f76d1-prqp5-master-2-debug:/must-gather ../sample-data/master-2/`
-3. Be sure dot is installed locally
-4. Run code like `kubectl-dev_tool certs locate-incluster-certs --local -f ../sample-data/ --additional-input-dir ../sample-data/ -odoc` to produce the doc.
+   4. pull the on-disk data locally. Something like:
+
+```bash
+POD=$(kubectl get pods -A | rg debug | awk '{ print $2 }') \
+   oc rsync $POD:/must-gather .
+```
+
+
+    5. Be sure dot is installed locally
+    6. To produce the doc, use something like: 
+
+
+```bash
+INSPECT_DIR=$(find . -name 'inspect.local.*') \
+    kubectl-dev_tool certs locate-incluster-certs --local -f $INSPECT_DIR --additional-input-dir ./must-gather -odoc
+```
+
@@ -17,15 +17,15 @@ Used to secure connections between the kube-apiserver and aggregated API Servers
 
 
 ### aggregator-front-proxy-signer
-![PKI Graph](subcert-aggregator-signer8209157924322867463.png)
+![PKI Graph](subcert-aggregator-signer3783714127421522860.png)
 
 Signer for the kube-apiserver to create client certificates for aggregated apiservers to recognize as a front-proxy.
 
 | Property | Value |
 | ----------- | ----------- |
 | Type | Signer |
 | CommonName | aggregator-signer |
-| SerialNumber | 8209157924322867463 |
+| SerialNumber | 3783714127421522860 |
 | Issuer CommonName | [aggregator-front-proxy-signer](#aggregator-front-proxy-signer) |
 | Validity | 24h |
 | Signature Algorithm | SHA256-RSA |
@@ -50,15 +50,15 @@ Signer for the kube-apiserver to create client certificates for aggregated apise
 
 
 ### aggregator-front-proxy-client
-![PKI Graph](subcert-systemopenshift-aggregator8112884492387709090.png)
+![PKI Graph](subcert-systemopenshift-aggregator2634640073442595002.png)
 
 Client certificate used by the kube-apiserver to communicate to aggregated apiservers.
 
 | Property | Value |
 | ----------- | ----------- |
 | Type | Client |
 | CommonName | system:openshift-aggregator |
-| SerialNumber | 8112884492387709090 |
+| SerialNumber | 2634640073442595002 |
 | Issuer CommonName | [aggregator-front-proxy-signer](#aggregator-front-proxy-signer) |
 | Validity | 23h |
 | Signature Algorithm | SHA256-RSA |
 
@@ -1,14 +1,14 @@
 digraph "OpenShift Certificates" {
   // Node definitions.
   0 [
-    label="certkeypair/aggregator-front-proxy-signer\n\nsecret/aggregator-client-signer -nopenshift-kube-apiserver-operator\n"
+    label="certkeypair/aggregator-front-proxy-client\n\nsecret/aggregator-client -nopenshift-kube-apiserver\n    file:///etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt/tls.crt,file:///etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt/tls.key\n"
     style=filled
-    fillcolor="#c7bfff"
+    fillcolor="#c8fbcd"
   ];
   1 [
-    label="certkeypair/aggregator-front-proxy-client\n\nsecret/aggregator-client -nopenshift-kube-apiserver\n    file:///etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt/tls.crt,file:///etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt/tls.key\n"
+    label="certkeypair/aggregator-front-proxy-signer\n\nsecret/aggregator-client-signer -nopenshift-kube-apiserver-operator\n"
     style=filled
-    fillcolor="#c8fbcd"
+    fillcolor="#c7bfff"
   ];
   2 [
     label="cabundle/aggregator-front-proxy-ca\n\nconfigmaps/kube-apiserver-aggregator-client-ca -nopenshift-config-managed\n    configmaps/aggregator-client-ca -nopenshift-kube-apiserver\n    configmaps/aggregator-client-ca -nopenshift-kube-controller-manager\n    file:///etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/aggregator-client-ca/ca-bundle.crt/ca-bundle.crt\n    file:///etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt/ca-bundle.crt\n"
@@ -17,6 +17,6 @@ digraph "OpenShift Certificates" {
   ];
 
   // Edge definitions.
-  0 -> 1;
-  0 -> 2;
+  1 -> 0;
+  1 -> 2;
 }
@@ -42,7 +42,7 @@
             {
               "CertIdentifier": {
                 "CommonName": "aggregator-signer",
-                "SerialNumber": "8209157924322867463",
+                "SerialNumber": "3783714127421522860",
                 "Issuer": {
                   "CommonName": "aggregator-signer",
                   "SerialNumber": "",
@@ -70,54 +70,10 @@
   },
   "CertKeyPairs": {
     "Items": [
-      {
-        "LogicalName": "aggregator-front-proxy-signer",
-        "Description": "Signer for the kube-apiserver to create client certificates for aggregated apiservers to recognize as a front-proxy.",
-        "Name": "aggregator-signer::8209157924322867463",
-        "Spec": {
-          "SecretLocations": [
-            {
-              "Namespace": "openshift-kube-apiserver-operator",
-              "Name": "aggregator-client-signer"
-            }
-          ],
-          "OnDiskLocations": null,
-          "CertMetadata": {
-            "CertIdentifier": {
-              "CommonName": "aggregator-signer",
-              "SerialNumber": "8209157924322867463",
-              "Issuer": {
-                "CommonName": "aggregator-signer",
-                "SerialNumber": "",
-                "Issuer": null
-              }
-            },
-            "SignatureAlgorithm": "SHA256-RSA",
-            "PublicKeyAlgorithm": "RSA",
-            "PublicKeyBitSize": "2048 bit",
-            "ValidityDuration": "24h",
-            "Usages": [
-              "KeyUsageDigitalSignature",
-              "KeyUsageKeyEncipherment",
-              "KeyUsageCertSign"
-            ],
-            "ExtendedUsages": []
-          },
-          "Details": {
-            "CertType": "SignerCertDetails",
-            "SignerDetails": {},
-            "ServingCertDetails": null,
-            "ClientCertDetails": null
-          }
-        },
-        "Status": {
-          "Errors": null
-        }
-      },
       {
         "LogicalName": "aggregator-front-proxy-client",
         "Description": "Client certificate used by the kube-apiserver to communicate to aggregated apiservers.",
-        "Name": "system:openshift-aggregator::8112884492387709090",
+        "Name": "system:openshift-aggregator::2634640073442595002",
         "Spec": {
           "SecretLocations": [
             {
@@ -146,7 +102,7 @@
           "CertMetadata": {
             "CertIdentifier": {
               "CommonName": "system:openshift-aggregator",
-              "SerialNumber": "8112884492387709090",
+              "SerialNumber": "2634640073442595002",
               "Issuer": {
                 "CommonName": "aggregator-signer",
                 "SerialNumber": "",
@@ -177,6 +133,50 @@
         "Status": {
           "Errors": null
         }
+      },
+      {
+        "LogicalName": "aggregator-front-proxy-signer",
+        "Description": "Signer for the kube-apiserver to create client certificates for aggregated apiservers to recognize as a front-proxy.",
+        "Name": "aggregator-signer::3783714127421522860",
+        "Spec": {
+          "SecretLocations": [
+            {
+              "Namespace": "openshift-kube-apiserver-operator",
+              "Name": "aggregator-client-signer"
+            }
+          ],
+          "OnDiskLocations": null,
+          "CertMetadata": {
+            "CertIdentifier": {
+              "CommonName": "aggregator-signer",
+              "SerialNumber": "3783714127421522860",
+              "Issuer": {
+                "CommonName": "aggregator-signer",
+                "SerialNumber": "",
+                "Issuer": null
+              }
+            },
+            "SignatureAlgorithm": "SHA256-RSA",
+            "PublicKeyAlgorithm": "RSA",
+            "PublicKeyBitSize": "2048 bit",
+            "ValidityDuration": "24h",
+            "Usages": [
+              "KeyUsageDigitalSignature",
+              "KeyUsageKeyEncipherment",
+              "KeyUsageCertSign"
+            ],
+            "ExtendedUsages": []
+          },
+          "Details": {
+            "CertType": "SignerCertDetails",
+            "SignerDetails": {},
+            "ServingCertDetails": null,
+            "ClientCertDetails": null
+          }
+        },
+        "Status": {
+          "Errors": null
+        }
       }
     ]
   }
 
@@ -1,6 +1,6 @@
 digraph "Local Certificate" {
   // Node definitions.
-  0 [
+  1 [
     label="certkeypair/aggregator-front-proxy-signer\n\nsecret/aggregator-client-signer -nopenshift-kube-apiserver-operator\n"
     style=filled
     fillcolor="#c7bfff"
@@ -12,5 +12,5 @@ digraph "Local Certificate" {
   ];
 
   // Edge definitions.
-  0 -> 2;
+  1 -> 2;
 }