Skip to content

Commit

Permalink
docs: add more sections to documentation
Browse files Browse the repository at this point in the history
  • Loading branch information
@raczu @BbqGamer
raczu authored and BbqGamer committed Oct 27, 2023
1 parent 45861ba commit 73c1386
Show file tree
Hide file tree
Showing 17 changed files with 468 additions and 79 deletions.
Binary file added docs/assets/creating-issuer.gif
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/assets/signing-certificate.gif
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
8 changes: 8 additions & 0 deletions docs/documentation/.pages
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
nav:
- installation.md
- configuration.md
- CRDs
- certificates
- metrics
- tutorials
- troubleshooting.md
45 changes: 0 additions & 45 deletions docs/documentation/02_configuration.md
View file

This file was deleted.

3 changes: 3 additions & 0 deletions docs/documentation/CRDs/.pages
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
nav:
- issuer.md
- cluster-issuer.md
50 changes: 50 additions & 0 deletions docs/documentation/CRDs/cluster-issuer.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
---
weight: 4
---

# ClusterIssuer

With the `ClusterIssuer`, the definition does not differ from that presented
with `Issuer`, and the only differences are in the field `kind` and the non-existence of field
`.metadata.namespace` due to `Cluster` scope reasons.

## Resource definition

Below is an example `yaml` file containing `ClusterIssuer` definition:

```yaml title="clusterissuer.yaml"
apiVersion: certmanager.ncm.nokia.com/v1
kind: ClusterIssuer
metadata:
name: example-ncm-clusterissuer
spec:
caName: ncm-ca
caID: e1DefAscx
provisioner:
mainAPI: https://nokia-ncm.local
backupAPI: https://nokia-backup-ncm.local
httpClientTimeout: 10s
healthCheckerInterval: 1m
authRef:
name: ncm-rest-auth
namespace: ncm-ns
tlsRef:
name: ncm-tls
namespace: ncm-ns
profileId: "101"
useProfileIDForRenew: true
reenrollmentOnRenew: true
noRoot: true
chainInSigner: false
onlyEECert: true
```
!!! warning
With release `1.1.0-1.1.0` the name of some fields in `Issuer` has changed, but old names are
still supported and can be used (this applies to: `CASNAME`, `CASHREF`, `ncmSERVER`, `ncmSERVER2`, `secretName`,
`tlsSecretName`, `authNameSpace`), but they are not recommended to be used anymore.

## Fields description

As mentioned above, the `ClusterIssuer` differs practically in nothing from the `Issuer`, so the description of
`Issuer` fields and their usage is also correct for it: [issuer fields description](issuer.md#fields-description).
91 changes: 91 additions & 0 deletions docs/documentation/CRDs/issuer.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
---
weight: 3
---

# Issuer

The first thing you need to configure and create after installing ncm-issuer is `Issuer` or `ClusterIssuer`.
The `Issuer` or `ClusterIssuer` is considered as a representative of an existing certificate authority (CA)
in the NCM that will issue certificates using it.

## Resource definition

Below is an example `yaml` file containing `Issuer` definition:

```yaml title="issuer.yaml"
apiVersion: certmanager.ncm.nokia.com/v1
kind: Issuer
metadata:
name: example-ncm-issuer
namespace: ncm-ns
spec:
caName: ncm-ca
caID: e1DefAscx
provisioner:
mainAPI: https://nokia-ncm.local
backupAPI: https://nokia-backup-ncm.local
httpClientTimeout: 10s
healthCheckerInterval: 1m
authRef:
name: ncm-rest-auth
namespace: ncm-ns
tlsRef:
name: ncm-tls
namespace: ncm-ns
profileId: "101"
useProfileIDForRenew: true
reenrollmentOnRenew: true
noRoot: true
chainInSigner: false
onlyEECert: true
```
!!! warning
With release `1.1.0-1.1.0` the name of some fields in `Issuer` has changed, but old names are
still supported and can be used (this applies to: `CASNAME`, `CASHREF`, `ncmSERVER`, `ncmSERVER2`, `secretName`,
`tlsSecretName`, `authNameSpace`), but they are not recommended to be used anymore.

## Fields description

The number next to the label icon indicates from which version the fields are supported.

> :material-tag: [1.1.0-1.1.0](../../release-notes/1.1.0.md)

| Field | Description |
|:------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `.spec.caName` | Name of an existing CA in the NCM, which will be used to issue certificates |
| `.spec.caID` | Unique href (or ID) identifier for existing CA in the NCM, which will be used to issue certificates |
| `.spec.provisioner.mainAPI` | The URL to the main NCM API endpoint |
| `.spec.provisioner.backupAPI` | The URL to the backup NCM API endpoint in case of the lack of connection to the main one |
| `.spec.provisioner.httpClientTimeout` | Maximum amount of time that the HTTP client will wait for a response from NCM API before aborting the request |
| `.spec.provisioner.healthCheckerInterval` | The time interval between each NCM API health check |
| `.spec.provisioner.authRef` | Reference to a `secret` containing the credentials (user and password) needed for making requests to NCM API |
| `.spec.provisioner.tlsRef` | Reference to a `secret` containing CA bundle used to verify connections to the NCM API. If the secret reference is not specified and selected protocol is HTTPS, InsecureSkipVerify will be used. Otherwise, TLS or mTLS connection will be used, depending on provided data |

> :material-tag: [1.0.3-1.0.2](../../release-notes/1.0.3.md)

| Field | Description |
|:----------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `.spec.chainInSigner` | Determines whether certificate chain should be included in issued certificate CA field (`ca.crt` - root CA certificate + intermediate CA certificates + singing CA certificate) |
| `.spec.onlyEECert` | Determines whether only end-entity certificate should be included in issued certificate TLS field (`tls.crt`) |

> :material-tag: [1.0.1-1.0.0](../../release-notes/1.0.1.md)

| Field | Description |
|:----------------------------|:--------------------------------------------------------------------------------------------------------------------------------------|
| `.spec.reenrollmentOnRenew` | Determines whether during renewal, certificate should be re-enrolled instead of renewed |
| `.spec.profileId` | Entity profile ID in NCM |
| `.spec.noRoot` | Determines whether issuing CA certificate should be included in issued certificate CA field (`ca.crt`) instead of root CA certificate |

!!! Danger
The following fields are not recommended to be used anymore!

| Field | Description |
|:----------------------|:-------------------------------------------------------------------------------------------------------------------|
| `.spec.CASNAME` | Name of an existing CA in the NCM, which will be used to issue certificates |
| `.spec.CASHREF` | Unique HREF identifier for existing CA in the NCM, which will be used to issue certificates |
| `.spec.ncmSERVER` | The URL to the main NCM API endpoint |
| `.spec.ncmSERVER2` | The URL to the backup NCM API endpoint in case of the lack of connection to the main one |
| `.spec.SecretName` | The name of `secret` which contains the credentials (user and password) needed for making requests to NCM REST API |
| `.spec.authNameSpace` | The name of namespace in which `secret` to NCM API credentials can be found |
| `.spec.tlsSecretName` | The name of `secret` which contains CA bundle used to verify connections to the NCM API |
32 changes: 32 additions & 0 deletions docs/documentation/certificates/certificates.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
# Renewing or re-enrolling

When it comes to renewing or re-enrolling certificates, ncm-issuer will take care of this and
do it before the certificate expires (the renewal grace period
depends on the defined values in `Certificate` resource).

You can define what operation ncm-issuer should perform in such a case by
setting certain PK rotation policy in `Certificate` resource.

| Field | Operation | Value |
|:---------------------------------:|:-------------:|:-----------------------------:|
| `.spec.privateKey.rotationPolicy` | re-enrollment | "Always" |
| `.spec.privateKey.rotationPolicy` | renewal | "Never" or not even specified |

!!! tip
There is also an option for enforcing the re-enrollment on
renewal in the definition of `Issuer` or `ClusterIssuer` resource. To do this simply set `.spec.reenrollmentOnRenew`
to **true** in `Issuer` or `ClusterIssuer` definition.

However, you can also trigger renewal or re-enrolling operation manually using one of the commands below.

In case you have cert-manager kubectl plugin:

```bash
kubectl cert-manager renew <certificate> -n <namespace>
```

In case you use cmctl:

```bash
cmctl renew <certificate> -n <namespace>
```
46 changes: 46 additions & 0 deletions docs/documentation/configuration.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
# Configuration

To make the ncm-issuer work properly, it is necessary to create few Kubernetes secrets
that contains credentials to NCM REST API and optional TLS configuration.

<figure markdown>
![installation](../assets/configuration.gif)
</figure>

## NCM REST API credentials

```bash
kubectl create secret generic \
<secret-name> \
-n <namespace> \
--from-literal=username=<username> \
--from-literal=usrPassword=<password>
```

## TLS without client authentication

```bash
kubectl create secret generic \
<secret-name> \
-n <namespace> \
--from-file=cacert=<ca-for-tls.pem>
```

## TLS with client authentication

```bash
kubectl create secret generic \
<secret-name> \
-n <namespace> \
--from-file=cacert=<ca-for-tls.pem> \
--from-file=key=<client-auth-pkey.pem> \
--from-file=cert=<client-auth-cert.pem>
```

!!! tip
To make sure that specific secret have been created correctly, you can check this
by using command:

```bash
kubectl -n <namespace> describe secrets <secret-name>
```
52 changes: 26 additions & 26 deletions docs/documentation/01_installation.md → docs/documentation/installation.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,42 +24,42 @@ The image will be automatically downloaded from public repository.

Add the Helm repository:

```bash
helm repo add nokia https://nokia.github.io/ncm-issuer/charts
```
```bash
helm repo add nokia https://nokia.github.io/ncm-issuer/charts
```

Update your local Helm chart repository cache:

```bash
helm repo update
```
```bash
helm repo update
```

Install ncm-issuer using the command:

```bash
helm install \
ncm-issuer nokia/ncm-issuer \
--create-namespace --namespace ncm-issuer
```
```bash
helm install \
ncm-issuer nokia/ncm-issuer \
--create-namespace --namespace ncm-issuer
```

On the other hand, if you did not add Helm repository, but downloaded the packaged version of ncm-issuer use:

```bash
helm install \
ncm-issuer \
--create-namespace --namespace ncm-issuer \
ncm-issuer/charts/ncm-issuer
```
```bash
helm install \
ncm-issuer \
--create-namespace --namespace ncm-issuer \
ncm-issuer/charts/ncm-issuer
```

## Using own (local or remote) registry

In case you want to use your own registry, just change the value pointing to a specific registry
in the `values.yaml` file in directory that contains Helm files. Then just repeat the steps
mentioned above.

```bash
sed -i "s|docker.io/misiektoja|<your-registry>|g" values.yaml
```
```bash
sed -i "s|docker.io/misiektoja|<your-registry>|g" values.yaml
```

!!! note
Using this command will also change the registry pointing to the image location of sidecar.
Expand All @@ -68,14 +68,14 @@ sed -i "s|docker.io/misiektoja|<your-registry>|g" values.yaml
However, if you do not know where to get image from, because you cloned the repository
just use the command:

```bash
make docker-build
```
```bash
make docker-build
```

or (if you also want to save image)

```bash
make docker-save
```
```bash
make docker-save
```

Saved image should appear in the path `./builds/ncm-issuer-images/`.
Loading

0 comments on commit 73c1386

Please sign in to comment.