Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: update internal certificate documents #141

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix: update internal certificate documents #141

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1d845b6
fix: update internal certificate documents
holyspectral Dec 18, 2024
885a4b5
fix: update notes based on review comments
holyspectral Dec 20, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 33 additions & 0 deletions docs/02.deploying/01.production/04.internal/04.internal.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,11 @@ taxonomy:
slug: /deploying/production/internal
---

:::important
NeuVector versions 5.4.2 and later must have users generate/replace internal certificates before using NeuVector.
After March 2025, NeuVector versions prior to 5.4.2 must have users generate/replace internal certificates before using NeuVector.
:::

### Internal Communication and Certificates

NeuVector includes default self-signed certificates for encryption for the Manager (console/UI access), Controller (REST API, internal), Enforcer (internal), and Scanner (internal) communications.
Expand Down Expand Up @@ -244,6 +249,34 @@ kubectl rollout status ds neuvector-enforcer-pod
```

+ Make sure the console can be accessed and controllers are all online.
</TabItem>
<TabItem value="regenerate_cert_from_builtin" label="Regenerate certificate when built-in certificate is being used">
If you didn't replace the internal certificate before and want to migrate to a new set of certificates, follow the steps below:

+ Check if you already have the internal certificate generated automatically.

```bash
kubectl get secret internal-cert -o yaml
```

If you see `tls.key`, `tls.crt` and `ca.crt` there, that means you've been using the automatically generated certificate and you can skip this section.

If you can see the secret, but cannot find these secrets, consider enabling `internal.autoRotateCert` in the helm charts override. This option will generate and rotate your internal certificate automatically.

If you don't use the automatically generated internal certificate and can't do so, follow the steps below:

+ Follow the steps in the `New certificate` tab to use a Kubernetes secret to manage the internal certificate. Instead of generating a new certificate, use the certificate, `old-ca.crt`, `old-tls.crt` and `old-tls.key`, retrieved below:

```
docker run -it --entrypoint=bash neuvector/scanner:3.654 -c "cat /etc/neuvector/certs/internal/ca.cert" > old-ca.crt
docker run -it --entrypoint=bash neuvector/scanner:3.654 -c "cat /etc/neuvector/certs/internal/cert.pem" > old-tls.crt
docker run -it --entrypoint=bash neuvector/scanner:3.654 -c "cat /etc/neuvector/certs/internal/cert.key" > old-tls.key
```

+ Make sure that all components are running without errors.

+ After that, follow the steps in `Regenerate certificate files and add SANs` tab and migrate to your own certificate.

</TabItem>
</Tabs>

Expand Down
5 changes: 5 additions & 0 deletions versioned_docs/version-5.2/02.deploying/01.production/04.internal/04.internal.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,11 @@ taxonomy:
slug: /deploying/production/internal
---

:::important
NeuVector versions 5.4.2 and later must have users generate/replace internal certificates before using NeuVector.
After March 2025, NeuVector versions prior to 5.4.2 must have users generate/replace internal certificates before using NeuVector.
:::

### Internal Communication and Certificates

NeuVector includes default self-signed certificates for encryption for the Manager (console/UI access), Controller (REST API, internal), Enforcer (internal), and Scanner (internal) communications.
Expand Down
5 changes: 5 additions & 0 deletions versioned_docs/version-5.3/02.deploying/01.production/04.internal/04.internal.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,11 @@ taxonomy:
slug: /deploying/production/internal
---

:::important
NeuVector versions 5.4.2 and later must have users generate/replace internal certificates before using NeuVector.
After March 2025, NeuVector versions prior to 5.4.2 must have users generate/replace internal certificates before using NeuVector.
:::

### Internal Communication and Certificates

NeuVector includes default self-signed certificates for encryption for the Manager (console/UI access), Controller (REST API, internal), Enforcer (internal), and Scanner (internal) communications.
Expand Down
33 changes: 33 additions & 0 deletions versioned_docs/version-5.4/02.deploying/01.production/04.internal/04.internal.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,11 @@ taxonomy:
slug: /deploying/production/internal
---

:::important
NeuVector versions 5.4.2 and later must have users generate/replace internal certificates before using NeuVector.
After March 2025, NeuVector versions prior to 5.4.2 must have users generate/replace internal certificates before using NeuVector.
:::

### Internal Communication and Certificates

NeuVector includes default self-signed certificates for encryption for the Manager (console/UI access), Controller (REST API, internal), Enforcer (internal), and Scanner (internal) communications.
Expand Down Expand Up @@ -244,6 +249,34 @@ kubectl rollout status ds neuvector-enforcer-pod
```

+ Make sure the console can be accessed and controllers are all online.
</TabItem>
<TabItem value="regenerate_cert_from_builtin" label="Regenerate certificate when built-in certificate is being used">
If you didn't replace the internal certificate before and want to migrate to a new set of certificates, follow the steps below:

+ Check if you already have the internal certificate generated automatically.

```bash
kubectl get secret internal-cert -o yaml
```

If you see `tls.key`, `tls.crt` and `ca.crt` there, that means you've been using the automatically generated certificate and you can skip this section.

If you can see the secret, but cannot find these secrets, consider enabling `internal.autoRotateCert` in the helm charts override. This option will generate and rotate your internal certificate automatically.

If you don't use the automatically generated internal certificate and can't do so, follow the steps below:

+ Follow the steps in the `New certificate` tab to use a Kubernetes secret to manage the internal certificate. Instead of generating a new certificate, use the certificate, `old-ca.crt`, `old-tls.crt` and `old-tls.key`, retrieved below:

```
docker run -it --entrypoint=bash neuvector/scanner:3.654 -c "cat /etc/neuvector/certs/internal/ca.cert" > old-ca.crt
docker run -it --entrypoint=bash neuvector/scanner:3.654 -c "cat /etc/neuvector/certs/internal/cert.pem" > old-tls.crt
docker run -it --entrypoint=bash neuvector/scanner:3.654 -c "cat /etc/neuvector/certs/internal/cert.key" > old-tls.key
```

+ Make sure that all components are running without errors.

+ After that, follow the steps in `Regenerate certificate files and add SANs` tab and migrate to your own certificate.

</TabItem>
</Tabs>

Expand Down