This page describes how to rotate the root certificate authority used for package validation in Google Distributed Cloud (GDC) air-gapped appliance.
GDC package validation uses a root certificate authority (CA) to validate release key certificates. This makes it critical to rotate the root CA certificate periodically. You must rotate the root CA if you are instructed to do so through a release notice or through the warning message that may be displayed while you perform an upgrade.
Before you begin
To rotate the package validation certificate, you must have the necessary identity and access roles:
- Ensure that you have write access to the package-validation-root-certs ConfigMap.
- Ask your Security Admin to grant you the Upgrade Debugger (upgrade-debugger-cp) role.
Verify certificate rotation is required
Verify that a package validation certificate rotation is required before performing the operation:
1. Set the KUBECONFIG environment variable:
```
$ export KUBECONFIG=PATH_TO_KUBECONFIG_FILE
```
Replace PATH_TO_KUBECONFIG_FILE with the path to the kubeconfig file that you obtained by running gdcloud auth login in the root admin cluster.
2. Determine if an upgrade is required by comparing the current trust anchor to the latest trust anchor. The ConfigMap data at harbor-system/package-validation-root-certs is compared against the local trust anchor:
```
$ CURRENT_TRUST_ANCHOR=$(kubectl --kubeconfig="$KUBECONFIG" get cm package-validation-root-certs -n harbor-system -o jsonpath='{.data.ca\.crt}')
$ LATEST_TRUST_ANCHOR=$(cat /root/release/staging_root_ca_certificate.crt)
$ diff <( echo "$CURRENT_TRUST_ANCHOR" ) <( echo "$LATEST_TRUST_ANCHOR" ) && echo 'trust anchors are same' || echo 'trust anchors are different, upgrade required!'
```
Perform certificate rotation and upgrade on the appliance
Perform the following steps to rotate the ConfigMap object located at harbor-system/package-validation-root-certs in the root admin cluster. The Infrastructure Operator needs write access to the ConfigMap.
1. Create and assign values to the following variables:
```
USERNAME=USER_NAME  # IO
TARGET_FOLDER=/tmp/${USERNAME}
OUTPUT="${TARGET_FOLDER}/package-validation-root-certs.yaml"
LATEST_TRUST_ANCHOR_CA_FILE=/root/release/staging_root_ca_certificate.crt
CONFIGMAP_NAME=package-validation-root-certs
NAMESPACE=harbor-system
```
Replace USER_NAME with the IO username.
2. Create the target folder that will contain the output files from the certificate rotation process:
```
mkdir -p "${TARGET_FOLDER}"
```
3. Generate the ConfigMap manifest, replacing the value of ca.crt with the latest trust anchor from LATEST_TRUST_ANCHOR_CA_FILE (the certificate lines are indented so they form a valid YAML block scalar):
```
cat <<EOF > "${OUTPUT}"
apiVersion: v1
kind: ConfigMap
metadata:
  name: ${CONFIGMAP_NAME}
  namespace: ${NAMESPACE}
data:
  ca.crt: |
$(sed 's/^/    /' "${LATEST_TRUST_ANCHOR_CA_FILE}")
EOF
```
4. Apply the new configuration with kubectl:
```
kubectl apply -f "${OUTPUT}"
```
5. Ensure that the newly applied ca.crt is present within the ConfigMap:
```
kubectl describe configmap package-validation-root-certs -n harbor-system
```
This completes the rotation of the certificate in the package-validation-root-certs ConfigMap.
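The trust-anchor comparison and the manifest generation above, as an added bash example that is not part of the GDC documentation: it normalises line endings and trailing whitespace before comparing (so a CRLF copy of the same CA is not reported as "different"), refuses a file that is not exactly one PEM certificate before it is written into the ConfigMap, and renders the ca.crt block scalar with the indentation YAML requires. It assumes a base64 command that accepts -d; the certificate bodies used in the comments and test (MAA=, MAE=) are constructed placeholders, not real certificates.

```bash
#!/usr/bin/env bash
# Added example: helper functions for the package-validation-root-certs rotation.
# Nothing here talks to a cluster; feed it the strings you would otherwise pass to kubectl.
set -u

# Normalise a PEM blob: drop CR characters, trailing whitespace and blank lines, and
# guarantee a final newline, so cosmetic differences do not trigger a false rotation.
normalize_pem() {
  printf '%s\n' "$1" | tr -d '\r' | sed -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Exit status 0 when both trust anchors are the same certificate text, 1 otherwise.
# Usage: trust_anchors_same "$CURRENT_TRUST_ANCHOR" "$LATEST_TRUST_ANCHOR"
trust_anchors_same() {
  [ "$(normalize_pem "$1")" = "$(normalize_pem "$2")" ]
}

# Reject a candidate trust anchor that is not a single, well-formed PEM certificate.
validate_pem_cert() {
  local pem="$1" body
  # exactly one BEGIN marker and a matching END marker
  [ "$(printf '%s\n' "$pem" | grep -c -- '-----BEGIN CERTIFICATE-----')" -eq 1 ] || return 1
  printf '%s\n' "$pem" | grep -q -- '-----END CERTIFICATE-----' || return 1
  body=$(printf '%s\n' "$pem" | sed '/^-----/d' | tr -d '\r\n')
  # A DER certificate begins with a SEQUENCE tag (0x30); its first base64 character is 'M'.
  case "$body" in M*) ;; *) return 1 ;; esac
  # the body must also be decodable base64
  printf '%s' "$body" | base64 -d >/dev/null 2>&1
}

# Render the ConfigMap manifest; the certificate is indented four spaces so it sits
# inside the "ca.crt: |" block scalar, as the sed in the procedure does.
# Usage: render_configmap package-validation-root-certs harbor-system "$LATEST_TRUST_ANCHOR"
render_configmap() {
  local name="$1" namespace="$2" pem="$3"
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n  ca.crt: |\n' \
    "$name" "$namespace"
  normalize_pem "$pem" | sed 's/^/    /'
}
```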