Currently, fedora-image-uploader authenticates to Azure via a token. Azure also supports authenticating via client certificate. I'd like to switch over to certificates since the tokens default to expiring fairly frequently. The steps required to do this are:
```shell
openssl req -x509 -new -nodes -sha256 -days 3650 \
  -addext "extendedKeyUsage = clientAuth" \
  -subj "/CN=fedora-image-uploader" \
  -newkey rsa:4096 \
  -keyout fedora-image-uploader.key.pem \
  -out fedora-image-uploader.cert.pem

# The clients want the certificate and key in a single file:
cat fedora-image-uploader.key.pem fedora-image-uploader.cert.pem > fedora-image-uploader-key-and-cert.pem
```
Unfortunately it seems Azure requires it to be RSA. In the above example the cert is good for 10 years which might be too extreme, but whatever the admins are comfortable with is okay with me. The subject doesn't seem to matter either. Whatever the normal process is for generating a client cert and key is fine.
```shell
# The ID here is from the application registration in Microsoft Entra
az ad app credential reset --id fb48a308-6b5d-4b1a-93bb-461ff7cc007c --append \
  --display-name "Fedora Image Uploader" \
  --cert "@./fedora-image-uploader.cert.pem"
```
31902398-d12a-4357-91fc-b2a1f0b3d794
```shell
az ad app list -o table
```
Finally, I'll need to adjust the OpenShift playbook to mount the key, so I'll need to know what the path is for secret_file_privatefile.
I manually set the current token to expire in September of 2026, so some time before that. This is in no way urgent, I just recently had to walk through setting up a certificate so I figured I should write all this down rather than forgetting until next year some time.
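The steps above generate the certificate and hand it to Entra, but nothing in them checks the artefact before it is uploaded and mounted. The script below is an added example, not code from this ticket or from the fedora-image-uploader project: it runs the same `openssl req` invocation, builds the key-and-cert bundle the clients want, and then verifies the points the ticket relies on (the key is RSA, the cert carries the clientAuth EKU, the bundled key actually belongs to the bundled cert, the cert will still be valid for a chosen number of days) and prints the SHA-1 thumbprint, which is what Entra displays for an uploaded certificate credential, so you can confirm the right cert landed on the app registration. The function names, output directory and the `demo` run at the end are this example's own; it assumes only the openssl CLI (1.1.1 or later, for `-addext`).

```shell
#!/bin/sh
# Added example (not from the ticket or the fedora-image-uploader project):
# generate a self-signed RSA client cert as the ticket describes, bundle it,
# and verify it before it is uploaded to Entra. Helper names are this
# example's own; the only tool used is the openssl CLI (1.1.1+).
set -eu

# gen_client_cert NAME DAYS OUTDIR [BITS]
# Writes NAME.key.pem, NAME.cert.pem and NAME-key-and-cert.pem into OUTDIR.
gen_client_cert() {
  name=$1; days=$2; dir=$3; bits=${4:-4096}
  mkdir -p "$dir"
  openssl req -x509 -new -nodes -sha256 -days "$days" \
    -addext "extendedKeyUsage = clientAuth" \
    -subj "/CN=$name" \
    -newkey "rsa:$bits" \
    -keyout "$dir/$name.key.pem" \
    -out "$dir/$name.cert.pem" 2>/dev/null
  # Private key first, then the cert, in one file, as the clients expect.
  cat "$dir/$name.key.pem" "$dir/$name.cert.pem" > "$dir/$name-key-and-cert.pem"
  chmod 0600 "$dir/$name.key.pem" "$dir/$name-key-and-cert.pem"
}

# Entra only accepts RSA keys: reject an EC or Ed25519 cert before uploading it.
check_rsa() {
  openssl x509 -in "$1" -noout -text | grep -q 'Public Key Algorithm: rsaEncryption'
}

# The cert must carry the clientAuth EKU that -addext put in.
check_client_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# The key in the bundle must belong to the cert in the bundle (catches a
# paste of the wrong key). Compares the SubjectPublicKeyInfo from both halves.
check_bundle_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the cert is still valid DAYS from now; run it from a cron
# job so the cert, unlike the old token, does not expire unnoticed.
check_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# SHA-1 thumbprint, colon-free and upper case, the form Entra shows for a
# certificate credential on the app registration.
thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# Stand-alone run: generate into a temp dir, run every check, clean up.
demo() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; return 0; }
  work=$(mktemp -d)
  cert="$work/fedora-image-uploader.cert.pem"
  gen_client_cert fedora-image-uploader 3650 "$work"
  check_rsa "$cert" && echo "key type: RSA"
  check_client_auth_eku "$cert" && echo "EKU: clientAuth present"
  check_bundle_matches "$work/fedora-image-uploader-key-and-cert.pem" && echo "bundle: key matches cert"
  check_valid_for_days "$cert" 30 && echo "validity: at least 30 days left"
  echo "thumbprint (compare with the Entra credential entry): $(thumbprint "$cert")"
  rm -rf "$work"
}

demo
```

`check_valid_for_days` is the one worth wiring into monitoring: `-checkend` is portable across OpenSSL versions, whereas parsing `-enddate` output with `date` is not. `check_bundle_matches` reads the first private key and the first certificate from the combined file, so it only proves anything if the bundle was written key-first as the ticket's `cat` does.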
Metadata Update from @zlopez: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: low-trouble, medium-gain
I'm a bit confused here... what CA is expected to issue this cert?
It can actually be self-signed, the CA does not matter. It'd make a lot of sense if you could register a CA and it pulled the service principal from a field on the cert, but... It's possible I'm just missing some panel, but I don't think that's possible.
Sorry this has languished. ;(
Did you want to use the same cert/key for staging as prod? Or separate?
The prod key is in {{ ansible_private }}files/cloud-image-uploader/fedora-image-uploader.key.pem
and the pub cert is:
```
-----BEGIN CERTIFICATE-----
MIIFNjCCAx6gAwIBAgIULi2MHz+7QamZ+DtCfX0Eaxu38PowDQYJKoZIhvcNAQEL
BQAwIDEeMBwGA1UEAwwVZmVkb3JhLWltYWdlLXVwbG9hZGVyMB4XDTI1MTAyMjIy
MjAyM1oXDTM1MTAyMDIyMjAyM1owIDEeMBwGA1UEAwwVZmVkb3JhLWltYWdlLXVw
bG9hZGVyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxlvl1H9Qlkkz
SUmKmKqurENv49GLLB+8JqnfDJuQGzRLuhne7dQh8XbQ9BkIfzio+dFSyDi+yXpz
yRCwoa2Q+paD31Gd5Nb6TbLhEnvGSosE6HSlmncAzj6ZBrQrrLeD1dG/51KVzV8C
+oK7b5po5ep1EBmqGSpHsCZ16T7qa4keYPNRRzO1fVia8H/3YQToFwGGhFdTAxMY
Azn5G70KaBxxhAtsqf1TPn+6EhI3j2fg7sgACbL77Q1jBuNYCdklRhgIRDufK5Hs
pLuFn2CoxmGjOydxHikMMf59CpZ2A5b+TtSIGSH4UbXHcZJQkim0x0eTWhRlYIAP
dwwGcBLHfJ2E7p37RQ1OrjMLhGUboryX3I7hv6wX6rDmJc5xYILWVdosndI+AkVM
9cZtp5v2KtttTTjlbp9AdgdUN04zK/ZPVZGqtn0cISKPZmL8wqiJdtiJqp1VQVfM
vGtomsHzQKUDfCNcrUrehRMicK/9mtX8yZ6Nj1PguMjjzL/+etm71KhEqbwh9O5A
5wbOnDAl//NiyyU5kJ12DNjdrvFDBD26GVlG3hDABbcmxbogEW+zYu35iCUoBmLr
P8UmYLDFbrzI30eJceGE9J5jlw0N98COicazF7YrC2/7/qFvHOikCWXhOc/do2p4
3WV3tk49HbU6jTxXd03D3qnF2GUdaEECAwEAAaNoMGYwHQYDVR0OBBYEFHFDOb8W
sIhf4TZFwMv/BD/OgyoDMB8GA1UdIwQYMBaAFHFDOb8WsIhf4TZFwMv/BD/OgyoD
MA8GA1UdEwEB/wQFMAMBAf8wEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcN
AQELBQADggIBACSlgUd6x5wtYeFJr1rIEFM1+xlFemcvgNBARzxt5gDGsk6QdRyK
c6n8ZGCZZcUIrGbt/iDCd7sh4jwTniet31l0X6F97dxDnnM3hd+NXbmVfzkCMN22
ku8EvlY0QwnQr20RSQcgDnygldCg3bIo2m3ba3N/kKyHclb6H49CdtxQQkIVFncr
kJfMdQsdA7BSCiNcjS0PZac0kqlRe+/n7bm6oQ9HsSPfW5Vf4QE/uBA45E0i4azD
yQ83boWA5el3HcnnMG+4zAsafbiAjY6icY9/lY6N1j9vyUo3SokOf7J2iqhJTxl4
AVdP4bC4HEQLtYbGrBdSwENS20c6/u6ZKPM4vjbfD8jKE4RhdaSzwlpJWFr8jJiv
TE5X784x3oiBMS2DMcnjtXV061VetFTS7QAbM+ZYHdXkz4WTE2GPJn3PR2D6RuYZ
G9DVq1FGBC261u27bCHNeCJ+br2914Dh76ooyPDb/YULnEBe0+JjLv0dYXaLxBlu
ZHA3bpwG4v3YOjtV33u2phOor8bBzmADeGLW7rDQzpuwdk+xToh/KAKGfpcz/SqH
8IqRbrUxGQVgjLc4piKZSZ0qIW1I7Hm6mQ3DMuu60PPinw14e17sT/4bwImRttkG
i/MPW/QjgCmdSN8LSnai2M+HdbL1fBc+O7jv0INv3A/8iCMOeojDcNJH
-----END CERTIFICATE-----
```
Thanks, and no worries about it languishing.
Having a separate staging key would be great if it's not too much trouble.
Metadata Update from @kevin: - Issue assigned to kevin
ok, the stg one is here.
It's in private as {{ ansible_private }}files/cloud-image-uploader/fedora-image-uploader.stg.key.pem
```
-----BEGIN CERTIFICATE-----
MIIFPjCCAyagAwIBAgIUHzLsQlW2H8mIRkDs+MPgjNYWIKswDQYJKoZIhvcNAQEL
BQAwJDEiMCAGA1UEAwwZZmVkb3JhLWltYWdlLXVwbG9hZGVyLnN0ZzAeFw0yNTEx
MDYyMjI3MDdaFw0zNTExMDQyMjI3MDdaMCQxIjAgBgNVBAMMGWZlZG9yYS1pbWFn
ZS11cGxvYWRlci5zdGcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC5
qd+C1bBYF/CLXLtbPOpfTDsHSj60zYvfUOFS9oaa/q6mjdmjXXVXh0MPMFmFS/7f
tIiOuZAMNplaWnBtAj6fyb+D8mLBESCkkbWWsU4LvR9BvH4hksdvsMMBrURK4dbv
uSouIrP7IIS5e1Wzgq89cOFxVcM4nCjwYgJ9VuYaxssTeBT7f1q8ov7va8ZSyKX4
/nLymG0Ivcg4NYbtWulx0GQMNSK2oe4eiVMieygtm1fVpbjQ7ukQ2HS+geZQxfnw
7oWN88+LDOevpVhgahu97k7JzubEXcAKwlrffkD6eZQ5ijjwc6HHEXlwsyvVIvOw
dP+PFwKhckUlIER5wbcYoltFkHh/mwIq3h+k0mnuDeNsdys/nqnr2sW4OK6uK5Fu
ei7XJyS4pu0Mpqc9TXpbpID2H3MXbyBQs/zU7zpSTtNUtloJCBMQy4IPPpL54WFp
VX/3V7FoRJPNcdzG630pjONT1U7IOWC8uyWC2e2GCtIu+sHSr7ZqafnmlwT3w47h
SpXRtKlNLC9/fePZz1PXTQDkGQjwPq4LG4lWlFUEOVT7vPwRwAeO88E42VEdVXj8
IxUvAkI/rMY8wGRLRsuHHfogAvH7wzDgffi6CDKJDO6F9vMRH6U4xtILBTisL2Mm
sK/vaP2dZrUbr8CCy/hIw6YQVgoD8Ab5/hMLnHFt3QIDAQABo2gwZjAdBgNVHQ4E
FgQUnXFAkp4xH1CdWEgAVQVgBoXxns4wHwYDVR0jBBgwFoAUnXFAkp4xH1CdWEgA
VQVgBoXxns4wDwYDVR0TAQH/BAUwAwEB/zATBgNVHSUEDDAKBggrBgEFBQcDAjAN
BgkqhkiG9w0BAQsFAAOCAgEAjLMyXIIqf3cpN7u+3UHJncf11PhTuohSmdoXPtWe
gSBJjSEyhQTC+p6pgVNAqyZHxCij8E/sk+1etYc3iSPfV6FSnx56HgqkEAUGJvdA
1ZMczlPtB7COvAf0TJz14c8X/UXnxTn2dNm3z2FatbRIai+pXGr0i7F8SJDL2FS+
tqQBRwPD7A8RjUPRQqo2QrkyXTnZTZIYkPeN19u5G7PxiqjP5Tm2Z7LAsHBxkPwX
h2Yh2V6Xi77l1SDC/iNZBS8YMF1MB7ZBaL9JMfnzGOlCTBJB9BxT1SQBW7rq6W9X
E6e+u+Koaw3kd4P5gQ8YCM2JAn9ixLkUqbX0vSWfRYxCKW1pDIkjV1MB2r+jm4Ni
G7+HAR13DV+5Ow1iBOfjiPw5htRG1WHmOTukvtZJWvemm8fdq712UT+84lXQGzP0
1QqIDZbWm6P8tY4aVueuDBy1jMUNKz5E2W+ulgOAzLJdrjiaJ/0pNhzRCBAmEXAh
voYkI9o1JuQUQNlH+6JpZhJ54Kd+aKEQjxOVPalEKK2ZiGuAg7KVaOrudHeoZvla
kpi8lh0wCwUEOGYAiE4/mDIsWgEt8vRp7KSgWKzYaBOwTXxa1T6wywj55sK5gbB+
59nE8Xf/prgzoHbol6u//wCEx/hGwNmnr29PjXyVme8jEVjPCRnpU0+JjjJKRVe5
Jgc=
-----END CERTIFICATE-----
```
i.e., it has .stg in it so you can use {{ env_suffix }} with it.
Let us know if there's anything more to do here.
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)