K8S Certificates: Difference between revisions

No edit summary
 
(10 intermediate revisions by one other user not shown)
Line 1: Line 1:
==Certificate Creation==
===CA Creation===
<syntaxhighlight lang="bash">
{
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h"
      }
    }
  }
}
EOF
cat > ca-csr.json <<EOF
{
  "CN": "Kubernetes",
  "key": {
    "algo": "ecdsa",
    "size": 521
  },
  "names": [
    {
      "C": "US",
      "L": "Spring Hill",
      "O": "8 Bit Computing",
      "OU": "CA",
      "ST": "Tennessee"
    }
  ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
}
</syntaxhighlight>
===Client and Server Certificates===
====Admin Client Certificate====
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
{
cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "key": {
    "algo": "ecdsa",
    "size": 521
  },
  "names": [
    {
      "C": "US",
      "L": "Spring Hill",
      "O": "system:masters",
      "OU": "8 Bit Computing",
      "ST": "Tennessee"
    }
  ]
}
EOF
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  admin-csr.json | cfssljson -bare admin
}
</syntaxhighlight>


====The Kubelet Client Certificates====
<syntaxhighlight lang="bash">
for instance in us-wrk-01 us-wrk-02 us-wrk-03 us-wrk-04; do
for instance in us-wrk-01 us-wrk-02 us-wrk-03 us-wrk-04; do
cat > ${instance}-csr.json <<EOF
cat > ${instance}-csr.json <<EOF
Line 6: Line 87:
   "CN": "system:node:${instance}",
   "CN": "system:node:${instance}",
   "key": {
   "key": {
     "algo": "rsa",
     "algo": "ecdsa",
     "size": 2048
     "size": 521
   },
   },
   "names": [
   "names": [
     {
     {
       "C": "US",
       "C": "US",
       "L": "Nashville",
       "L": "Spring Hill",
       "O": "system:nodes",
       "O": "system:nodes",
       "OU": "8 Bit Kubernetes",
       "OU": "8 Bit Computing",
       "ST": "Tennessee"
       "ST": "Tennessee"
     }
     }
Line 32: Line 113:
   ${instance}-csr.json | cfssljson -bare ${instance}
   ${instance}-csr.json | cfssljson -bare ${instance}
done
done
</syntaxhighlight>
====The Controller Manager Client Certificate====
<syntaxhighlight lang="bash">
{
cat > kube-controller-manager-csr.json <<EOF
{
  "CN": "system:kube-controller-manager",
  "key": {
    "algo": "ecdsa",
    "size": 521
  },
  "names": [
    {
      "C": "US",
      "L": "Spring Hill",
      "O": "system:kube-controller-manager",
      "OU": "8 Bit Computing",
      "ST": "Tennessee"
    }
  ]
}
EOF
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
}
</syntaxhighlight>
====The Kube Proxy Client Certificate====
<syntaxhighlight lang="bash">
{
cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "key": {
    "algo": "ecdsa",
    "size": 521
  },
  "names": [
    {
      "C": "US",
      "L": "Spring Hill",
      "O": "system:node-proxier",
      "OU": "8 Bit Computing",
      "ST": "Tennessee"
    }
  ]
}
EOF
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-proxy-csr.json | cfssljson -bare kube-proxy
}
</syntaxhighlight>
====The Scheduler Client Certificate====
<syntaxhighlight lang="bash">
{
cat > kube-scheduler-csr.json <<EOF
{
  "CN": "system:kube-scheduler",
  "key": {
    "algo": "ecdsa",
    "size": 521
  },
  "names": [
    {
      "C": "US",
      "L": "Spring Hill",
      "O": "system:kube-scheduler",
      "OU": "8 Bit Computing",
      "ST": "Tennessee"
    }
  ]
}
EOF
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-scheduler-csr.json | cfssljson -bare kube-scheduler
}
</syntaxhighlight>
====The Kubernetes API Server Certificate====
<syntaxhighlight lang="bash">
{
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
  --region $(gcloud config get-value compute/region) \
  --format 'value(address)')
KUBERNETES_HOSTNAMES=kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local
cat > kubernetes-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "ecdsa",
    "size": 521
  },
  "names": [
    {
      "C": "US",
      "L": "Spring Hill",
      "O": "Kubernetes",
      "OU": "8 Bit Computing",
      "ST": "Tennessee"
    }
  ]
}
EOF
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname=10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,${KUBERNETES_PUBLIC_ADDRESS},127.0.0.1,${KUBERNETES_HOSTNAMES} \
  -profile=kubernetes \
  kubernetes-csr.json | cfssljson -bare kubernetes
}
</syntaxhighlight>
====The Service Account Key Pair====
<syntaxhighlight lang="bash">
{
cat > service-account-csr.json <<EOF
{
  "CN": "service-accounts",
  "key": {
    "algo": "ecdsa",
    "size": 521
  },
  "names": [
    {
      "C": "US",
      "L": "Spring Hill",
      "O": "Kubernetes",
      "OU": "8 Bit Computing",
      "ST": "Tennessee"
    }
  ]
}
EOF
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  service-account-csr.json | cfssljson -bare service-account
}
</syntaxhighlight>
===Distribute the Client and Server Certificates===
Copy the appropriate certificates and private keys to each worker instance:
<syntaxhighlight lang="bash">
for instance in worker-0 worker-1 worker-2; do
  gcloud compute scp ca.pem ${instance}-key.pem ${instance}.pem ${instance}:~/
done
</syntaxhighlight>
Copy the appropriate certificates and private keys to each controller instance:
<syntaxhighlight lang="bash">
for instance in controller-0 controller-1 controller-2; do
  gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
    service-account-key.pem service-account.pem ${instance}:~/
done
</syntaxhighlight>
===Foo===
<syntaxhighlight lang="bash">
KUBERNETES_PUBLIC_ADDRESS=10.1.10.6
KUBERNETES_HOSTNAMES=us-ctrl-01,us-ctrl-01.nodes.8bitwizard.net,us-ctrl-02,us-ctrl-02.nodes.8bitwizard.net,us-k8s.svc.8bitwizard.net,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local
cat > kubernetes-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "ecdsa",
    "size": 521
  },
  "names": [
    {
      "C": "US",
      "L": "Spring Hill",
      "O": "Kubernetes",
      "OU": "8 Bit Kubernetes",
      "ST": "Tennessee"
    }
  ]
}
EOF
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname=10.1.42.1,10.1.20.13,10.1.20.14,${KUBERNETES_PUBLIC_ADDRESS},127.0.0.1,${KUBERNETES_HOSTNAMES} \
  -profile=kubernetes \
  kubernetes-csr.json | cfssljson -bare kubernetes
</syntaxhighlight>
</syntaxhighlight>
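Review bot: The new page generates `kubernetes.pem` twice — the "Kubernetes API Server Certificate" block still runs the tutorial's `gcloud compute addresses describe kubernetes-the-hard-way` lookup with a GCP-specific SAN list, and the new "Foo" block at the end rewrites `kubernetes-csr.json` and runs `cfssljson -bare kubernetes` again with this cluster's real addresses, so whichever block is pasted last wins and the first one fails outside GCP. The kubelet loop likewise issues certificates for `us-wrk-01` … `us-wrk-04`, while "Distribute the Client and Server Certificates" still copies `${instance}.pem` for `worker-0` … `worker-2` with `gcloud compute scp`, so none of the files named above would be found. I would drop or clearly retitle the GCP block, give "Foo" a real heading, and align the instance lists with the names used in the kubelet loop. Separately, `ca-key.pem` is copied to every controller next to the serving certificate; if that is for the controller-manager's signer, a short comment saying so and a reminder that the copy must land with owner-only permissions would help, since whoever holds that key can issue any cluster identity, including `system:masters`.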

Latest revision as of 03:17, 6 June 2021

Certificate Creation

CA Creation

# ---- Cluster CA -------------------------------------------------------------
# Writes the cfssl signing policy and the CA subject, then self-signs the CA.
# Output (current directory): ca.pem, ca-key.pem, ca.csr.
{

# Signing policy consumed by every later `cfssl gencert -config=ca-config.json`.
# A single profile, "kubernetes", is shared by all leaf certificates and grants
# both "server auth" and "client auth"; a client-only identity signed with it
# (admin, kube-proxy, ...) is therefore also a valid TLS *server* certificate.
# Separate server/client profiles would narrow that if it matters here.
# "key encipherment" is an RSA-only key usage and is inert for the ECDSA keys
# used on this page. 8760h is 365 days for each issued leaf certificate.
# No shell expansion is wanted inside the JSON, so the delimiter is quoted.
cat > ca-config.json <<'JSON'
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h"
      }
    }
  }
}
JSON

# CA subject with a P-521 ECDSA key.
# NOTE(review): the CA's own validity is not set here; cfssl's -initca default
# applies unless a "ca": {"expiry": ...} entry is added — confirm that is the
# intended lifetime.
cat > ca-csr.json <<'JSON'
{
  "CN": "Kubernetes",
  "key": {
    "algo": "ecdsa",
    "size": 521
  },
  "names": [
    {
      "C": "US",
      "L": "Spring Hill",
      "O": "8 Bit Computing",
      "OU": "CA",
      "ST": "Tennessee"
    }
  ]
}
JSON

# -initca self-signs the CSR; cfssljson -bare splits the JSON bundle into PEM
# files. ca-key.pem is the root of trust for the whole cluster: keep it off
# shared storage, check its file mode after generation, and back it up out of
# band.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca

}

Client and Server Certificates

Admin Client Certificate

# ---- admin client certificate ---------------------------------------------
# Client certificate for the cluster operator. O=system:masters is the group
# that Kubernetes binds to cluster-admin out of the box, and the API server
# performs no revocation checks on client certificates, so this key is an
# unrevocable root credential for its whole validity period: keep it offline
# and prefer narrower RBAC subjects for day-to-day work.
{

# No expansion wanted in the JSON; delimiter quoted.
cat > admin-csr.json <<'JSON'
{
  "CN": "admin",
  "key": {
    "algo": "ecdsa",
    "size": 521
  },
  "names": [
    {
      "C": "US",
      "L": "Spring Hill",
      "O": "system:masters",
      "OU": "8 Bit Computing",
      "ST": "Tennessee"
    }
  ]
}
JSON

# Sign with the cluster CA under the shared "kubernetes" profile.
# Output: admin.pem, admin-key.pem, admin.csr.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  admin-csr.json | cfssljson -bare admin

}

The Kubelet Client Certificates

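# ---- kubelet certificates, one per worker -----------------------------------
# CN=system:node:<name> and O=system:nodes are what the Node authorizer and
# the NodeRestriction admission plugin key on, so <name> must match the node
# name the kubelet registers with exactly.
# Output per node: <name>.pem, <name>-key.pem, <name>.csr.
for instance in us-wrk-01 us-wrk-02 us-wrk-03 us-wrk-04; do
# ${instance} is expanded inside the JSON, so the delimiter stays unquoted.
cat > "${instance}-csr.json" <<EOF
{
  "CN": "system:node:${instance}",
  "key": {
    "algo": "ecdsa",
    "size": 521
  },
  "names": [
    {
      "C": "US",
      "L": "Spring Hill",
      "O": "system:nodes",
      "OU": "8 Bit Computing",
      "ST": "Tennessee"
    }
  ]
}
EOF

# Despite its name, INTERNAL_IP holds the node's DNS name, not an address; the
# variable name is kept as used elsewhere on this page.
INTERNAL_IP=${instance}.node.8bitwizard.net

# `dig +short` may print several lines (a CNAME target followed by its A
# record, or multiple A records) or nothing at all. The original single
# assignment then either word-split the -hostname argument or left a dangling
# comma in the SAN list. Keep only the first IPv4 answer and refuse to issue a
# certificate with an incomplete SAN list. IPv6-only nodes are not handled.
# NOTE(review): the SAN is taken from a live DNS answer at issuance time;
# confirm the address out of band before trusting the resulting certificate.
EXTERNAL_IP=$(dig +short "${INTERNAL_IP}" | grep -m 1 -E '^[0-9]+(\.[0-9]+){3}$')
if [[ -z "${EXTERNAL_IP}" ]]; then
  printf 'no IPv4 address for %s; skipping certificate for %s\n' \
    "${INTERNAL_IP}" "${instance}" >&2
  continue
fi

# Serving + client certificate (the shared profile grants both usages) with
# the short name, the DNS name and the resolved address as SANs.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname="${instance},${INTERNAL_IP},${EXTERNAL_IP}" \
  -profile=kubernetes \
  "${instance}-csr.json" | cfssljson -bare "${instance}"
done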

The Controller Manager Client Certificate

# ---- kube-controller-manager client certificate ---------------------------
# CN=system:kube-controller-manager is the user the built-in RBAC bootstrap
# binds to the system:kube-controller-manager ClusterRole.
# Output: kube-controller-manager.pem, kube-controller-manager-key.pem, .csr.
{

# No expansion wanted in the JSON; delimiter quoted.
cat > kube-controller-manager-csr.json <<'JSON'
{
  "CN": "system:kube-controller-manager",
  "key": {
    "algo": "ecdsa",
    "size": 521
  },
  "names": [
    {
      "C": "US",
      "L": "Spring Hill",
      "O": "system:kube-controller-manager",
      "OU": "8 Bit Computing",
      "ST": "Tennessee"
    }
  ]
}
JSON

# Sign with the cluster CA under the shared "kubernetes" profile.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager

}

The Kube Proxy Client Certificate

# ---- kube-proxy client certificate ----------------------------------------
# CN=system:kube-proxy with O=system:node-proxier matches the built-in
# system:node-proxier ClusterRoleBinding.
# Output: kube-proxy.pem, kube-proxy-key.pem, kube-proxy.csr.
{

# No expansion wanted in the JSON; delimiter quoted.
cat > kube-proxy-csr.json <<'JSON'
{
  "CN": "system:kube-proxy",
  "key": {
    "algo": "ecdsa",
    "size": 521
  },
  "names": [
    {
      "C": "US",
      "L": "Spring Hill",
      "O": "system:node-proxier",
      "OU": "8 Bit Computing",
      "ST": "Tennessee"
    }
  ]
}
JSON

# Sign with the cluster CA under the shared "kubernetes" profile.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-proxy-csr.json | cfssljson -bare kube-proxy

}

The Scheduler Client Certificate

# ---- kube-scheduler client certificate ------------------------------------
# CN=system:kube-scheduler is the user the built-in RBAC bootstrap binds to
# the system:kube-scheduler ClusterRole.
# Output: kube-scheduler.pem, kube-scheduler-key.pem, kube-scheduler.csr.
{

# No expansion wanted in the JSON; delimiter quoted.
cat > kube-scheduler-csr.json <<'JSON'
{
  "CN": "system:kube-scheduler",
  "key": {
    "algo": "ecdsa",
    "size": 521
  },
  "names": [
    {
      "C": "US",
      "L": "Spring Hill",
      "O": "system:kube-scheduler",
      "OU": "8 Bit Computing",
      "ST": "Tennessee"
    }
  ]
}
JSON

# Sign with the cluster CA under the shared "kubernetes" profile.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-scheduler-csr.json | cfssljson -bare kube-scheduler

}

The Kubernetes API Server Certificate

# ---- API server serving certificate (GCP / tutorial variant) ---------------
# NOTE(review): this block is the "Kubernetes The Hard Way" version, keyed to a
# GCP address named kubernetes-the-hard-way and the tutorial's 10.240.0.x
# controllers. The "Foo" block further down regenerates kubernetes-csr.json
# and kubernetes.pem for this cluster's real addresses; whichever block runs
# last wins, and this one fails where gcloud is not configured.
# Output: kubernetes.pem, kubernetes-key.pem, kubernetes.csr.
{

# Public address of the API endpoint, looked up from the current gcloud
# region. Quoted so an empty lookup cannot shift the remaining arguments.
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
  --region "$(gcloud config get-value compute/region)" \
  --format 'value(address)')

# In-cluster DNS names clients use to reach the API server.
KUBERNETES_HOSTNAMES=kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local

# No expansion wanted in the JSON; delimiter quoted.
cat > kubernetes-csr.json <<'JSON'
{
  "CN": "kubernetes",
  "key": {
    "algo": "ecdsa",
    "size": 521
  },
  "names": [
    {
      "C": "US",
      "L": "Spring Hill",
      "O": "Kubernetes",
      "OU": "8 Bit Computing",
      "ST": "Tennessee"
    }
  ]
}
JSON

# SANs: presumably 10.32.0.1 is the kubernetes Service ClusterIP (first
# address of the service CIDR) and 10.240.0.10-12 the controllers — confirm
# against the cluster's actual CIDRs. A missing SAN here shows up as TLS
# verification failures from in-cluster clients.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname="10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,${KUBERNETES_PUBLIC_ADDRESS},127.0.0.1,${KUBERNETES_HOSTNAMES}" \
  -profile=kubernetes \
  kubernetes-csr.json | cfssljson -bare kubernetes

}

The Service Account Key Pair

# ---- service-account key pair ---------------------------------------------
# Key pair for service-account tokens rather than for TLS: presumably the
# public half is given to the API server to verify tokens and the private half
# to the controller-manager to sign them — confirm against the component
# flags used on this cluster. The private key is as sensitive as the CA key,
# since it can mint tokens for any service account.
# Output: service-account.pem, service-account-key.pem, service-account.csr.
{

# No expansion wanted in the JSON; delimiter quoted.
cat > service-account-csr.json <<'JSON'
{
  "CN": "service-accounts",
  "key": {
    "algo": "ecdsa",
    "size": 521
  },
  "names": [
    {
      "C": "US",
      "L": "Spring Hill",
      "O": "Kubernetes",
      "OU": "8 Bit Computing",
      "ST": "Tennessee"
    }
  ]
}
JSON

# Signed with the cluster CA like the other pairs; the certificate itself is
# only a carrier for the public key here.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  service-account-csr.json | cfssljson -bare service-account

}

Distribute the Client and Server Certificates

Copy the appropriate certificates and private keys to each worker instance:

# Copy the CA certificate plus each worker's own key pair to that worker.
# NOTE(review): the instance names here (worker-0..2) and the gcloud transport
# are the tutorial's; the kubelet loop above generates files for
# us-wrk-01..04, so this loop will not find the certificates it names.
# The private key travels with the copy — make sure it lands owner-readable
# only on the destination.
for instance in worker-0 worker-1 worker-2; do
  gcloud compute scp ca.pem "${instance}-key.pem" "${instance}.pem" "${instance}:~/"
done

Copy the appropriate certificates and private keys to each controller instance:

# Copy the CA pair, the API server serving pair and the service-account pair to
# each controller.
# NOTE(review): controller-0..2 and gcloud scp are the tutorial's names and
# transport; confirm they match this cluster (the "Foo" block refers to
# us-ctrl-01/02). ca-key.pem is the cluster's root of trust — it should only
# reach hosts that actually need to sign (e.g. the controller-manager) and
# must land with owner-only permissions.
for instance in controller-0 controller-1 controller-2; do
  gcloud compute scp \
    ca.pem ca-key.pem \
    kubernetes-key.pem kubernetes.pem \
    service-account-key.pem service-account.pem \
    "${instance}:~/"
done

Foo

# ---- API server serving certificate (this cluster) -------------------------
# Regenerates kubernetes-csr.json / kubernetes.pem with the addresses and
# names actually used by this cluster, overwriting whatever the GCP-oriented
# "Kubernetes API Server Certificate" block above produced.
# Output: kubernetes.pem, kubernetes-key.pem, kubernetes.csr.

# Fixed public endpoint address (no cloud lookup here).
KUBERNETES_PUBLIC_ADDRESS=10.1.10.6

# Controller host names, the cluster's external service name, and the
# in-cluster DNS names — every name a client might use to reach the API.
KUBERNETES_HOSTNAMES=us-ctrl-01,us-ctrl-01.nodes.8bitwizard.net,us-ctrl-02,us-ctrl-02.nodes.8bitwizard.net,us-k8s.svc.8bitwizard.net,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local

# No expansion wanted in the JSON; delimiter quoted.
# NOTE(review): OU here is "8 Bit Kubernetes" while every other CSR on the
# page uses "8 Bit Computing" — confirm which is intended.
cat > kubernetes-csr.json <<'JSON'
{
  "CN": "kubernetes",
  "key": {
    "algo": "ecdsa",
    "size": 521
  },
  "names": [
    {
      "C": "US",
      "L": "Spring Hill",
      "O": "Kubernetes",
      "OU": "8 Bit Kubernetes",
      "ST": "Tennessee"
    }
  ]
}
JSON

# SANs: presumably 10.1.42.1 is the kubernetes Service ClusterIP and
# 10.1.20.13/14 the controller addresses — confirm against the real CIDRs;
# a name or address missing here surfaces as TLS verification failures.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname="10.1.42.1,10.1.20.13,10.1.20.14,${KUBERNETES_PUBLIC_ADDRESS},127.0.0.1,${KUBERNETES_HOSTNAMES}" \
  -profile=kubernetes \
  kubernetes-csr.json | cfssljson -bare kubernetes