K8S Certificates: Difference between revisions
No edit summary |
m Adding CA Creation |
||
| Line 1: | Line 1: | ||
=== CA Creation === | |||
<syntaxhighlight lang="bash"> | |||
{ | |||
cat > ca-config.json <<EOF | |||
{ | |||
"signing": { | |||
"default": { | |||
"expiry": "8760h" | |||
}, | |||
"profiles": { | |||
"kubernetes": { | |||
"usages": ["signing", "key encipherment", "server auth", "client auth"], | |||
"expiry": "8760h" | |||
} | |||
} | |||
} | |||
} | |||
EOF | |||
cat > ca-csr.json <<EOF | |||
{ | |||
"CN": "Kubernetes", | |||
"key": { | |||
"algo": "rsa", | |||
"size": 2048 | |||
}, | |||
"names": [ | |||
{ | |||
"C": "US", | |||
"L": "Portland", | |||
"O": "Kubernetes", | |||
"OU": "CA", | |||
"ST": "Oregon" | |||
} | |||
] | |||
} | |||
EOF | |||
cfssl gencert -initca ca-csr.json | cfssljson -bare ca | |||
} | |||
</syntaxhighlight> | |||
=== Foo === | === Foo === | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
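Review bot: The `cfssl gencert -initca ca-csr.json | cfssljson -bare ca` pipeline that closes the added block has no failure handling, so a gencert error (malformed CSR JSON, missing binary) surfaces only as whatever cfssljson reports on empty input and the block's status is cfssljson's, not cfssl's; wrapping it as `( set -o pipefail; cfssl gencert -initca ca-csr.json | cfssljson -bare ca ) || printf 'error: CA generation failed\n' >&2` makes the failure explicit without leaking pipefail into the caller's interactive shell. Two points deserve a comment in the block: the `8760h` expiry values in ca-config.json apply to certificates signed later with `-config`/`-profile`, not to the CA certificate itself — as far as I recall `-initca` ignores that file and takes the CA lifetime from an optional `"ca": {"expiry": "..."}` entry in ca-csr.json, so confirm against the cfssl version in use; and the single `kubernetes` profile carries both `server auth` and `client auth`, so every certificate later issued with `-profile=kubernetes` is valid in either role. Neither heredoc contains a shell expansion, so `<<'EOF'` would state that intent and protect the JSON from a future `$`. A note that `ca-key.pem` lands in the current directory and signs everything else on the page would also help whoever pastes this.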
Revision as of 04:44, 1 June 2021
CA Creation
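# Bootstrap the cluster root CA with cfssl, in the current directory.
# Writes:
#   ca-config.json   signing policy consumed later via -config/-profile
#   ca-csr.json      subject and key parameters of the self-signed CA cert
#   ca.pem, ca-key.pem, ca.csr   produced by `cfssljson -bare ca`
# ca-key.pem signs every other certificate on this page (-ca-key=ca-key.pem
# below); keep it off shared or world-readable storage.
{
  # Quoted delimiter: the policy is literal JSON, nothing is expanded.
  # The expiry values here apply to certificates signed with this config,
  # not to the CA certificate itself (see the note above -initca below).
  # The single "kubernetes" profile carries both server auth and client auth,
  # so every cert issued with -profile=kubernetes is valid in either role.
  cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h"
      }
    }
  }
}
EOF
  cat > ca-csr.json <<'EOF'
{
  "CN": "Kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "Kubernetes",
      "OU": "CA",
      "ST": "Oregon"
    }
  ]
}
EOF
  # NOTE(review): -initca does not read ca-config.json; the CA's own lifetime
  # comes from an optional "ca": {"expiry": "..."} entry in ca-csr.json, else
  # cfssl's built-in default — confirm against the cfssl version in use.
  # pipefail inside a subshell so a gencert failure is reported instead of
  # being masked by cfssljson's status, without altering the caller's shell.
  if ! ( set -o pipefail; cfssl gencert -initca ca-csr.json | cfssljson -bare ca ); then
    printf 'error: CA generation failed; ca.pem/ca-key.pem may be missing\n' >&2
  fi
}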
Worker node certificates
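# Issue one certificate per worker node, signed by the CA from the previous
# section. CN/O follow the system:node:<name> / system:nodes convention that
# kubelets present as their identity. SANs: the short name, the node's DNS
# name, and every address that name resolves to.
for instance in us-wrk-01 us-wrk-02 us-wrk-03 us-wrk-04; do
  # Unquoted delimiter on purpose: ${instance} is expanded into the CN.
  cat > "${instance}-csr.json" <<EOF
{
  "CN": "system:node:${instance}",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Nashville",
      "O": "system:nodes",
      "OU": "8 Bit Kubernetes",
      "ST": "Tennessee"
    }
  ]
}
EOF
  node_fqdn="${instance}.node.8bitwizard.net"
  # Read every line dig returns: a single word variable breaks the -hostname
  # argument when the name has several records or does not resolve at all.
  mapfile -t node_addrs < <(dig +short "$node_fqdn")
  if (( ${#node_addrs[@]} == 0 )); then
    # A node cert without the node's address as a SAN is not usable; skip
    # rather than emit a trailing-comma hostname list.
    printf 'warn: %s does not resolve; skipping %s\n' "$node_fqdn" "$instance" >&2
    continue
  fi
  # Same order as before: short name, DNS name, resolved addresses.
  sans=$(IFS=,; printf '%s' "$instance,$node_fqdn,${node_addrs[*]}")
  # pipefail inside a subshell so a gencert failure for this node is reported
  # instead of being masked by cfssljson's status.
  if ! ( set -o pipefail
         cfssl gencert \
           -ca=ca.pem \
           -ca-key=ca-key.pem \
           -config=ca-config.json \
           -hostname="$sans" \
           -profile=kubernetes \
           "${instance}-csr.json" | cfssljson -bare "$instance" ); then
    printf 'error: certificate generation failed for %s\n' "$instance" >&2
  fi
done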
Kubernetes API server certificate
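# Issue the kube-apiserver serving certificate. The SAN list must cover every
# name and address clients use to reach the API server: the control-plane
# nodes, the front-end address, the in-cluster service names and loopback.
KUBERNETES_PUBLIC_ADDRESS=10.1.10.6
# NOTE(review): the in-cluster FQDN kubernetes.default.svc.cluster.local is
# not in this list; add it if in-cluster clients use the full service name
# (confirm the cluster domain first).
KUBERNETES_HOSTNAMES=us-ctrl-01,us-ctrl-01.nodes.8bitwizard.net,us-ctrl-02,us-ctrl-02.nodes.8bitwizard.net,us-k8s.svc.8bitwizard.net,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local
# Address SANs, in the original order. The first three are presumably the
# service-network API address and the control-plane node addresses — confirm
# against the cluster layout before reusing.
apiserver_ips=(10.1.42.1 10.1.20.13 10.1.20.14 "$KUBERNETES_PUBLIC_ADDRESS" 127.0.0.1)
sans=$(IFS=,; printf '%s,%s' "${apiserver_ips[*]}" "$KUBERNETES_HOSTNAMES")
# Quoted delimiter: the CSR is literal JSON, nothing is expanded.
cat > kubernetes-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Nashville",
      "O": "Kubernetes",
      "OU": "8 Bit Kubernetes",
      "ST": "Tennessee"
    }
  ]
}
EOF
# pipefail inside a subshell so a gencert failure is reported instead of
# being masked by cfssljson's status, without altering the caller's shell.
if ! ( set -o pipefail
       cfssl gencert \
         -ca=ca.pem \
         -ca-key=ca-key.pem \
         -config=ca-config.json \
         -hostname="$sans" \
         -profile=kubernetes \
         kubernetes-csr.json | cfssljson -bare kubernetes ); then
  printf 'error: API server certificate generation failed\n' >&2
fi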