Provisioning a CA and Generating TLS Certificates
In this lab you will provision a PKI Infrastructure using openssl to bootstrap a Certificate Authority, and generate TLS certificates for the following components: kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, and kube-proxy. The commands in this section should be run from the jumpbox.
Certificate Authority
In this section you will
provision a Certificate Authority that can be used to generate additional TLS
certificates for the other Kubernetes components. Setting up CA and generating
certificates using openssl can be time-consuming, especially when doing it for the first
time. To streamline this lab, I’ve included an openssl configuration file
ca.conf, which defines all the details needed to generate certificates for each
Kubernetes component.
Take a moment to review the ca.conf configuration
file:
cat ca.conf
You don’t need to understand everything in the ca.conf
file to complete this tutorial, but you should consider it a starting point for
learning openssl and the configuration that goes into managing certificates
at a high level.
Every certificate authority starts with a private key and root certificate. In this section we are going to create a self-signed certificate authority, and while that’s all we need for this tutorial, this shouldn’t be considered something you would do in a real-world production environment.
Generate the CA configuration file, certificate, and private key:
{
openssl genrsa -out ca.key 4096
openssl req -x509 -new -sha512 -noenc \
-key ca.key -days 3653 \
-config ca.conf \
-out ca.crt
}
Results:
ca.crt
ca.key
Create Client and Server Certificates
In this section you will
generate client and server certificates for each Kubernetes component and a
client certificate for the Kubernetes admin user.
Generate the certificates and private keys:
certs=(
"admin" "worker-0" "worker-1" "worker-2"
"kube-proxy" "kube-scheduler"
"kube-controller-manager"
"kube-api-server"
"service-accounts"
)
for i in ${certs[*]}; do
openssl genrsa -out "${i}.key" 4096
openssl req -new -key "${i}.key" -sha256 \
-config "ca.conf" -section ${i} \
-out "${i}.csr"
openssl x509 -req -days 3653 -in "${i}.csr" \
-copy_extensions copyall \
-sha256 -CA "ca.crt" \
-CAkey "ca.key" \
-CAcreateserial \
-out "${i}.crt"
done
The results of running the above command will generate a private key, certificate request, and signed SSL certificate for each of the Kubernetes components. You can list the generated files with the following command:
ls -1 *.crt *.key *.csr
The
kube-proxy,kube-controller-manager,kube-scheduler, andkubeletclient certificates will be used to generate client authentication configuration files in the next lab.
Distribute the Client and Server Certificates
In this section you will copy the various certificates to every machine at a path where each Kubernetes component will search for its certificate pair. In a real-world environment these certificates should be treated like a set of sensitive secrets as they are used as credentials by the Kubernetes components to authenticate to each other.
Copy the appropriate certificates and private keys to the worker-0 and other worker machines:
for host in worker-0 worker-1 worker-2; do
lxc exec ${host} -- mkdir -p /var/lib/kubelet/
lxc file push ca.crt ${host}/var/lib/kubelet/
lxc file push ${host}.crt ${host}/var/lib/kubelet/
lxc file push ${host}.key ${host}/var/lib/kubelet/
done
Copy the appropriate certificates and private keys to the master machine:
for host in master-0 master-1 master-2; do
lxc file push kube-api-server.key ${host}/home/ubuntu/
lxc file push kube-api-server.crt ${host}/home/ubuntu/
lxc file push service-accounts.key ${host}/home/ubuntu/
lxc file push service-accounts.crt ${host}/home/ubuntu/
lxc file push ca.key ${host}/home/ubuntu/
lxc file push ca.crt ${host}/home/ubuntu/
done
The
kube-proxy,kube-controller-manager,kube-scheduler, andkubeletclient certificates will be used to generate client authentication configuration files in the next lab.
Next: Generating Kubernetes Configuration Files for Authentication