kubernetes-the-hard-way/docs/02-certificate-authority.md

# Setting up a Certificate Authority and TLS Cert Generation

In this lab you will setup the necessary PKI infrastructure to secure the Kubernetes components. This lab will leverage CloudFlare's PKI toolkit, [cfssl](https://github.com/cloudflare/cfssl), to bootstrap a Certificate Authority and generate TLS certificates.

In this lab you will generate a set of TLS certificates that can be used to secure the following Kubernetes components:

* etcd
* kube-apiserver
* kubelet
* kube-proxy

After completing this lab you should have the following TLS keys and certificates:

```
admin.pem
admin-key.pem
ca-key.pem
ca.pem
kubernetes-key.pem
kubernetes.pem
kube-proxy.pem
kube-proxy-key.pem
```


## Install CFSSL

This lab requires the `cfssl` and `cfssljson` binaries. Download them from the [cfssl repository](https://pkg.cfssl.org).

### OS X

```
wget https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64
chmod +x cfssl_darwin-amd64
sudo mv cfssl_darwin-amd64 /usr/local/bin/cfssl
```

```
wget https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64
chmod +x cfssljson_darwin-amd64
sudo mv cfssljson_darwin-amd64 /usr/local/bin/cfssljson
```

### Linux

```
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
sudo mv cfssl_linux-amd64 /usr/local/bin/cfssl
```

```
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
```

## Set up a Certificate Authority

Create a CA configuration file:

```
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h"
      }
    }
  }
}
EOF
```

Create a CA certificate signing request:


```
cat > ca-csr.json <<EOF
{
  "CN": "Kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "Kubernetes",
      "OU": "CA",
      "ST": "Oregon"
    }
  ]
}
EOF
```

Generate the CA certificate and private key:

```
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
```

Results:

```
ca-key.pem
ca.pem
```

## Generate client and server TLS certificates

In this section we will generate TLS certificates for all each Kubernetes component and a client certificate for an admin client.


### Create the Admin client certificate

Create the admin client certificate signing request:

```
cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "system:masters",
      "OU": "Cluster",
      "ST": "Oregon"
    }
  ]
}
EOF
```

Generate the admin client certificate and private key:

```
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  admin-csr.json | cfssljson -bare admin
```

Results:

```
admin-key.pem
admin.pem
```

### Create the kube-proxy client certificate

Create the kube-proxy client certificate signing request:

```
cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "system:node-proxier",
      "OU": "Cluster",
      "ST": "Oregon"
    }
  ]
}
EOF
```

Generate the kube-proxy client certificate and private key:

```
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-proxy-csr.json | cfssljson -bare kube-proxy
```

Results:

```
kube-proxy-key.pem
kube-proxy.pem
```

### Create the kubernetes server certificate

Set the Kubernetes Public IP Address

The Kubernetes public IP address will be included in the list of subject alternative names for the Kubernetes server certificate. This will ensure the TLS certificate is valid for remote client access.

#### GCE

```
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
  --region us-central1 \
  --format 'value(address)')
```

#### AWS

```
KUBERNETES_PUBLIC_ADDRESS=$(aws elb describe-load-balancers \
  --load-balancer-name kubernetes | \
  jq -r '.LoadBalancerDescriptions[].DNSName')
```

---

Create the kubernetes server certificate signing request:

```
cat > kubernetes-csr.json <<EOF
{
  "CN": "kubernetes",
  "hosts": [
    "10.32.0.1",
    "10.240.0.10",
    "10.240.0.11",
    "10.240.0.12",
    "ip-10-240-0-10",
    "ip-10-240-0-11",
    "ip-10-240-0-12",
    "${KUBERNETES_PUBLIC_ADDRESS}",
    "127.0.0.1",
    "kubernetes.default"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "Kubernetes",
      "OU": "Cluster",
      "ST": "Oregon"
    }
  ]
}
EOF
```

Generate the Kubernetes certificate and private key:

```
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kubernetes-csr.json | cfssljson -bare kubernetes
```

Results:

```
kubernetes-key.pem
kubernetes.pem
```

## Distribute the TLS certificates

Set the list of Kubernetes hosts where the certs should be copied to:

```
KUBERNETES_WORKERS=(worker0 worker1 worker2)
```

```
KUBERNETES_CONTROLLERS=(controller0 controller1 controller2)
```

### GCE

The following command will:

* Copy the TLS certificates and keys to each Kubernetes host using the `gcloud compute copy-files` command.

```
for host in ${KUBERNETES_WORKERS[*]}; do
  gcloud compute copy-files ca.pem kube-proxy.pem kube-proxy-key.pem ${host}:~/
done
```

```
for host in ${KUBERNETES_CONTROLLERS[*]}; do
  gcloud compute copy-files ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem ${host}:~/
done
```

### AWS

The following command will:
 * Extract the public IP address for each Kubernetes host
 * Copy the TLS certificates and keys to each Kubernetes host using `scp`

```
for host in ${KUBERNETES_WORKERS[*]}; do
  PUBLIC_IP_ADDRESS=$(aws ec2 describe-instances \
    --filters "Name=tag:Name,Values=${host}" | \
    jq -r '.Reservations[].Instances[].PublicIpAddress')
  scp -o "StrictHostKeyChecking no" ca.pem kube-proxy.pem kube-proxy-key.pem \
    ubuntu@${PUBLIC_IP_ADDRESS}:~/
done
```

```
for host in ${KUBERNETES_CONTROLLERS[*]}; do
  PUBLIC_IP_ADDRESS=$(aws ec2 describe-instances \
    --filters "Name=tag:Name,Values=${host}" | \
    jq -r '.Reservations[].Instances[].PublicIpAddress')
  scp -o "StrictHostKeyChecking no" ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
    ubuntu@${PUBLIC_IP_ADDRESS}:~/
done
```
update docs 2016-07-07 17:52:54 +03:00			`# Setting up a Certificate Authority and TLS Cert Generation`
let the pain begin 2016-07-07 17:15:59 +03:00
fix some typos 2016-07-07 18:54:19 +03:00			`In this lab you will setup the necessary PKI infrastructure to secure the Kubernetes components. This lab will leverage CloudFlare's PKI toolkit, [cfssl](https://github.com/cloudflare/cfssl), to bootstrap a Certificate Authority and generate TLS certificates.`
update docs 2016-07-07 17:49:56 +03:00
update for 1.6 2017-03-25 19:44:23 +03:00			`In this lab you will generate a set of TLS certificates that can be used to secure the following Kubernetes components:`
update docs 2016-07-07 17:52:54 +03:00
			`* etcd`
update for 1.6 2017-03-25 19:44:23 +03:00			`* kube-apiserver`
			`* kubelet`
			`* kube-proxy`
update docs 2016-07-07 17:57:18 +03:00
update docs 2016-07-07 17:59:38 +03:00			`After completing this lab you should have the following TLS keys and certificates:`
update docs 2016-07-07 17:59:02 +03:00
			```
add authentication lab 2017-03-24 09:08:54 +03:00			`admin.pem`
			`admin-key.pem`
update docs 2016-07-07 17:59:02 +03:00			`ca-key.pem`
			`ca.pem`
			`kubernetes-key.pem`
			`kubernetes.pem`
add authentication lab 2017-03-24 09:08:54 +03:00			`kube-proxy.pem`
			`kube-proxy-key.pem`
update docs 2016-07-07 17:59:02 +03:00			```

update docs 2016-07-07 17:52:54 +03:00
update docs 2016-07-07 17:49:56 +03:00			`## Install CFSSL`

clean up docs 2016-07-09 07:09:05 +03:00			This lab requires the `cfssl` and `cfssljson` binaries. Download them from the [cfssl repository](https://pkg.cfssl.org).
let the pain begin 2016-07-07 17:15:59 +03:00
clean up docs 2016-07-09 06:59:01 +03:00			`### OS X`

			```
			`wget https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64`
			`chmod +x cfssl_darwin-amd64`
			`sudo mv cfssl_darwin-amd64 /usr/local/bin/cfssl`
			```

			```
			`wget https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64`
			`chmod +x cfssljson_darwin-amd64`
			`sudo mv cfssljson_darwin-amd64 /usr/local/bin/cfssljson`
			```

			`### Linux`

			```
			`wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64`
			`chmod +x cfssl_linux-amd64`
Fix cfssl mv command pathname for linux 2016-07-10 02:51:32 +03:00			`sudo mv cfssl_linux-amd64 /usr/local/bin/cfssl`
clean up docs 2016-07-09 06:59:01 +03:00			```

			```
			`wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64`
			`chmod +x cfssljson_linux-amd64`
			`sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson`
			```

update for 1.6 2017-03-25 19:44:23 +03:00			`## Set up a Certificate Authority`
let the pain begin 2016-07-07 17:15:59 +03:00
update for 1.6 2017-03-25 19:44:23 +03:00			`Create a CA configuration file:`
let the pain begin 2016-07-07 17:15:59 +03:00
			```
update for 1.6 2017-03-25 19:44:23 +03:00			`cat > ca-config.json <<EOF`
			`{`
let the pain begin 2016-07-07 17:15:59 +03:00			`"signing": {`
			`"default": {`
			`"expiry": "8760h"`
			`},`
			`"profiles": {`
			`"kubernetes": {`
			`"usages": ["signing", "key encipherment", "server auth", "client auth"],`
			`"expiry": "8760h"`
			`}`
			`}`
			`}`
update for 1.6 2017-03-25 19:44:23 +03:00			`}`
			`EOF`
let the pain begin 2016-07-07 17:15:59 +03:00			```

update for 1.6 2017-03-25 19:44:23 +03:00			`Create a CA certificate signing request:`
let the pain begin 2016-07-07 17:15:59 +03:00

			```
update for 1.6 2017-03-25 19:44:23 +03:00			`cat > ca-csr.json <<EOF`
			`{`
let the pain begin 2016-07-07 17:15:59 +03:00			`"CN": "Kubernetes",`
			`"key": {`
			`"algo": "rsa",`
			`"size": 2048`
			`},`
			`"names": [`
			`{`
			`"C": "US",`
			`"L": "Portland",`
			`"O": "Kubernetes",`
			`"OU": "CA",`
			`"ST": "Oregon"`
			`}`
			`]`
update for 1.6 2017-03-25 19:44:23 +03:00			`}`
			`EOF`
let the pain begin 2016-07-07 17:15:59 +03:00			```

			`Generate the CA certificate and private key:`

			```
			`cfssl gencert -initca ca-csr.json \| cfssljson -bare ca`
			```

			`Results:`

			```
			`ca-key.pem`
			`ca.pem`
			```

update for 1.6 2017-03-25 19:44:23 +03:00			`## Generate client and server TLS certificates`
let the pain begin 2016-07-07 17:15:59 +03:00
update for 1.6 2017-03-25 19:44:23 +03:00			`In this section we will generate TLS certificates for all each Kubernetes component and a client certificate for an admin client.`
add aws support 2016-09-11 04:49:06 +03:00
dry up the docs 2016-07-08 20:26:32 +03:00
update for 1.6 2017-03-25 19:44:23 +03:00			`### Create the Admin client certificate`
update docs 2016-07-08 00:10:49 +03:00
update for 1.6 2017-03-25 19:44:23 +03:00			`Create the admin client certificate signing request:`
update to Kubernetes 1.6 2017-03-24 05:48:14 +03:00
			```
			`cat > admin-csr.json <<EOF`
			`{`
			`"CN": "admin",`
			`"hosts": [],`
			`"key": {`
			`"algo": "rsa",`
			`"size": 2048`
			`},`
			`"names": [`
			`{`
			`"C": "US",`
			`"L": "Portland",`
			`"O": "system:masters",`
			`"OU": "Cluster",`
			`"ST": "Oregon"`
			`}`
			`]`
			`}`
			`EOF`
			```

update for 1.6 2017-03-25 19:44:23 +03:00			`Generate the admin client certificate and private key:`
update to Kubernetes 1.6 2017-03-24 05:48:14 +03:00
			```
			`cfssl gencert \`
			`-ca=ca.pem \`
			`-ca-key=ca-key.pem \`
			`-config=ca-config.json \`
			`-profile=kubernetes \`
			`admin-csr.json \| cfssljson -bare admin`
			```

			`Results:`

			```
			`admin-key.pem`
			`admin.pem`
			```

update for 1.6 2017-03-25 19:44:23 +03:00			`### Create the kube-proxy client certificate`

			`Create the kube-proxy client certificate signing request:`
add authentication lab 2017-03-24 09:08:54 +03:00
			```
			`cat > kube-proxy-csr.json <<EOF`
			`{`
			`"CN": "system:kube-proxy",`
			`"hosts": [],`
			`"key": {`
			`"algo": "rsa",`
			`"size": 2048`
			`},`
			`"names": [`
			`{`
			`"C": "US",`
			`"L": "Portland",`
			`"O": "system:node-proxier",`
			`"OU": "Cluster",`
			`"ST": "Oregon"`
			`}`
			`]`
			`}`
			`EOF`
			```

update for 1.6 2017-03-25 19:44:23 +03:00			`Generate the kube-proxy client certificate and private key:`
add authentication lab 2017-03-24 09:08:54 +03:00
			```
			`cfssl gencert \`
			`-ca=ca.pem \`
			`-ca-key=ca-key.pem \`
			`-config=ca-config.json \`
			`-profile=kubernetes \`
			`kube-proxy-csr.json \| cfssljson -bare kube-proxy`
			```

			`Results:`

			```
			`kube-proxy-key.pem`
			`kube-proxy.pem`
			```

update for 1.6 2017-03-25 19:44:23 +03:00			`### Create the kubernetes server certificate`
add authentication lab 2017-03-24 09:08:54 +03:00
update for 1.6 2017-03-25 19:44:23 +03:00			`Set the Kubernetes Public IP Address`

			`The Kubernetes public IP address will be included in the list of subject alternative names for the Kubernetes server certificate. This will ensure the TLS certificate is valid for remote client access.`

			`#### GCE`

			```
			`KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \`
			`--region us-central1 \`
			`--format 'value(address)')`
			```

			`#### AWS`

			```
			`KUBERNETES_PUBLIC_ADDRESS=$(aws elb describe-load-balancers \`
			`--load-balancer-name kubernetes \| \`
			`jq -r '.LoadBalancerDescriptions[].DNSName')`
			```

			`---`

			`Create the kubernetes server certificate signing request:`
add aws support 2016-09-11 04:49:06 +03:00
let the pain begin 2016-07-07 17:15:59 +03:00			```
dry up the docs 2016-07-08 20:26:32 +03:00			`cat > kubernetes-csr.json <<EOF`
			`{`
let the pain begin 2016-07-07 17:15:59 +03:00			`"CN": "kubernetes",`
			`"hosts": [`
clean up docs 2016-07-09 10:15:26 +03:00			`"10.32.0.1",`
let the pain begin 2016-07-07 17:15:59 +03:00			`"10.240.0.10",`
			`"10.240.0.11",`
			`"10.240.0.12",`
update for 1.6 2017-03-25 19:44:23 +03:00			`"ip-10-240-0-10",`
			`"ip-10-240-0-11",`
			`"ip-10-240-0-12",`
add support for aws 2016-09-11 13:02:27 +03:00			`"${KUBERNETES_PUBLIC_ADDRESS}",`
add kubernetes.default to kubernetes-csr.json hosts 2016-10-13 00:47:40 +03:00			`"127.0.0.1",`
			`"kubernetes.default"`
let the pain begin 2016-07-07 17:15:59 +03:00			`],`
			`"key": {`
			`"algo": "rsa",`
			`"size": 2048`
			`},`
			`"names": [`
			`{`
			`"C": "US",`
			`"L": "Portland",`
			`"O": "Kubernetes",`
			`"OU": "Cluster",`
			`"ST": "Oregon"`
			`}`
			`]`
dry up the docs 2016-07-08 20:26:32 +03:00			`}`
			`EOF`
			```

			`Generate the Kubernetes certificate and private key:`

let the pain begin 2016-07-07 17:15:59 +03:00			```
			`cfssl gencert \`
clean up docs 2016-07-09 03:10:40 +03:00			`-ca=ca.pem \`
			`-ca-key=ca-key.pem \`
			`-config=ca-config.json \`
			`-profile=kubernetes \`
			`kubernetes-csr.json \| cfssljson -bare kubernetes`
let the pain begin 2016-07-07 17:15:59 +03:00			```

update docs 2016-07-07 17:57:18 +03:00			`Results:`

			```
			`kubernetes-key.pem`
			`kubernetes.pem`
			```

update for 1.6 2017-03-25 19:44:23 +03:00			`## Distribute the TLS certificates`
update docs 2016-07-08 00:15:06 +03:00
add support for AWS 2016-09-11 05:13:17 +03:00			`Set the list of Kubernetes hosts where the certs should be copied to:`

			```
update for 1.6 2017-03-25 19:44:23 +03:00			`KUBERNETES_WORKERS=(worker0 worker1 worker2)`
add support for AWS 2016-09-11 05:13:17 +03:00			```

update to Kubernetes 1.6 2017-03-24 05:48:14 +03:00			```
			`KUBERNETES_CONTROLLERS=(controller0 controller1 controller2)`
			```

add support for AWS 2016-09-11 05:13:17 +03:00			`### GCE`

add support for aws 2016-09-11 05:17:55 +03:00			`The following command will:`

			* Copy the TLS certificates and keys to each Kubernetes host using the `gcloud compute copy-files` command.

add support for AWS 2016-09-11 05:13:17 +03:00			```
update for 1.6 2017-03-25 19:44:23 +03:00			`for host in ${KUBERNETES_WORKERS[*]}; do`
			`gcloud compute copy-files ca.pem kube-proxy.pem kube-proxy-key.pem ${host}:~/`
update to Kubernetes 1.6 2017-03-24 05:48:14 +03:00			`done`
			```

			```
			`for host in ${KUBERNETES_CONTROLLERS[*]}; do`
			`gcloud compute copy-files ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem ${host}:~/`
add support for AWS 2016-09-11 05:13:17 +03:00			`done`
			```

			`### AWS`

add support for aws 2016-09-11 05:17:55 +03:00			`The following command will:`
			`* Extract the public IP address for each Kubernetes host`
			* Copy the TLS certificates and keys to each Kubernetes host using `scp`

update docs 2016-07-08 00:15:06 +03:00			```
update for 1.6 2017-03-25 19:44:23 +03:00			`for host in ${KUBERNETES_WORKERS[*]}; do`
add support for AWS 2016-09-11 05:13:17 +03:00			`PUBLIC_IP_ADDRESS=$(aws ec2 describe-instances \`
			`--filters "Name=tag:Name,Values=${host}" \| \`
jq -j is not a valid option. I think the author meant jq -r 2016-09-15 05:37:20 +03:00			`jq -r '.Reservations[].Instances[].PublicIpAddress')`
update for 1.6 2017-03-25 19:44:23 +03:00			`scp -o "StrictHostKeyChecking no" ca.pem kube-proxy.pem kube-proxy-key.pem \`
update to Kubernetes 1.6 2017-03-24 05:48:14 +03:00			`ubuntu@${PUBLIC_IP_ADDRESS}:~/`
			`done`
			```

			```
update for 1.6 2017-03-25 19:44:23 +03:00			`for host in ${KUBERNETES_CONTROLLERS[*]}; do`
update to Kubernetes 1.6 2017-03-24 05:48:14 +03:00			`PUBLIC_IP_ADDRESS=$(aws ec2 describe-instances \`
			`--filters "Name=tag:Name,Values=${host}" \| \`
			`jq -r '.Reservations[].Instances[].PublicIpAddress')`
			`scp -o "StrictHostKeyChecking no" ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \`
add support for AWS 2016-09-11 05:13:17 +03:00			`ubuntu@${PUBLIC_IP_ADDRESS}:~/`
			`done`
Fix cfssl mv command pathname for linux 2016-07-10 02:51:32 +03:00			```