kubernetes-the-hard-way/docs/02-certificate-authority.md

299 lines
6.0 KiB
Markdown
Raw Normal View History

2016-07-07 17:52:54 +03:00
# Setting up a Certificate Authority and TLS Cert Generation
2016-07-07 17:15:59 +03:00
2016-07-07 18:54:19 +03:00
In this lab you will setup the necessary PKI infrastructure to secure the Kubernetes components. This lab will leverage CloudFlare's PKI toolkit, [cfssl](https://github.com/cloudflare/cfssl), to bootstrap a Certificate Authority and generate TLS certificates.
2016-07-07 17:49:56 +03:00
2016-07-08 00:07:51 +03:00
In this lab you will generate a single set of TLS certificates that can be used to secure the following Kubernetes components:
2016-07-07 17:52:54 +03:00
* etcd
* Kubernetes API Server
* Kubernetes Kubelet
2016-07-07 17:57:18 +03:00
> In production you should strongly consider generating individual TLS certificates for each component.
2016-07-07 17:59:38 +03:00
After completing this lab you should have the following TLS keys and certificates:
2016-07-07 17:59:02 +03:00
```
ca-key.pem
ca.pem
kubernetes-key.pem
kubernetes.pem
```
2016-07-07 17:52:54 +03:00
2016-07-07 17:49:56 +03:00
## Install CFSSL
2016-07-09 07:09:05 +03:00
This lab requires the `cfssl` and `cfssljson` binaries. Download them from the [cfssl repository](https://pkg.cfssl.org).
2016-07-07 17:15:59 +03:00
2016-07-09 06:59:01 +03:00
### OS X
```
wget https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64
chmod +x cfssl_darwin-amd64
sudo mv cfssl_darwin-amd64 /usr/local/bin/cfssl
```
```
wget https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64
chmod +x cfssljson_darwin-amd64
sudo mv cfssljson_darwin-amd64 /usr/local/bin/cfssljson
```
### Linux
```
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
sudo mv cfssl_linux-amd64 /usr/local/bin/cfssl
2016-07-09 06:59:01 +03:00
```
```
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
```
2016-07-07 17:52:54 +03:00
## Setting up a Certificate Authority
2016-07-07 17:15:59 +03:00
### Create the CA configuration file
```
echo '{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "8760h"
}
}
}
}' > ca-config.json
```
### Generate the CA certificate and private key
Create the CA CSR:
```
echo '{
"CN": "Kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "CA",
"ST": "Oregon"
}
]
}' > ca-csr.json
```
Generate the CA certificate and private key:
```
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
```
Results:
```
ca-key.pem
ca.csr
ca.pem
```
2016-07-07 17:57:18 +03:00
### Verification
2016-07-07 17:15:59 +03:00
```
openssl x509 -in ca.pem -text -noout
```
2016-07-07 17:57:18 +03:00
## Generate the single Kubernetes TLS Cert
2016-07-07 17:15:59 +03:00
2016-07-07 17:57:18 +03:00
In this section we will generate a TLS certificate that will be valid for all Kubernetes components. This is being done for ease of use. In production you should strongly consider generating individual TLS certificates for each component.
2016-07-07 17:15:59 +03:00
2016-09-11 13:02:27 +03:00
### Set the Kubernetes Public Address
2016-09-11 04:49:06 +03:00
#### GCE
2016-07-08 20:26:32 +03:00
2016-07-08 20:29:54 +03:00
```
2016-09-11 13:02:27 +03:00
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes \
2016-07-09 03:09:44 +03:00
--format 'value(address)')
2016-07-08 20:29:54 +03:00
```
2016-07-08 00:10:49 +03:00
2016-09-11 04:49:06 +03:00
#### AWS
```
2016-09-11 13:02:27 +03:00
KUBERNETES_PUBLIC_ADDRESS=$(aws elb describe-load-balancers \
2016-09-11 11:05:13 +03:00
--load-balancer-name kubernetes | \
jq -r '.LoadBalancerDescriptions[].DNSName')
2016-09-11 04:49:06 +03:00
```
#### Azure
this gets the address of the internal controllers load balancer
```
KUBERNETES_PUBLIC_ADDRESS=$(azure network lb show \
--resource-group the-hard-way \
--name the-hard-way-clb \
--json | \
jq -r '.frontendIPConfigurations[0].privateIPAddress')
```
2016-09-11 04:49:06 +03:00
---
Create the `kubernetes-csr.json` file:
2016-07-07 17:15:59 +03:00
```
2016-07-08 20:26:32 +03:00
cat > kubernetes-csr.json <<EOF
{
2016-07-07 17:15:59 +03:00
"CN": "kubernetes",
"hosts": [
2016-07-09 10:15:26 +03:00
"worker0",
"worker1",
"worker2",
2016-09-11 14:18:27 +03:00
"ip-10-240-0-30",
"ip-10-240-0-31",
"ip-10-240-0-32",
2016-07-09 10:15:26 +03:00
"10.32.0.1",
2016-07-07 17:15:59 +03:00
"10.240.0.10",
"10.240.0.11",
"10.240.0.12",
"10.240.0.20",
"10.240.0.21",
"10.240.0.22",
"10.240.0.30",
"10.240.0.31",
"10.240.0.32",
2016-09-11 13:02:27 +03:00
"${KUBERNETES_PUBLIC_ADDRESS}",
2016-07-07 17:15:59 +03:00
"127.0.0.1"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "Cluster",
"ST": "Oregon"
}
]
2016-07-08 20:26:32 +03:00
}
EOF
```
Generate the Kubernetes certificate and private key:
2016-07-07 17:15:59 +03:00
```
cfssl gencert \
2016-07-09 03:10:40 +03:00
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kubernetes-csr.json | cfssljson -bare kubernetes
2016-07-07 17:15:59 +03:00
```
2016-07-07 17:57:18 +03:00
Results:
```
kubernetes-key.pem
kubernetes.csr
kubernetes.pem
```
### Verification
2016-07-07 17:15:59 +03:00
```
openssl x509 -in kubernetes.pem -text -noout
2016-07-07 18:54:19 +03:00
```
2016-07-08 00:15:06 +03:00
2016-07-09 03:09:44 +03:00
## Copy TLS Certs
2016-07-08 00:15:06 +03:00
2016-09-11 05:13:17 +03:00
Set the list of Kubernetes hosts where the certs should be copied to:
```
KUBERNETES_HOSTS=(controller0 controller1 controller2 etcd0 etcd1 etcd2 worker0 worker1 worker2)
```
### GCE
2016-09-11 05:17:55 +03:00
The following command will:
* Copy the TLS certificates and keys to each Kubernetes host using the `gcloud compute copy-files` command.
2016-09-11 05:13:17 +03:00
```
for host in ${KUBERNETES_HOSTS[*]}; do
gcloud compute copy-files ca.pem kubernetes-key.pem kubernetes.pem ${host}:~/
done
```
### AWS
2016-09-11 05:17:55 +03:00
The following command will:
* Extract the public IP address for each Kubernetes host
* Copy the TLS certificates and keys to each Kubernetes host using `scp`
2016-07-08 00:15:06 +03:00
```
2016-09-11 05:13:17 +03:00
for host in ${KUBERNETES_HOSTS[*]}; do
PUBLIC_IP_ADDRESS=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=${host}" | \
jq -r '.Reservations[].Instances[].PublicIpAddress')
2016-09-11 05:13:17 +03:00
scp ca.pem kubernetes-key.pem kubernetes.pem \
ubuntu@${PUBLIC_IP_ADDRESS}:~/
done
```
### Azure
If you are using the jumpbox to create the certificates
```
for host in ${KUBERNETES_HOSTS[*]}; do
scp -i ./cluster ca.pem kubernetes-key.pem kubernetes.pem \
thehardway@${host}:~/
done
```
If you used a different machine
```
#Get jumpbox address
KUBERNETES_JUMPBOX_ADDRESS=$(azure network public-ip show \
--resource-group the-hard-way \
--name the-hard-way-jumpbox \
--json | jq -r '.dnsSettings.fqdn')
#Copy files to jumpbox
scp -i ./keys/cluster \
ca.pem \
kubernetes-key.pem \
kubernetes.pem \
thehardway@$KUBERNETES_JUMPBOX_ADDRESS:~/
# Copy files from jumpbox to vms
ssh -i ./keys/cluster \
thehardway@$KUBERNETES_JUMPBOX_ADDRESS <<'EOF'
KUBERNETES_HOSTS=(controller0 controller1 controller2 etcd0 etcd1 etcd2 worker0 worker1 worker2)
for host in ${KUBERNETES_HOSTS[*]}; do
scp -i ./cluster ca.pem kubernetes-key.pem kubernetes.pem \
thehardway@${host}:~/
done
EOF
```