kubernetes-the-hard-way/docs/certificate-authority.md

# Setting up a Certificate Authority and TLS Cert Generation

In this lab you will setup the necessary PKI infrastructure to secure the Kubernetes components. This lab will leverage CloudFlare's PKI toolkit, [cfssl](https://github.com/cloudflare/cfssl), to bootstrap a Certificate Authority and generate TLS certificates.

In this lab you will setup a Certificate Authority and generate a single set of TLS certificates that can be used to secure the following Kubernetes components:

* etcd
* Kubernetes API Server
* Kubernetes Kubelet

> In production you should strongly consider generating individual TLS certificates for each component.

After completing this lab you should have the following TLS keys and certificates:

```
ca-key.pem
ca.pem
kubernetes-key.pem
kubernetes.pem
```


## Install CFSSL

Follow the [CFSSL installation guide](https://github.com/cloudflare/cfssl#installation) and install `cfssl` and `cfssljson` binaries.

## Setting up a Certificate Authority

### Create the CA configuration file

```
echo '{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h"
      }
    }
  }
}' > ca-config.json
```

### Generate the CA certificate and private key

Create the CA CSR:

```
echo '{
  "CN": "Kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "Kubernetes",
      "OU": "CA",
      "ST": "Oregon"
    }
  ]
}' > ca-csr.json
```

Generate the CA certificate and private key:

```
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
```

Results:

```
ca-key.pem
ca.csr
ca.pem
```

### Verification

```
openssl x509 -in ca.pem -text -noout
```

## Generate the single Kubernetes TLS Cert

In this section we will generate a TLS certificate that will be valid for all Kubernetes components. This is being done for ease of use. In production you should strongly consider generating individual TLS certificates for each component.

```
echo '{
  "CN": "kubernetes",
  "hosts": [
    "10.240.0.10",
    "10.240.0.11",
    "10.240.0.12",
    "10.240.0.20",
    "10.240.0.21",
    "10.240.0.22",
    "10.240.0.30",
    "10.240.0.31",
    "10.240.0.32",
    "146.148.34.151",
    "127.0.0.1"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Portland",
      "O": "Kubernetes",
      "OU": "Cluster",
      "ST": "Oregon"
    }
  ]
}' > kubernetes-csr.json
```

```
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kubernetes-csr.json | cfssljson -bare kubernetes
```

Results:

```
kubernetes-key.pem
kubernetes.csr
kubernetes.pem
```

### Verification

```
openssl x509 -in kubernetes.pem -text -noout
```
update docs 2016-07-07 17:52:54 +03:00			`# Setting up a Certificate Authority and TLS Cert Generation`
let the pain begin 2016-07-07 17:15:59 +03:00
fix some typos 2016-07-07 18:54:19 +03:00			`In this lab you will setup the necessary PKI infrastructure to secure the Kubernetes components. This lab will leverage CloudFlare's PKI toolkit, [cfssl](https://github.com/cloudflare/cfssl), to bootstrap a Certificate Authority and generate TLS certificates.`
update docs 2016-07-07 17:49:56 +03:00
update docs 2016-07-08 00:07:15 +03:00			`In this lab you will setup a Certificate Authority and generate a single set of TLS certificates that can be used to secure the following Kubernetes components:`
update docs 2016-07-07 17:52:54 +03:00
			`* etcd`
			`* Kubernetes API Server`
			`* Kubernetes Kubelet`

update docs 2016-07-07 17:57:18 +03:00			`> In production you should strongly consider generating individual TLS certificates for each component.`

update docs 2016-07-07 17:59:38 +03:00			`After completing this lab you should have the following TLS keys and certificates:`
update docs 2016-07-07 17:59:02 +03:00
			```
			`ca-key.pem`
			`ca.pem`
			`kubernetes-key.pem`
			`kubernetes.pem`
			```

update docs 2016-07-07 17:52:54 +03:00
update docs 2016-07-07 17:49:56 +03:00			`## Install CFSSL`

			Follow the [CFSSL installation guide](https://github.com/cloudflare/cfssl#installation) and install `cfssl` and `cfssljson` binaries.
let the pain begin 2016-07-07 17:15:59 +03:00
update docs 2016-07-07 17:52:54 +03:00			`## Setting up a Certificate Authority`
let the pain begin 2016-07-07 17:15:59 +03:00
			`### Create the CA configuration file`

			```
			`echo '{`
			`"signing": {`
			`"default": {`
			`"expiry": "8760h"`
			`},`
			`"profiles": {`
			`"kubernetes": {`
			`"usages": ["signing", "key encipherment", "server auth", "client auth"],`
			`"expiry": "8760h"`
			`}`
			`}`
			`}`
			`}' > ca-config.json`
			```

			`### Generate the CA certificate and private key`

			`Create the CA CSR:`

			```
			`echo '{`
			`"CN": "Kubernetes",`
			`"key": {`
			`"algo": "rsa",`
			`"size": 2048`
			`},`
			`"names": [`
			`{`
			`"C": "US",`
			`"L": "Portland",`
			`"O": "Kubernetes",`
			`"OU": "CA",`
			`"ST": "Oregon"`
			`}`
			`]`
			`}' > ca-csr.json`
			```

			`Generate the CA certificate and private key:`

			```
			`cfssl gencert -initca ca-csr.json \| cfssljson -bare ca`
			```

			`Results:`

			```
			`ca-key.pem`
			`ca.csr`
			`ca.pem`
			```

update docs 2016-07-07 17:57:18 +03:00			`### Verification`

let the pain begin 2016-07-07 17:15:59 +03:00			```
			`openssl x509 -in ca.pem -text -noout`
			```

update docs 2016-07-07 17:57:18 +03:00			`## Generate the single Kubernetes TLS Cert`
let the pain begin 2016-07-07 17:15:59 +03:00
update docs 2016-07-07 17:57:18 +03:00			`In this section we will generate a TLS certificate that will be valid for all Kubernetes components. This is being done for ease of use. In production you should strongly consider generating individual TLS certificates for each component.`
let the pain begin 2016-07-07 17:15:59 +03:00
			```
			`echo '{`
			`"CN": "kubernetes",`
			`"hosts": [`
			`"10.240.0.10",`
			`"10.240.0.11",`
			`"10.240.0.12",`
			`"10.240.0.20",`
			`"10.240.0.21",`
			`"10.240.0.22",`
			`"10.240.0.30",`
			`"10.240.0.31",`
			`"10.240.0.32",`
			`"146.148.34.151",`
			`"127.0.0.1"`
			`],`
			`"key": {`
			`"algo": "rsa",`
			`"size": 2048`
			`},`
			`"names": [`
			`{`
			`"C": "US",`
			`"L": "Portland",`
			`"O": "Kubernetes",`
			`"OU": "Cluster",`
			`"ST": "Oregon"`
			`}`
			`]`
			`}' > kubernetes-csr.json`
			```

			```
			`cfssl gencert \`
			`-ca=ca.pem \`
			`-ca-key=ca-key.pem \`
			`-config=ca-config.json \`
			`-profile=kubernetes \`
			`kubernetes-csr.json \| cfssljson -bare kubernetes`
			```

update docs 2016-07-07 17:57:18 +03:00			`Results:`

			```
			`kubernetes-key.pem`
			`kubernetes.csr`
			`kubernetes.pem`
			```

			`### Verification`

let the pain begin 2016-07-07 17:15:59 +03:00			```
			`openssl x509 -in kubernetes.pem -text -noout`
fix some typos 2016-07-07 18:54:19 +03:00			```