mirrors
/
kubernetes-the-hard-way
mirror of https://github.com/kelseyhightower/kubernetes-the-hard-way
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

The chapter 'Provisioning a CA and Generating TLS Certificates' is updated.

pull/443/head
Pick1a1username 2019-02-16 17:58:38 +09:00
parent a0f2e96831
commit 1a6b69f4e2
1 changed files with 18 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
docs/04-certificate-authority.md
View File

@ -1,6 +1,6 @@
# Provisioning a CA and Generating TLS Certificates # Provisioning a CA and Generating TLS Certificates
In this lab you will provision a [PKI Infrastructure](https://en.wikipedia.org/wiki/Public_key_infrastructure) using CloudFlare's PKI toolkit, [cfssl](https://github.com/cloudflare/cfssl), then use it to bootstrap a Certificate Authority, and generate TLS certificates for the following components: etcd, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, and kube-proxy. In this chapter, you will provision a [PKI Infrastructure](https://en.wikipedia.org/wiki/Public_key_infrastructure) using CloudFlare's PKI toolkit, [cfssl](https://github.com/cloudflare/cfssl), then use it to bootstrap a Certificate Authority, and generate TLS certificates for the following components: etcd, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, and kube-proxy.
## Certificate Authority ## Certificate Authority
@ -9,7 +9,7 @@ In this section you will provision a Certificate Authority that can be used to g
Generate the CA configuration file, certificate, and private key: Generate the CA configuration file, certificate, and private key:
``` ```
{ $ {
cat > ca-config.json <<EOF cat > ca-config.json <<EOF
{ {
@ -67,7 +67,7 @@ In this section you will generate client and server certificates for each Kubern
Generate the `admin` client certificate and private key: Generate the `admin` client certificate and private key:
``` ```
{ $ {
cat > admin-csr.json <<EOF cat > admin-csr.json <<EOF
{ {
@ -112,10 +112,10 @@ Kubernetes uses a [special-purpose authorization mode](https://kubernetes.io/doc
Generate a certificate and private key for each Kubernetes worker node: Generate a certificate and private key for each Kubernetes worker node:
``` ```
for instance in worker-0 worker-1 worker-2; do $ for num in 1 2 3; do
cat > ${instance}-csr.json <<EOF cat > worker-${num}-csr.json <<EOF
{ {
"CN": "system:node:${instance}", "CN": "system:node:worker-${num}",
"key": { "key": {
"algo": "rsa", "algo": "rsa",
"size": 2048 "size": 2048
@ -132,19 +132,15 @@ cat > ${instance}-csr.json <<EOF
} }
EOF EOF
EXTERNAL_IP=$(gcloud compute instances describe ${instance} \ INTERNAL_IP=10.240.0.2${num}
--format 'value(networkInterfaces[0].accessConfigs[0].natIP)')
INTERNAL_IP=$(gcloud compute instances describe ${instance} \
--format 'value(networkInterfaces[0].networkIP)')
cfssl gencert \ cfssl gencert \
-ca=ca.pem \ -ca=ca.pem \
-ca-key=ca-key.pem \ -ca-key=ca-key.pem \
-config=ca-config.json \ -config=ca-config.json \
-hostname=${instance},${EXTERNAL_IP},${INTERNAL_IP} \ -hostname=worker-${num},${INTERNAL_IP} \
-profile=kubernetes \ -profile=kubernetes \
${instance}-csr.json | cfssljson -bare ${instance} ${instance}-csr.json | cfssljson -bare worker-${num}
done done
``` ```
@ -297,11 +293,7 @@ The `kubernetes-the-hard-way` static IP address will be included in the list of
Generate the Kubernetes API Server certificate and private key: Generate the Kubernetes API Server certificate and private key:
``` ```
{ $ {
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
--region $(gcloud config get-value compute/region) \
--format 'value(address)')
cat > kubernetes-csr.json <<EOF cat > kubernetes-csr.json <<EOF
{ {
@ -326,7 +318,7 @@ cfssl gencert \
-ca=ca.pem \ -ca=ca.pem \
-ca-key=ca-key.pem \ -ca-key=ca-key.pem \
-config=ca-config.json \ -config=ca-config.json \
-hostname=10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,${KUBERNETES_PUBLIC_ADDRESS},127.0.0.1,kubernetes.default \ -hostname=10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,10.240.0.13,127.0.0.1,kubernetes.default \
-profile=kubernetes \ -profile=kubernetes \
kubernetes-csr.json | cfssljson -bare kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
@ -391,17 +383,19 @@ service-account.pem
Copy the appropriate certificates and private keys to each worker instance: Copy the appropriate certificates and private keys to each worker instance:
``` ```
for instance in worker-0 worker-1 worker-2; do $ USERNAME=<User Name of Virtual Machines>
gcloud compute scp ca.pem ${instance}-key.pem ${instance}.pem ${instance}:~/ $ for num in 1 2 3; do
scp -i ~/.ssh/id_rsa-k8s.pub ca.pem worker-${num}-key.pem worker-${num}.pem ${USERNAME}@10.240.0.2${num}:~/
done done
``` ```
Copy the appropriate certificates and private keys to each controller instance: Copy the appropriate certificates and private keys to each controller instance:
``` ```
for instance in controller-0 controller-1 controller-2; do $ USERNAME=<User Name of Virtual Machines>
gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \ $ for num in 1 2 3; do
service-account-key.pem service-account.pem ${instance}:~/ scp -i ~/.ssh/id_rsa-k8s.pub ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
service-account-key.pem service-account.pem ${USERNAME}@10.240.0.1${num}:~/
done done
``` ```