More edits

pull/707/merge^2
Carl Tashian 2022-02-01 13:06:06 -08:00
parent 397ca24343
commit 32680f9f67
1 changed files with 39 additions and 184 deletions


@ -300,7 +300,12 @@ EXTERNAL_IP=$(gcloud compute instances describe ${instance} \
INTERNAL_IP=$(gcloud compute instances describe ${instance} \ INTERNAL_IP=$(gcloud compute instances describe ${instance} \
--format 'value(networkInterfaces[0].networkIP)') --format 'value(networkInterfaces[0].networkIP)')
step ca certificate "system:node:${instance}" ${instance}.pem ${instance}-key.pem --san "${instance}" --san "${EXTERNAL_IP}" --san "${INTERNAL_IP}" --provisioner "kubernetes" --provisioner-password-file "provisioner-password" step ca certificate "system:node:${instance}" ${instance}.pem ${instance}-key.pem \
--san "${instance}" \
--san "${EXTERNAL_IP}" \
--san "${INTERNAL_IP}" \
--provisioner "kubernetes" \
--provisioner-password-file "provisioner-password"
done done
``` ```
@ -315,51 +320,24 @@ worker-2-key.pem
worker-2.pem worker-2.pem
``` ```
### The Controller Manager Client Certificate ### The Controller Manager Client Certificate
Generate the `kube-controller-manager` client certificate and private key: Generate the `kube-controller-manager`, `kube-proxy`, and `kube-scheduler` client certificates and private keys:
``` ```
{ {
step ca certificate "system:kube-controller-manager" kube-controller-manager.pem kube-controller-manager-key.pem \
cat > kube-controller-manager-csr.json <<EOF --kty RSA \
{ --provisioner "kubernetes" \
"CN": "system:kube-controller-manager", --provisioner-password-file "provisioner-password"
"key": { step ca certificate "system:kube-proxy" kube-proxy.pem kube-proxy-key.pem \
"algo": "rsa", --kty RSA \
"size": 2048 --provisioner "kubernetes" \
}, --provisioner-password-file "provisioner-password"
"names": [ step ca certificate "system:kube-scheduler" kube-scheduler.pem kube-scheduler-key.pem \
{ --kty RSA \
"C": "US", --provisioner "kubernetes" \
"L": "Portland", --provisioner-password-file "provisioner-password"
"O": "system:kube-controller-manager",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
} }
``` ```
@ -368,96 +346,12 @@ Results:
``` ```
kube-controller-manager-key.pem kube-controller-manager-key.pem
kube-controller-manager.pem kube-controller-manager.pem
```
### The Kube Proxy Client Certificate
Generate the `kube-proxy` client certificate and private key:
```
{
cat > kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:node-proxier",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-proxy-csr.json | cfssljson -bare kube-proxy
}
```
Results:
```
kube-proxy-key.pem kube-proxy-key.pem
kube-proxy.pem kube-proxy.pem
```
### The Scheduler Client Certificate
Generate the `kube-scheduler` client certificate and private key:
```
{
cat > kube-scheduler-csr.json <<EOF
{
"CN": "system:kube-scheduler",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:kube-scheduler",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-scheduler-csr.json | cfssljson -bare kube-scheduler
}
```
Results:
```
kube-scheduler-key.pem kube-scheduler-key.pem
kube-scheduler.pem kube-scheduler.pem
``` ```
### The Kubernetes API Server Certificate ### The Kubernetes API Server Certificate
The `kubernetes-the-hard-way` static IP address will be included in the list of subject alternative names for the Kubernetes API Server certificate. This will ensure the certificate can be validated by remote clients. The `kubernetes-the-hard-way` static IP address will be included in the list of subject alternative names for the Kubernetes API Server certificate. This will ensure the certificate can be validated by remote clients.
@ -466,40 +360,24 @@ Generate the Kubernetes API Server certificate and private key:
``` ```
{ {
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \ KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
--region $(gcloud config get-value compute/region) \ --region $(gcloud config get-value compute/region) \
--format 'value(address)') --format 'value(address)')
step ca certificate "kubernetes" kubernetes.pem kubernetes-key.pem \
KUBERNETES_HOSTNAMES=kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local --kty RSA \
--san kubernetes \
cat > kubernetes-csr.json <<EOF --san kubernetes.default \
{ --san kubernetes.default.svc \
"CN": "kubernetes", --san kubernetes.default.svc.cluster \
"key": { --san kubernetes.default.svc.cluster.local \
"algo": "rsa", --san 10.32.0.1 \
"size": 2048 --san 10.240.0.10 \
}, --san 10.240.0.11 \
"names": [ --san 10.240.0.12 \
{ --san ${KUBERNETES_PUBLIC_ADDRESS} \
"C": "US", --san 127.0.0.1 \
"L": "Portland", --provisioner "kubernetes" \
"O": "Kubernetes", --provisioner-password-file "provisioner-password"
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-hostname=10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,${KUBERNETES_PUBLIC_ADDRESS},127.0.0.1,${KUBERNETES_HOSTNAMES} \
-profile=kubernetes \
kubernetes-csr.json | cfssljson -bare kubernetes
} }
``` ```
@ -520,33 +398,10 @@ Generate the `service-account` certificate and private key:
``` ```
{ {
step ca certificate "service-accounts" service-account.pem service-account-key.pem \
cat > service-account-csr.json <<EOF --kty RSA \
{ --provisioner "kubernetes" \
"CN": "service-accounts", --provisioner-password-file "provisioner-password"
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
service-account-csr.json | cfssljson -bare service-account
} }
``` ```
@ -572,7 +427,7 @@ Copy the appropriate certificates and private keys to each controller instance:
``` ```
for instance in controller-0 controller-1 controller-2; do for instance in controller-0 controller-1 controller-2; do
gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \ gcloud compute scp ca.pem kubernetes-key.pem kubernetes.pem \
service-account-key.pem service-account.pem ${instance}:~/ service-account-key.pem service-account.pem ${instance}:~/
done done
``` ```
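Review bot: The worker kubelet certificates in the first hunk (`step ca certificate "system:node:${instance}" ...`) are now issued with only a CN, so the `system:nodes` organization that the removed cfssl CSRs placed in the subject is no longer present unless the `kubernetes` provisioner's certificate template supplies it; the Kubernetes Node authorizer and the `system:nodes` RBAC bindings key on that group, so kubelets could lose the node-scoped authorization the later steps of this guide rely on. Worth confirming by inspecting an issued certificate (`step certificate inspect worker-0.pem`) and, if the O is absent, carrying it through the provisioner's template (for example via `--set`), and documenting that requirement next to the command; the organizations dropped from the controller-manager, kube-proxy, scheduler, API server and service-account subjects in the later hunks matter only if a binding references them, which appears not to be the case for the defaults. Separately, `--san ${KUBERNETES_PUBLIC_ADDRESS}` and `${instance}.pem ${instance}-key.pem` are left unquoted while the sibling arguments are quoted, so quoting them would keep the style consistent. The `for instance in ...; do` loop that encloses the first hunk appears to start above it.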