From 5c7685eb80699a8a74af9b18ad0217d3f7eaf36d Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Tue, 1 Feb 2022 17:50:06 -0800
Subject: [PATCH] Starting on cert renewal pieces

---
docs/03-compute-resources.md | 4 +-
docs/04-certificate-authority.md | 89 +++++++++++--------
...08-bootstrapping-kubernetes-controllers.md | 3 +-
docs/{13-smoke-test.md => 14-smoke-test.md} | 0
docs/{14-cleanup.md => 15-cleanup.md} | 0
5 files changed, 54 insertions(+), 42 deletions(-)
rename docs/{13-smoke-test.md => 14-smoke-test.md} (100%)
rename docs/{14-cleanup.md => 15-cleanup.md} (100%)

diff --git a/docs/03-compute-resources.md b/docs/03-compute-resources.md
index a5402bb..f93dff3 100644
--- a/docs/03-compute-resources.md
+++ b/docs/03-compute-resources.md
@@ -43,11 +43,11 @@ gcloud compute firewall-rules create kubernetes-the-hard-way-allow-internal \
 --source-ranges 10.240.0.0/24,10.200.0.0/16
 ```

-Create a firewall rule that allows external SSH, ICMP, and HTTPS:
+Create a firewall rule that allows external SSH, ICMP, HTTPS, and step-ca traffic:

 ```
 gcloud compute firewall-rules create kubernetes-the-hard-way-allow-external \
- --allow tcp:22,tcp:6443,icmp \
+ --allow tcp:22,tcp:4443,tcp:6443,icmp \
 --network kubernetes-the-hard-way \
 --source-ranges 0.0.0.0/0
 ```
diff --git a/docs/04-certificate-authority.md b/docs/04-certificate-authority.md
index 98fba24..5844642 100644
--- a/docs/04-certificate-authority.md
+++ b/docs/04-certificate-authority.md
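Review bot: Adding `tcp:4443` to a rule whose `--source-ranges` is `0.0.0.0/0` publishes the step-ca API to the whole internet rather than to the cluster. The nodes that enrol with the CA live in 10.240.0.0/24, which the `allow-internal` rule above this hunk is presumably already covering (its `--allow` is outside the visible lines), so an external opening on 4443 is only needed if the operator's workstation talks to the CA directly; if that is the intent, the prose should say so and a separate rule restricted to the operator's address (e.g. `--source-ranges <OPERATOR_IP>/32`) would keep the exposure minimal. Whether the provisioner password alone is considered sufficient protection for a CA reachable from anywhere is worth stating explicitly in the text.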
@@ -17,9 +17,10 @@ Download the `step` client and `step-ca` server binaries, and the `jq` command:
 ```
 {
 wget -q --show-progress --https-only --timestamping \
- "https://dl.step.sm/gh-release/certificates/gh-release-header/v0.18.0/step-ca_linux_0.18.0_amd64.tar.gz"
-wget -q --show-progress --https-only --timestamping \
- "https://dl.step.sm/gh-release/cli/gh-release-header/v0.18.0/step_linux_0.18.0_amd64.tar.gz"
+ "https://dl.step.sm/gh-release/certificates/gh-release-header/v0.18.0/step-ca_linux_0.18.0_amd64.tar.gz" \
+ "https://dl.step.sm/gh-release/cli/gh-release-header/v0.18.0/step_linux_0.18.0_amd64.tar.gz" \
+ "https://raw.githubusercontent.com/smallstep/cli/master/systemd/cert-renewer%40.service" \
+ "https://raw.githubusercontent.com/smallstep/cli/master/systemd/cert-renewer%40.timer"
 sudo apt update
 sudo apt install -y jq
 }
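Review bot: The `cert-renewer%40.service` and `cert-renewer%40.timer` files are fetched from `smallstep/cli/master`, a moving branch, while the binaries next to them are pinned to `v0.18.0`; a systemd unit that is presumably going to be installed later can therefore change under the reader without any notice. Pin the two raw URLs to the same release tag as the binaries (replace `master` in the path with that tag, after confirming the tag carries `systemd/cert-renewer@.service`) so the page stays reproducible. None of the four downloads is integrity-checked beyond `--https-only`; if the release publishes checksums, a `sha256sum -c` step before the archives are extracted would close that gap.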
@@ -70,21 +71,53 @@ sudo -E step ca init --name="admin" \ --address=":4443" --provisioner="kubernetes" \ --password-file="$(step path)/password" \ --provisioner-password-file="provisioner-password" -sudo -E step ca provisioner add acme --type ACME } ``` +Add an X509 certificate template file: + +``` +mkdir -p /etc/step-ca/templates/x509 + +# Server cert template. +cat < /etc/step-ca/templates/x509/kubernetes.tpl +{ + "subject": { +{{- if .Insecure.User.Organization }} + "organization": {{ toJson .Insecure.User.Organization }}, +{{- end }} + "commonName": {{ toJson .Subject.CommonName }}, + "organizationalUnit": {{ toJson .OrganizationalUnit }} + }, + "sans": {{ toJson .SANs }}, +{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }} + "keyUsage": ["keyEncipherment", "digitalSignature"], +{{- else }} + "keyUsage": ["digitalSignature"], +{{- end }} + "extKeyUsage": ["serverAuth", "clientAuth"] +} +EOF +``` + Configure the CA provisioner to issue 90-day certificates: ``` { -sudo jq '(.authority.provisioners[]) += { +cat <<< $(jq '(.authority.provisioners[] | select(.name == "kubernetes")) += { "claims": { "maxTLSCertDuration": "2160h", "defaultTLSCertDuration": "2160h" + }, + "options": { + "x509": { + "templateFile": "templates/x509/kubernetes.tpl", + "templateData": { + "OrganizationalUnit": "Kubernetes The Hard Way" + } + } } -}' /etc/step-ca/config/ca.json > ca-new.json -sudo mv ca-new.json /etc/step-ca/config/ca.json + }' /etc/step-ca/config/ca.json) > /etc/step-ca/config/ca.json } ``` 
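Review bot: The in-place rewrite `cat <<< $(jq '…' /etc/step-ca/config/ca.json) > /etc/step-ca/config/ca.json` has no failure path: the command substitution runs first, and if `jq` exits non-zero (a filter typo, no provisioner named `kubernetes`, an unreadable file) the redirection still truncates the CA's only config file to an empty line. Writing to a scratch file and moving it into place, as the removed lines did, keeps the original intact on error: `jq '…' /etc/step-ca/config/ca.json > ca-new.json && sudo mv ca-new.json /etc/step-ca/config/ca.json`. `sudo` has also disappeared from this block and from `mkdir -p /etc/step-ca/templates/x509` while `step ca init` in the same hunk still runs under `sudo -E`, so if `/etc/step-ca` is root-owned as that suggests both writes fail with permission denied; and `cat < /etc/step-ca/templates/x509/kubernetes.tpl` followed by a bare `EOF` reads like a heredoc whose `<<EOF >` was lost in rendering, which is worth re-checking in the page source. The `# Server cert template.` comment is misleading as well: the template carries `serverAuth` and `clientAuth` together and, through `templateFile` on the `kubernetes` provisioner, shapes every certificate that provisioner issues, including the client certificates of the later sections, so each of those becomes usable as a server certificate too; `# Template for every certificate the kubernetes provisioner issues (server and client).` would describe it, and a separate client template without `serverAuth` would be the tighter design.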
@@ -234,34 +267,6 @@ Output: Updated [https://www.googleapis.com/compute/v1/projects/project-id-xxxxxx]. ``` -### Bootstrapping remote instances - - -Run each command on every node: - -``` -{ -for i in 0 1 2; do - gcloud compute ssh worker-${i} -- \ - step ca bootstrap \ - --ca-url "$(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/project/attributes/STEP_CA_URL)" \ - --fingerprint "$(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/project/attributes/STEP_CA_FINGERPRINT)" - gcloud compute ssh worker-${i} -- \ - step ca bootstrap \ - --ca-url "$(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/project/attributes/STEP_CA_URL)" \ - --fingerprint "$(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/project/attributes/STEP_CA_FINGERPRINT)" -done -} -``` - -Output: - -``` -The root certificate has been saved in /home/carl/.step/certs/root_ca.crt. -The authority configuration has been saved in /home/carl/.step/config/defaults.json. -``` - - ## Client and Server Certificates In this section you will generate client and server certificates for each Kubernetes component and a client certificate for the Kubernetes `admin` user. @@ -272,9 +277,11 @@ On your local machine, generate the `admin` client certificate and private key: ``` { -step ca certificate admin admin.pem admin-key.pem \ - --provisioner="kubernetes" \ - --provisioner-password-file="provisioner-password" + step ca certificate admin admin.pem admin-key.pem \ + --provisioner="kubernetes" \ + --provisioner-password-file="provisioner-password" \ + --set "Organization=system:masters" \ + --kty RSA } ``` 
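Review bot: `--set "Organization=system:masters"` is what makes this certificate cluster-admin, and because the template reads it from `.Insecure.User.Organization`, the group is chosen entirely by whoever presents `provisioner-password`; the page should state plainly that this password is now equivalent to cluster-admin and deserves the same handling the old `ca-key.pem` had. It is also worth noting beside the command that Kubernetes does not check revocation for client certificates, so a leaked `admin.pem` stays valid until the 2160h lifetime configured in the provisioner claims runs out. The re-indentation of the `step ca certificate` call is style-only and fine.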
@@ -304,6 +311,7 @@ step ca certificate "system:node:${instance}" ${instance}.pem ${instance}-key.pe
 --san "${instance}" \
 --san "${EXTERNAL_IP}" \
 --san "${INTERNAL_IP}" \
+ --set "Organization=system:nodes" \
 --provisioner "kubernetes" \
 --provisioner-password-file "provisioner-password"
 done
@@ -328,14 +336,17 @@ Generate the `kube-controller-manager`, `kube-proxy`, and `kube-scheduler` clien
 {
 step ca certificate "system:kube-controller-manager" kube-controller-manager.pem kube-controller-manager-key.pem \
 --kty RSA \
+ --set "Organization=system:kube-controller-manager" \
 --provisioner "kubernetes" \
 --provisioner-password-file "provisioner-password"
 step ca certificate "system:kube-proxy" kube-proxy.pem kube-proxy-key.pem \
 --kty RSA \
+ --set "Organization=system:node-proxier" \
 --provisioner "kubernetes" \
 --provisioner-password-file "provisioner-password"
 step ca certificate "system:kube-scheduler" kube-scheduler.pem kube-scheduler-key.pem \
 --kty RSA \
+ --set "Organization=system:kube-scheduler" \
 --provisioner "kubernetes" \
 --provisioner-password-file "provisioner-password"
 }
@@ -376,6 +387,7 @@ step ca certificate "kubernetes" kubernetes.pem kubernetes-key.pem \
 --san 10.240.0.12 \
 --san ${KUBERNETES_PUBLIC_ADDRESS} \
 --san 127.0.0.1 \
+ --set "Organization=Kubernetes" \
 --provisioner "kubernetes" \
 --provisioner-password-file "provisioner-password"
 }
@@ -400,6 +412,7 @@ Generate the `service-account` certificate and private key:
 {
 step ca certificate "service-accounts" service-account.pem service-account-key.pem \
 --kty RSA \
+ --set "Organization=Kubernetes" \
 --provisioner "kubernetes" \
 --provisioner-password-file "provisioner-password"
 }
diff --git a/docs/08-bootstrapping-kubernetes-controllers.md b/docs/08-bootstrapping-kubernetes-controllers.md
index ede6ce0..7bf1384 100644
--- a/docs/08-bootstrapping-kubernetes-controllers.md
+++ b/docs/08-bootstrapping-kubernetes-controllers.md
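Review bot: Each `--set "Organization=…"` added in these four hunks is what becomes the certificate's `O=` and therefore its RBAC group, but the template only emits an organization `if .Insecure.User.Organization` is set, so a forgotten or mistyped `--set` (the `--set "Organization=system:nodes"` line in the kubelet loop is the one the Node authorizer depends on) silently produces a certificate with no group and a puzzling authorization failure much later. A verification step after issuance, e.g. `step certificate inspect "${instance}.pem" --short`, together with the expected `O=` stated in the text, would catch that before the kubeconfigs are built. The kubelet loop's `for` line and the block's opening brace sit outside the first hunk.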
@@ -49,7 +49,7 @@ Install the Kubernetes binaries: { sudo mkdir -p /var/lib/kubernetes/ - sudo mv ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \ + sudo mv ca.pem kubernetes-key.pem kubernetes.pem \ service-account-key.pem service-account.pem \ encryption-config.yaml /var/lib/kubernetes/ } @@ -142,7 +142,6 @@ ExecStart=/usr/local/bin/kube-controller-manager \\ --cluster-cidr=10.200.0.0/16 \\ --cluster-name=kubernetes \\ --cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\ - --cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\ --kubeconfig=/var/lib/kubernetes/kube-controller-manager.kubeconfig \\ --leader-elect=true \\ --root-ca-file=/var/lib/kubernetes/ca.pem \\ diff --git a/docs/13-smoke-test.md b/docs/14-smoke-test.md similarity index 100% rename from docs/13-smoke-test.md rename to docs/14-smoke-test.md diff --git a/docs/14-cleanup.md b/docs/15-cleanup.md similarity index 100% rename from docs/14-cleanup.md rename to docs/15-cleanup.md
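Review bot: Dropping `--cluster-signing-key-file` while keeping `--cluster-signing-cert-file=/var/lib/kubernetes/ca.pem` leaves kube-controller-manager with half a signer; as far as I know the CSR signing controllers require both flags and otherwise stay disabled, so the CertificateSigningRequest API (kubelet serving-certificate rotation, for instance) will no longer work on this cluster. Either remove the `--cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\` line as well and say in the prose that CSR signing is intentionally off because the CA key now lives only in step-ca, or wire CSR signing up to the external CA. The first hunk's `sudo mv ca.pem kubernetes-key.pem kubernetes.pem \` is consistent with that intent, since `ca-key.pem` is no longer copied to the controllers at all, a least-privilege improvement worth calling out in the text; the `ExecStart=` unit body continues outside the second hunk.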