Starting on cert renewal pieces
parent
32680f9f67
commit
5c7685eb80
|
@ -43,11 +43,11 @@ gcloud compute firewall-rules create kubernetes-the-hard-way-allow-internal \
|
||||||
--source-ranges 10.240.0.0/24,10.200.0.0/16
|
--source-ranges 10.240.0.0/24,10.200.0.0/16
|
||||||
```
|
```
|
||||||
|
|
||||||
Create a firewall rule that allows external SSH, ICMP, and HTTPS:
|
Create a firewall rule that allows external SSH, ICMP, HTTPS, and step-ca traffic:
|
||||||
|
|
||||||
```
|
```
|
||||||
gcloud compute firewall-rules create kubernetes-the-hard-way-allow-external \
|
gcloud compute firewall-rules create kubernetes-the-hard-way-allow-external \
|
||||||
--allow tcp:22,tcp:6443,icmp \
|
--allow tcp:22,tcp:4443,tcp:6443,icmp \
|
||||||
--network kubernetes-the-hard-way \
|
--network kubernetes-the-hard-way \
|
||||||
--source-ranges 0.0.0.0/0
|
--source-ranges 0.0.0.0/0
|
||||||
```
|
```
|
||||||
|
|
|
@ -17,9 +17,10 @@ Download the `step` client and `step-ca` server binaries, and the `jq` command:
|
||||||
```
|
```
|
||||||
{
|
{
|
||||||
wget -q --show-progress --https-only --timestamping \
|
wget -q --show-progress --https-only --timestamping \
|
||||||
"https://dl.step.sm/gh-release/certificates/gh-release-header/v0.18.0/step-ca_linux_0.18.0_amd64.tar.gz"
|
"https://dl.step.sm/gh-release/certificates/gh-release-header/v0.18.0/step-ca_linux_0.18.0_amd64.tar.gz" \
|
||||||
wget -q --show-progress --https-only --timestamping \
|
"https://dl.step.sm/gh-release/cli/gh-release-header/v0.18.0/step_linux_0.18.0_amd64.tar.gz" \
|
||||||
"https://dl.step.sm/gh-release/cli/gh-release-header/v0.18.0/step_linux_0.18.0_amd64.tar.gz"
|
"https://raw.githubusercontent.com/smallstep/cli/master/systemd/cert-renewer%40.service" \
|
||||||
|
"https://raw.githubusercontent.com/smallstep/cli/master/systemd/cert-renewer%40.timer"
|
||||||
sudo apt update
|
sudo apt update
|
||||||
sudo apt install -y jq
|
sudo apt install -y jq
|
||||||
}
|
}
|
||||||
|
@ -70,21 +71,53 @@ sudo -E step ca init --name="admin" \
|
||||||
--address=":4443" --provisioner="kubernetes" \
|
--address=":4443" --provisioner="kubernetes" \
|
||||||
--password-file="$(step path)/password" \
|
--password-file="$(step path)/password" \
|
||||||
--provisioner-password-file="provisioner-password"
|
--provisioner-password-file="provisioner-password"
|
||||||
sudo -E step ca provisioner add acme --type ACME
|
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Add an X509 certificate template file:
|
||||||
|
|
||||||
|
```
|
||||||
|
mkdir -p /etc/step-ca/templates/x509
|
||||||
|
|
||||||
|
# Server cert template.
|
||||||
|
cat <<EOF > /etc/step-ca/templates/x509/kubernetes.tpl
|
||||||
|
{
|
||||||
|
"subject": {
|
||||||
|
{{- if .Insecure.User.Organization }}
|
||||||
|
"organization": {{ toJson .Insecure.User.Organization }},
|
||||||
|
{{- end }}
|
||||||
|
"commonName": {{ toJson .Subject.CommonName }},
|
||||||
|
"organizationalUnit": {{ toJson .OrganizationalUnit }}
|
||||||
|
},
|
||||||
|
"sans": {{ toJson .SANs }},
|
||||||
|
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
|
||||||
|
"keyUsage": ["keyEncipherment", "digitalSignature"],
|
||||||
|
{{- else }}
|
||||||
|
"keyUsage": ["digitalSignature"],
|
||||||
|
{{- end }}
|
||||||
|
"extKeyUsage": ["serverAuth", "clientAuth"]
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
```
|
||||||
|
|
||||||
Configure the CA provisioner to issue 90-day certificates:
|
Configure the CA provisioner to issue 90-day certificates:
|
||||||
|
|
||||||
```
|
```
|
||||||
{
|
{
|
||||||
sudo jq '(.authority.provisioners[]) += {
|
cat <<< $(jq '(.authority.provisioners[] | select(.name == "kubernetes")) += {
|
||||||
"claims": {
|
"claims": {
|
||||||
"maxTLSCertDuration": "2160h",
|
"maxTLSCertDuration": "2160h",
|
||||||
"defaultTLSCertDuration": "2160h"
|
"defaultTLSCertDuration": "2160h"
|
||||||
|
},
|
||||||
|
"options": {
|
||||||
|
"x509": {
|
||||||
|
"templateFile": "templates/x509/kubernetes.tpl",
|
||||||
|
"templateData": {
|
||||||
|
"OrganizationalUnit": "Kubernetes The Hard Way"
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}' /etc/step-ca/config/ca.json > ca-new.json
|
}' /etc/step-ca/config/ca.json) > /etc/step-ca/config/ca.json
|
||||||
sudo mv ca-new.json /etc/step-ca/config/ca.json
|
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -234,34 +267,6 @@ Output:
|
||||||
Updated [https://www.googleapis.com/compute/v1/projects/project-id-xxxxxx].
|
Updated [https://www.googleapis.com/compute/v1/projects/project-id-xxxxxx].
|
||||||
```
|
```
|
||||||
|
|
||||||
### Bootstrapping remote instances
|
|
||||||
|
|
||||||
|
|
||||||
Run each command on every node:
|
|
||||||
|
|
||||||
```
|
|
||||||
{
|
|
||||||
for i in 0 1 2; do
|
|
||||||
gcloud compute ssh worker-${i} -- \
|
|
||||||
step ca bootstrap \
|
|
||||||
--ca-url "$(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/project/attributes/STEP_CA_URL)" \
|
|
||||||
--fingerprint "$(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/project/attributes/STEP_CA_FINGERPRINT)"
|
|
||||||
gcloud compute ssh worker-${i} -- \
|
|
||||||
step ca bootstrap \
|
|
||||||
--ca-url "$(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/project/attributes/STEP_CA_URL)" \
|
|
||||||
--fingerprint "$(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/project/attributes/STEP_CA_FINGERPRINT)"
|
|
||||||
done
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
Output:
|
|
||||||
|
|
||||||
```
|
|
||||||
The root certificate has been saved in /home/carl/.step/certs/root_ca.crt.
|
|
||||||
The authority configuration has been saved in /home/carl/.step/config/defaults.json.
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## Client and Server Certificates
|
## Client and Server Certificates
|
||||||
|
|
||||||
In this section you will generate client and server certificates for each Kubernetes component and a client certificate for the Kubernetes `admin` user.
|
In this section you will generate client and server certificates for each Kubernetes component and a client certificate for the Kubernetes `admin` user.
|
||||||
|
@ -272,9 +277,11 @@ On your local machine, generate the `admin` client certificate and private key:
|
||||||
|
|
||||||
```
|
```
|
||||||
{
|
{
|
||||||
step ca certificate admin admin.pem admin-key.pem \
|
step ca certificate admin admin.pem admin-key.pem \
|
||||||
--provisioner="kubernetes" \
|
--provisioner="kubernetes" \
|
||||||
--provisioner-password-file="provisioner-password"
|
--provisioner-password-file="provisioner-password" \
|
||||||
|
--set "Organization=system:masters" \
|
||||||
|
--kty RSA
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -304,6 +311,7 @@ step ca certificate "system:node:${instance}" ${instance}.pem ${instance}-key.pe
|
||||||
--san "${instance}" \
|
--san "${instance}" \
|
||||||
--san "${EXTERNAL_IP}" \
|
--san "${EXTERNAL_IP}" \
|
||||||
--san "${INTERNAL_IP}" \
|
--san "${INTERNAL_IP}" \
|
||||||
|
--set "Organization=system:nodes" \
|
||||||
--provisioner "kubernetes" \
|
--provisioner "kubernetes" \
|
||||||
--provisioner-password-file "provisioner-password"
|
--provisioner-password-file "provisioner-password"
|
||||||
done
|
done
|
||||||
|
@ -328,14 +336,17 @@ Generate the `kube-controller-manager`, `kube-proxy`, and `kube-scheduler` clien
|
||||||
{
|
{
|
||||||
step ca certificate "system:kube-controller-manager" kube-controller-manager.pem kube-controller-manager-key.pem \
|
step ca certificate "system:kube-controller-manager" kube-controller-manager.pem kube-controller-manager-key.pem \
|
||||||
--kty RSA \
|
--kty RSA \
|
||||||
|
--set "Organization=system:kube-controller-manager" \
|
||||||
--provisioner "kubernetes" \
|
--provisioner "kubernetes" \
|
||||||
--provisioner-password-file "provisioner-password"
|
--provisioner-password-file "provisioner-password"
|
||||||
step ca certificate "system:kube-proxy" kube-proxy.pem kube-proxy-key.pem \
|
step ca certificate "system:kube-proxy" kube-proxy.pem kube-proxy-key.pem \
|
||||||
--kty RSA \
|
--kty RSA \
|
||||||
|
--set "Organization=system:node-proxier" \
|
||||||
--provisioner "kubernetes" \
|
--provisioner "kubernetes" \
|
||||||
--provisioner-password-file "provisioner-password"
|
--provisioner-password-file "provisioner-password"
|
||||||
step ca certificate "system:kube-scheduler" kube-scheduler.pem kube-scheduler-key.pem \
|
step ca certificate "system:kube-scheduler" kube-scheduler.pem kube-scheduler-key.pem \
|
||||||
--kty RSA \
|
--kty RSA \
|
||||||
|
--set "Organization=system:kube-scheduler" \
|
||||||
--provisioner "kubernetes" \
|
--provisioner "kubernetes" \
|
||||||
--provisioner-password-file "provisioner-password"
|
--provisioner-password-file "provisioner-password"
|
||||||
}
|
}
|
||||||
|
@ -376,6 +387,7 @@ step ca certificate "kubernetes" kubernetes.pem kubernetes-key.pem \
|
||||||
--san 10.240.0.12 \
|
--san 10.240.0.12 \
|
||||||
--san ${KUBERNETES_PUBLIC_ADDRESS} \
|
--san ${KUBERNETES_PUBLIC_ADDRESS} \
|
||||||
--san 127.0.0.1 \
|
--san 127.0.0.1 \
|
||||||
|
--set "Organization=Kubernetes" \
|
||||||
--provisioner "kubernetes" \
|
--provisioner "kubernetes" \
|
||||||
--provisioner-password-file "provisioner-password"
|
--provisioner-password-file "provisioner-password"
|
||||||
}
|
}
|
||||||
|
@ -400,6 +412,7 @@ Generate the `service-account` certificate and private key:
|
||||||
{
|
{
|
||||||
step ca certificate "service-accounts" service-account.pem service-account-key.pem \
|
step ca certificate "service-accounts" service-account.pem service-account-key.pem \
|
||||||
--kty RSA \
|
--kty RSA \
|
||||||
|
--set "Organization=Kubernetes" \
|
||||||
--provisioner "kubernetes" \
|
--provisioner "kubernetes" \
|
||||||
--provisioner-password-file "provisioner-password"
|
--provisioner-password-file "provisioner-password"
|
||||||
}
|
}
|
||||||
|
|
|
@ -49,7 +49,7 @@ Install the Kubernetes binaries:
|
||||||
{
|
{
|
||||||
sudo mkdir -p /var/lib/kubernetes/
|
sudo mkdir -p /var/lib/kubernetes/
|
||||||
|
|
||||||
sudo mv ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
|
sudo mv ca.pem kubernetes-key.pem kubernetes.pem \
|
||||||
service-account-key.pem service-account.pem \
|
service-account-key.pem service-account.pem \
|
||||||
encryption-config.yaml /var/lib/kubernetes/
|
encryption-config.yaml /var/lib/kubernetes/
|
||||||
}
|
}
|
||||||
|
@ -142,7 +142,6 @@ ExecStart=/usr/local/bin/kube-controller-manager \\
|
||||||
--cluster-cidr=10.200.0.0/16 \\
|
--cluster-cidr=10.200.0.0/16 \\
|
||||||
--cluster-name=kubernetes \\
|
--cluster-name=kubernetes \\
|
||||||
--cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\
|
--cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\
|
||||||
--cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\
|
|
||||||
--kubeconfig=/var/lib/kubernetes/kube-controller-manager.kubeconfig \\
|
--kubeconfig=/var/lib/kubernetes/kube-controller-manager.kubeconfig \\
|
||||||
--leader-elect=true \\
|
--leader-elect=true \\
|
||||||
--root-ca-file=/var/lib/kubernetes/ca.pem \\
|
--root-ca-file=/var/lib/kubernetes/ca.pem \\
|
||||||
|
|
Loading…
Reference in New Issue