Coverage for all cert renewal

pull/707/merge^2
Carl Tashian 2022-02-02 16:39:18 -08:00
parent ea551e5278
commit b9bf0744bb
2 changed files with 59 additions and 17 deletions

View File

@ -38,9 +38,7 @@ sudo mv step_0.18.0/bin/step /usr/local/bin/
Now create a `step` user and the paths for `step-ca`:
```
{
sudo useradd --system --home /etc/step-ca --shell /bin/false step
}
```
Create a CA configuration folder and generate passwords for the CA root key and the CA provisioner:
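Review bot: the lead-in still promises "a `step` user and the paths for `step-ca`", but the block now holds only the `useradd` line, and `useradd --system` does not create the directory passed with `--home` (system accounts never get a home directory created unless `-m` is given). Either add the `mkdir`/`chown` for `/etc/step-ca` inside the braces or trim the sentence to "create a `step` user". The `{ ... }` grouping around a single command can also go.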

View File

@ -1,6 +1,8 @@
# Configuring Certificate Renewal
## Prerequisites
The commands in this lab must be run on each controller instance: `controller-0`, `controller-1`, and `controller-2`. Login to each controller instance using the `gcloud` command. Example:
The commands in this section must be run on every instance: `controller-0`, `controller-1`, `controller-2`, `worker-0`, `worker-1`, and `worker-2`. Login to each instance using the `gcloud` command. Example:
```
gcloud compute ssh controller-0
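Review bot: "Login to each instance" should read "Log in to each instance" (the verb is two words); the same phrasing recurs in the two new Prerequisites sections added further down. With the scope widened to all six nodes, "Configuring Certificate Renewal" now sits at the same `#` level as the new "Controller Certificate Renewal" and "Worker Certificate Renewal" sections; consider a title that makes clear this first part is the common setup (tooling, CA bootstrap, renewer template) the two later sections build on.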
@ -8,26 +10,25 @@ gcloud compute ssh controller-0
## Download certificate management tools
Download the `step` CLI binary and renewal utility for systemd:
Run each command on every node.
Download the `step` CLI binary:
```
wget -q --show-progress --https-only --timestamping \
"https://dl.step.sm/gh-release/cli/gh-release-header/v0.18.0/step_linux_0.18.0_amd64.tar.gz" \
"https://files.smallstep.com/cert-renewer%40.service" \
"https://files.smallstep.com/cert-renewer%40.timer"
"https://dl.step.sm/gh-release/cli/gh-release-header/v0.18.0/step_linux_0.18.0_amd64.tar.gz"
```
Install the binary and renewal utility files:
Install the binary:
```
tar -xvf step_linux_0.18.0_amd64.tar.gz
sudo mv step_0.18.0/bin/step /usr/local/bin/
sudo systemctl daemon-reload
```
### Bootstrapping the CA on your controllers
### Bootstrapping with the CA
Run each command on every node:
Configure the host to trust your Certificate Authority:
```
{
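Review bot: the `step` tarball is still unpacked and moved into `/usr/local/bin` with no integrity check; now that the two unit files are no longer fetched from files.smallstep.com this is the only remote download left, so add a checksum verification against the value published with the v0.18.0 release before `tar -xvf`. Dropping `sudo systemctl daemon-reload` here is fine since nothing is installed under `/etc/systemd/system` at this step anymore. "Run each command on every node" now appears under both this heading and "Bootstrapping with the CA"; one sentence at the top of the section would do.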
@ -64,17 +65,17 @@ StartLimitIntervalSec=0
Type=oneshot
User=root
Environment=STEPPATH=/etc/step-ca \
CERT_LOCATION=/etc/step/certs/%i.crt \
Environment=STEPPATH=/etc/step-ca \\
CERT_LOCATION=/etc/step/certs/%i.crt \\
KEY_LOCATION=/etc/step/certs/%i.key
; ExecCondition checks if the certificate is ready for renewal,
; based on the exit status of the command.
; (In systemd <242, you can use ExecStartPre= here.)
ExecCondition=/usr/local/bin/step certificate needs-renewal ${CERT_LOCATION}
ExecCondition=/usr/local/bin/step certificate needs-renewal \${CERT_LOCATION}
; ExecStart renews the certificate, if ExecStartPre was successful.
ExecStart=/usr/local/bin/step ca renew --force ${CERT_LOCATION} ${KEY_LOCATION}
ExecStart=/usr/local/bin/step ca renew --force \${CERT_LOCATION} \${KEY_LOCATION}
[Install]
WantedBy=multi-user.target
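Review bot: the comment `; ExecStart renews the certificate, if ExecStartPre was successful.` is stale: the gate is `ExecCondition=`, so it should say "if ExecCondition succeeded". The added `\\` and `\$` escapes are needed because the unit is written through an unquoted `cat <<EOF` heredoc; quoting the delimiter (`cat <<'EOF'`) would avoid escaping every `$` and `\` and is safe for this file, since nothing in it is meant to expand at write time (unlike the kubelet override below, which relies on `${HOSTNAME}` expanding). Also worth a look: this template sets `STEPPATH=/etc/step-ca` while the controller and worker overrides set `STEPPATH=/root/.step`. It works because `Environment=` in a drop-in appends and the later assignment of the same variable wins, but the template default should match where `step ca bootstrap`, run as root, actually puts the CA config on these nodes.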
@ -106,6 +107,16 @@ WantedBy=timers.target
EOF
```
# Controller Certificate Renewal
## Prerequisites
The commands in this section must be run on every controller: `controller-0`, `controller-1`, `controller-2`. Login to each instance using the `gcloud` command. Example:
```
gcloud compute ssh controller-0
```
## Configure certificate renewal for etcd
Create and start a certificate renewal timer for etcd:
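Review bot: the controller list is missing its final "and" (`controller-0`, `controller-1`, and `controller-2`), which the other Prerequisites sections and the reminder at the end of this section use; keep them consistent.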
@ -194,6 +205,8 @@ sudo systemctl enable --now cert-renewer@kube-apiserver.timer
## Configure service account certificate renewal timer
The service account certificate and key is used by the API server, so we will need to restart it when the certificate file is updated:
```
sudo mkdir /etc/systemd/system/cert-renewer@kube-service-account.service.d
cat <<EOF | sudo tee /etc/systemd/system/cert-renewer@kube-service-account.service.d/override.conf
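Review bot: the sentence says the service account certificate and key "is used by the API server", but the override restarts `kube-controller-manager.service` as well (it signs service account tokens with this key), so the prose should name both and read "are used by the API server and the controller manager, so both must be restarted when the files are updated".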
@ -204,11 +217,42 @@ Environment=STEPPATH=/root/.step \\
KEY_LOCATION=/var/lib/kubernetes/service-account-key.pem
; Restart services that use the service account certificate or key
ExecStartPost=systemctl restart kube-controller-manager.service
ExecStartPost=systemctl restart kube-apiserver.service
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now cert-renewer@kube-service-account.timer
EOF
```
> Remember to run the above commands on each controller node: `controller-0`, `controller-1`, and `controller-2`.
# Worker Certificate Renewal
## Prerequisites
The commands in this section must be run on every worker: `worker-0`, `worker-1`, and `worker-2`. Login to each instance using the `gcloud` command. Example:
```
gcloud compute ssh worker-0
```
## Configure Certificate Renewal for `kubelet.service`
Run:
```
sudo mkdir /etc/systemd/system/cert-renewer@kubelet.service.d
cat <<EOF | sudo tee /etc/systemd/system/cert-renewer@kubelet.service.d/override.conf
[Service]
Environment=STEPPATH=/root/.step \\
CERT_LOCATION=/var/lib/kubelet/${HOSTNAME}.pem
\\
KEY_LOCATION=/var/lib/kubelet/${HOSTNAME}-key.pem
; Restart services that use the service account certificate or key
ExecStartPost=systemctl restart kubelet.service
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now cert-renewer@kubelet.timer
```
> Remember to run the above commands on each controller node: `worker-0`, `worker-1`, and `worker-2`.
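Review bot: the closing reminder of the new worker section says "each controller node" but lists `worker-0`, `worker-1`, and `worker-2`; it should say "each worker node". In the kubelet override the `\\` that continues the `Environment=` line sits on a line of its own between `CERT_LOCATION=` and `KEY_LOCATION=`; if that is not a rendering artifact, the written unit ends the `Environment=` assignment after `CERT_LOCATION` and systemd parses `KEY_LOCATION=...` as an unknown key and ignores it, leaving `step ca renew` without a key path, so join it to the end of the `CERT_LOCATION=` line as in the other overrides. The comment `; Restart services that use the service account certificate or key` was copied from the service-account override and should refer to the kubelet certificate. Moving `EOF` above `sudo systemctl daemon-reload` in the service-account override is the right fix (before, the reload and enable lines were written into `override.conf` rather than executed); using `mkdir -p` would also make both overrides safe to re-run.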