From b9bf0744bbeb5aac8dedfdd08acee44aef1b741e Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Wed, 2 Feb 2022 16:39:18 -0800 Subject: [PATCH] Coverage for all cert renewal --- docs/04-certificate-authority.md | 2 - docs/13-certificate-renewal.md | 74 +++++++++++++++++++++++++------- 2 files changed, 59 insertions(+), 17 deletions(-) diff --git a/docs/04-certificate-authority.md b/docs/04-certificate-authority.md index 99e7673..2c2b2cd 100644 --- a/docs/04-certificate-authority.md +++ b/docs/04-certificate-authority.md @@ -38,9 +38,7 @@ sudo mv step_0.18.0/bin/step /usr/local/bin/ Now create a `step` user and the paths for `step-ca`: ``` -{ sudo useradd --system --home /etc/step-ca --shell /bin/false step -} ``` Create a CA configuration folder and generate passwords for the CA root key and the CA provisioner: diff --git a/docs/13-certificate-renewal.md b/docs/13-certificate-renewal.md index 338892b..fb517c3 100644 --- a/docs/13-certificate-renewal.md +++ b/docs/13-certificate-renewal.md @@ -1,6 +1,8 @@ +# Configuring Certificate Renewal + ## Prerequisites -The commands in this lab must be run on each controller instance: `controller-0`, `controller-1`, and `controller-2`. Login to each controller instance using the `gcloud` command. Example: +The commands in this section must be run on every instance: `controller-0`, `controller-1`, `controller-2`, `worker-0`, `worker-1`, and `worker-2`. Login to each instance using the `gcloud` command. Example: ``` gcloud compute ssh controller-0 
@@ -8,26 +10,25 @@ gcloud compute ssh controller-0 ## Download certificate management tools -Download the `step` CLI binary and renewal utility for systemd: +Run each command on every node. + +Download the `step` CLI binary: ``` wget -q --show-progress --https-only --timestamping \ - "https://dl.step.sm/gh-release/cli/gh-release-header/v0.18.0/step_linux_0.18.0_amd64.tar.gz" \ - "https://files.smallstep.com/cert-renewer%40.service" \ - "https://files.smallstep.com/cert-renewer%40.timer" + "https://dl.step.sm/gh-release/cli/gh-release-header/v0.18.0/step_linux_0.18.0_amd64.tar.gz" ``` -Install the binary and renewal utility files: +Install the binary: ``` tar -xvf step_linux_0.18.0_amd64.tar.gz sudo mv step_0.18.0/bin/step /usr/local/bin/ -sudo systemctl daemon-reload ``` -### Bootstrapping the CA on your controllers +### Bootstrapping with the CA -Run each command on every node: +Configure the host to trust your Certificate Authority: ``` { @@ -64,17 +65,17 @@ StartLimitIntervalSec=0 Type=oneshot User=root -Environment=STEPPATH=/etc/step-ca \ - CERT_LOCATION=/etc/step/certs/%i.crt \ +Environment=STEPPATH=/etc/step-ca \\ + CERT_LOCATION=/etc/step/certs/%i.crt \\ KEY_LOCATION=/etc/step/certs/%i.key ; ExecCondition checks if the certificate is ready for renewal, ; based on the exit status of the command. ; (In systemd <242, you can use ExecStartPre= here.) -ExecCondition=/usr/local/bin/step certificate needs-renewal ${CERT_LOCATION} +ExecCondition=/usr/local/bin/step certificate needs-renewal \${CERT_LOCATION} ; ExecStart renews the certificate, if ExecStartPre was successful. -ExecStart=/usr/local/bin/step ca renew --force ${CERT_LOCATION} ${KEY_LOCATION} +ExecStart=/usr/local/bin/step ca renew --force \${CERT_LOCATION} \${KEY_LOCATION} [Install] WantedBy=multi-user.target 
@@ -106,6 +107,16 @@ WantedBy=timers.target EOF ``` +# Controller Certificate Renewal + +## Prerequisites + +The commands in this section must be run on every controller: `controller-0`, `controller-1`, `controller-2`. Login to each instance using the `gcloud` command. Example: + +``` +gcloud compute ssh controller-0 +``` + ## Configure certificate renewal for etcd Create and start a certificate renewal timer for etcd: @@ -194,6 +205,8 @@ sudo systemctl enable --now cert-renewer@kube-apiserver.timer ## Configure service account certificate renewal timer +The service account certificate and key is used by the API server, so we will need to restart it when the certificate file is updated: + ``` sudo mkdir /etc/systemd/system/cert-renewer@kube-service-account.service.d cat < Remember to run the above commands on each controller node: `controller-0`, `controller-1`, and `controller-2`. + +# Worker Certificate Renewal + +## Prerequisites + +The commands in this section must be run on every worker: `worker-0`, `worker-1`, and `worker-2`. Login to each instance using the `gcloud` command. Example: + +``` +gcloud compute ssh worker-0 +``` + +## Configure Certificate Renewal for `kubelet.service` + +Run: + +``` +sudo mkdir /etc/systemd/system/cert-renewer@kubelet.service.d +cat < Remember to run the above commands on each controller node: `worker-0`, `worker-1`, and `worker-2`.
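Review bot: in hunk `@@ -8,26 +10,25 @@` of docs/13-certificate-renewal.md, dropping `sudo systemctl daemon-reload` along with the downloaded unit files leaves no reload anywhere visible, yet the later hunks write `cert-renewer@.service`, `cert-renewer@.timer` and the `cert-renewer@kube-service-account.service.d` / `cert-renewer@kubelet.service.d` drop-ins by hand; systemd does not re-read a drop-in for a template instance it has already loaded until a reload, so keep a `sudo systemctl daemon-reload` right after each heredoc that writes a unit or drop-in and before the `sudo systemctl enable --now cert-renewer@kube-apiserver.timer` style commands. Separately, the remaining `wget` fetches `step_linux_0.18.0_amd64.tar.gz` with `--https-only` but nothing checks it; since this binary will run as root from a timer on every node, a line verifying the published release checksum before the `sudo mv step_0.18.0/bin/step /usr/local/bin/` would be worth adding.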
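Review bot: in hunk `@@ -64,17 +65,17 @@`, the change to `\\` and `\${CERT_LOCATION}` is the correct fix for a unit body emitted through an unquoted heredoc, where the shell would otherwise consume the `\` continuations of the `Environment=` line and expand `${CERT_LOCATION}` to an empty string, leaving `ExecCondition=/usr/local/bin/step certificate needs-renewal` with no path and `ExecStart` renewing nothing. A less fragile form is to quote the delimiter (`cat <<'EOF'`) so the whole body is copied verbatim and no per-character escaping is needed; whichever form is kept, the doc should tell the reader to confirm the file on disk with `systemctl cat cert-renewer@kube-apiserver.service` and check that the literal `${CERT_LOCATION}` and `${KEY_LOCATION}` survived.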
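Review bot: hunk `@@ -106,6 +107,16 @@` introduces a second top-level heading, `# Controller Certificate Renewal`, in a file that already opens with `# Configuring Certificate Renewal` and later adds `# Worker Certificate Renewal`, so the page ends up with three H1s; using `##` for the Controller and Worker sections and `###` for their `Prerequisites` would keep the outline nested under the one title. Minor wording in the same hunk: the node list reads "`controller-0`, `controller-1`, `controller-2`" without the "and" used in the first Prerequisites paragraph, and "Login to each instance" should be the verb form "Log in to each instance".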
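Review bot: in hunk `@@ -194,6 +205,8 @@`, "The service account certificate and key is used by the API server" should read "are used"; more importantly, the sentence promises a restart of the API server when the file changes, so the drop-in created next under `cert-renewer@kube-service-account.service.d` is where the doc should state explicitly what triggers the restart and that it only fires after a successful renewal, and a note that the three controllers should be done one at a time would avoid restarting every `kube-apiserver` in the cluster at once when the timers line up.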
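Review bot: in the new Worker Certificate Renewal section, the closing note says "Remember to run the above commands on each controller node" while listing `worker-0`, `worker-1`, and `worker-2`; it was copied from the controller section and should read "each worker node". The heading `## Configure Certificate Renewal for kubelet.service` also uses Title Case where the sibling headings use sentence case (`## Configure certificate renewal for etcd`), and introducing the block with a bare "Run:" is thinner than the service-account section, which explains what the drop-in does; one sentence on what the `cert-renewer@kubelet.service.d` drop-in does to `kubelet.service` after a renewal would make the two sections consistent.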