TLS self-signed certificate
TLS certificate used for communication, certificate k8s required components are:
Step 1: Install certificate generation tool cfssl
Prior to this need to create a directory to hold the installation tool mkdir ssl
, the tool will be installed later moved to the respective directory. Easy to manage
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64 cfssljson_linux-amd64 cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
In the implementation of wget command, if not installed this tool wget will prompt command does not exist.
//执行命令安装wget工具
yum install -y wget
Step 2: Use cfssl -help to view command cfssl Tools Help
The third step: Use tools to generate the certificate cfssl
Generate a configuration file that can be modified according to the document to suit their needs
Certificate generation ca-config.json
cat << EOF | tee ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
Generate csr.json file
Generating ca-csr.json certificate file
cfssl print-defaults csr > ca-csr.json
//修改内容为如下:
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Chengdu",
"ST": "Chengdu",
"O": "k8s",
"OU": "System"
}
]
}
生成 ca-key.pem ca.pem.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
Generate server-csr.json file
cat << EOF | tee server-csr.json
{
"CN": "kubernetes",
"hosts": [
"172.16.163.131",
"172.16.163.130",
"172.16.163.129",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Chengdu",
"ST": "Chengdu",
"O": "k8s",
"OU": "System"
}
]
}
EOF
生成 server.pem, server-key.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
Will complain when executing the above command
The reason given
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": { //应该将ca-config.json文件的profiles改为kubernetes
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
Generating admin-csr.json file
cfssl print-defaults csr > admin-csr.json
We need to modify the above admin-csr.json the following:
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Chengdu",
"ST": "Chengdu",
"O": "system:masters",
"OU": "System"
}
]
}
The last generation admin certificate --- admin-key.pem, admin.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
Generate a proxy
cfssl print-defaults csr > kube-proxy-csr.json
//将kube-proxy-csr.json修改为如下:
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Chengdu",
"ST": "Chengdu",
"O": "k8s",
"OU": "System"
}
]
}
//生成代理证书 kube-proxy-key.pem , kube-proxy.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
Finally .json filter out files outside of pem
ls | grep -v pem
Use the command ls | grep -v pem |xargs -i rm {}
to delete other files in addition to the pem file.
This certificate is generated better.