dlipovetsky · February 14, 2019 19:48 · May 7, 2018 · Apr 26, 2018 · Apr 26, 2018 · Apr 25, 2018
diff --git a/README.md b/README.md
@@ -5,8 +5,7 @@ Install cfssl
 
 ```sh
 # This requires an existing Go environment with GOPATH set
-go get -u https://github.com/cloudflare/cfssl
-go get -u https://github.com/cloudflare/cfssljson
+go get -u github.com/cloudflare/cfssl/cmd/...
 ```
 
 Create the root CA

diff --git a/README.md b/README.md
@@ -105,6 +105,39 @@ Create the etcd Intermediate CA
 ```sh
 mkdir etcd-ca
 cd etcd-ca
+cat << EOF > etcd-ca-config.json
+{
+    "signing": {
+        "profiles": {
+            "server": {
+                "expiry": "8700h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "server auth"
+                ]
+            },
+            "client": {
+                "expiry": "8700h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "client auth"
+                ]
+            },
+            "peer": {
+                "expiry": "8700h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "server auth",
+                    "client auth"
+                ]
+            }
+        }
+    }
+}
+EOF
 cat << EOF > etcd-ca-csr.json
 {
     "CN": "etcd-ca",
@@ -123,6 +156,7 @@ cd ..
 ```
 
 To completely delegate the CAs to kubeadm (and the resulting cluster):
+
 * copy etcd-ca.pem to /etc/kubernetes/pki/etcd/ca.crt
 * copy etcd-ca-key.pem to /etc/kubernetes/pki/etcd/ca.key
 * copy kubernetes-ca.pem to /etc/kubernetes/pki/ca.crt
@@ -131,20 +165,96 @@ To completely delegate the CAs to kubeadm (and the resulting cluster):
 * copy kubernetes-front-proxy-ca-key.pem to /etc/kubernetes/pki/front-proxy-ca.key
 
 To manually generate the certificates:
-* copy etcd-ca/etcd-ca.pem to /etc/kubernetes/pki/etcd/ca.crt
+
 * copy kubernetes-ca/kubernetes-ca.pem to /etc/kubernetes/pki/ca.crt
 * copy kubernetes-front-proxy-ca/kubernetes-front-proxy-ca.pem to /etc/kubernetes/pki/front-proxy-ca.crt
+* copy etcd-ca/etcd-ca.pem to /etc/kubernetes/pki/etcd/ca.crt
+
+* copy etcd-server.pem to /etc/kubernetes/pki/etcd/server.crt
+* copy etcd-server-key.pem to /etc/kubernetes/pki/etcd/server.key
+* copy etcd-peer.pem to /etc/kubernetes/pki/etcd/peer.crt
+* copy etcd-peer-key.pem to /etc/kubernetes/pki/etcd/peer.key
+* copy etcd-healthcheck-client.pem to /etc/kubernetes/pki/etcd/healthcheck-client.crt
+* copy etcd-healthcheck-client-key.pem to /etc/kubernetes/pki/etcd/healthcheck-client.key
+
 * copy apiserver.pem to /etc/kubernetes/pki/apiserver.crt
 * copy apiserver-key.pem to /etc/kubernetes/pki/apiserver.key
 * copy apiserver-kubelet-client.pem to /etc/kubernetes/pki/apiserver-kubelet-client.crt
 * copy apiserver-kubelet-client-key.pem to /etc/kubernetes/pki/apiserver-kubelet-client.key
+* copy apiserver-etcd-client.pem to /etc/kubernetes/pki/apiserver-etcd-client.crt
+* copy apiserver-etcd-client-key.pem to /etc/kubernetes/pki/apiserver-etcd-client.key
 * copy sa.pub to /etc/kubernetes/pki/sa.pub
 * copy sa.key to /etc/kubernetes/pki/sa.key
 * copy admin.conf to /etc/kubernetes/admin.conf
+* copy kubelet.conf to /etc/kubernetes/kubelet.conf
+* copy controller-manager.conf to /etc/kubernetes/controller-manager.conf
+* copy scheduler.conf to /etc/kubernetes/scheduler.conf
 
+Generate the etcd server keypair
 
-Generate the apiserver keypair
+```sh
+cat << EOF > etcd-server-csr.json
+{
+  "CN": "kube-etcd",
+  "hosts": [
+    "ubuntu",
+    "192.168.121.230",
+    "localhost",
+    "127.0.0.1"
+  ],
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  }
+}
+EOF
+cfssl gencert -ca=etcd-ca/etcd-ca.pem -ca-key=etcd-ca/etcd-ca-key.pem --config=etcd-ca/etcd-ca-config.json -profile=server etcd-server-csr.json | cfssljson -bare etcd-server
+```
+
+Generate the etcd peer keypair
+
+```sh
+cat << EOF > etcd-peer-csr.json
+{
+  "CN": "kube-etcd-peer",
+  "hosts": [
+    "ubuntu",
+    "192.168.121.230",
+    "localhost",
+    "127.0.0.1"
+  ],
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  }
+}
+EOF
+cfssl gencert -ca=etcd-ca/etcd-ca.pem -ca-key=etcd-ca/etcd-ca-key.pem --config=etcd-ca/etcd-ca-config.json -profile=peer etcd-peer-csr.json | cfssljson -bare etcd-peer
+```
+
+Generate the etcd healthcheck client keypair
+
+```sh
+cat << EOF > etcd-healthcheck-client-csr.json
+{
+  "CN": "kube-etcd-healthcheck-client",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+      {
+          "O": "system:masters"
+      }
+  ]
+}
+EOF
+cfssl gencert -ca=etcd-ca/etcd-ca.pem -ca-key=etcd-ca/etcd-ca-key.pem --config=etcd-ca/etcd-ca-config.json -profile=client etcd-healthcheck-client-csr.json | cfssljson -bare etcd-healthcheck-client
 ```
+
+Generate the apiserver keypair
+
+```sh
 cat << EOF > apiserver-csr.json
 {
   "CN": "kube-apiserver",
@@ -168,7 +278,8 @@ cfssl gencert -ca=kubernetes-ca/kubernetes-ca.pem -ca-key=kubernetes-ca/kubernet
 ```
 
 Generate the apiserver-kubelet-client keypair
-```
+
+```sh
 cat << EOF > apiserver-kubelet-client-csr.json
 {
   "CN": "kube-apiserver-kubelet-client",
@@ -187,13 +298,15 @@ cfssl gencert -ca=kubernetes-ca/kubernetes-ca.pem -ca-key=kubernetes-ca/kubernet
 ```
 
 Create the SA keypair
-```
+
+```sh
 openssl genrsa -out sa.key 2048
 openssl rsa -in sa.key -pubout -out sa.pub
 ```
 
 Create the front-proxy client keypair
-```
+
+```sh
 cat << EOF > front-proxy-client-csr.json
 {
   "CN": "front-proxy-client",
@@ -206,8 +319,29 @@ EOF
 cfssl gencert -ca=kubernetes-front-proxy-ca/kubernetes-front-proxy-ca.pem -ca-key=kubernetes-front-proxy-ca/kubernetes-front-proxy-ca-key.pem --config=kubernetes-front-proxy-ca/kubernetes-front-proxy-ca-config.json -profile=client front-proxy-client-csr.json | cfssljson -bare front-proxy-client
 ```
 
-Create the admin kubeconfig
+Create the apiserver etcd client keypair
+
+```sh
+cat << EOF > apiserver-etcd-client-csr.json
+{
+  "CN": "kube-apiserver-etcd-client",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+      {
+          "O": "system:masters"
+      }
+  ]
+}
+EOF
+cfssl gencert -ca=etcd-ca/etcd-ca.pem -ca-key=etcd-ca/etcd-ca-key.pem --config=etcd-ca/etcd-ca-config.json -profile=client apiserver-etcd-client-csr.json | cfssljson -bare apiserver-etcd-client
 ```
+
+Create the admin kubeconfig
+
+```sh
 cat << EOF > admin-csr.json
 {
   "CN": "kubernetes-admin",
@@ -230,7 +364,8 @@ KUBECONFIG=admin.conf kubectl config use-context default-system
 ```
 
 Create the kubelet kubeconfig
-```
+
+```sh
 cat << EOF > kubelet-csr.json
 {
   "CN": "system:node:ubuntu",
@@ -247,13 +382,14 @@ cat << EOF > kubelet-csr.json
 EOF
 cfssl gencert -ca=kubernetes-ca/kubernetes-ca.pem -ca-key=kubernetes-ca/kubernetes-ca-key.pem --config=kubernetes-ca/kubernetes-ca-config.json -profile=client kubelet-csr.json | cfssljson -bare kubelet
 KUBECONFIG=kubelet.conf kubectl config set-cluster default-cluster --server=https://192.168.121.230:6443 --certificate-authority kubernetes-ca/kubernetes-ca.pem --embed-certs
-KUBECONFIG=kubelet.conf kubectl config set-credentials default-kublet --client-key kubelet-key.pem --client-certificate kubelet.pem --embed-certs
-KUBECONFIG=kubelet.conf kubectl config set-context default-system --cluster default-cluster --user default-kubelet
+KUBECONFIG=kubelet.conf kubectl config set-credentials system:node:ubuntu --client-key kubelet-key.pem --client-certificate kubelet.pem --embed-certs
+KUBECONFIG=kubelet.conf kubectl config set-context default-system --cluster default-cluster --user system:node:ubuntu
 KUBECONFIG=kubelet.conf kubectl config use-context default-system
 ```
 
-Create the controller-manager keypair
-```
+Create the controller-manager kubeconfig
+
+```sh
 cat << EOF > controller-manager-csr.json
 {
   "CN": "system:kube-controller-manager",
@@ -264,10 +400,15 @@ cat << EOF > controller-manager-csr.json
 }
 EOF
 cfssl gencert -ca=kubernetes-ca/kubernetes-ca.pem -ca-key=kubernetes-ca/kubernetes-ca-key.pem --config=kubernetes-ca/kubernetes-ca-config.json -profile=client controller-manager-csr.json | cfssljson -bare controller-manager
+KUBECONFIG=controller-manager.conf kubectl config set-cluster default-cluster --server=https://192.168.121.230:6443 --certificate-authority kubernetes-ca/kubernetes-ca.pem --embed-certs
+KUBECONFIG=controller-manager.conf kubectl config set-credentials default-controller-manager --client-key controller-manager-key.pem --client-certificate controller-manager.pem --embed-certs
+KUBECONFIG=controller-manager.conf kubectl config set-context default-system --cluster default-cluster --user default-controller-manager
+KUBECONFIG=controller-manager.conf kubectl config use-context default-system
 ```
 
-Create the scheduler keypair
-```
+Create the scheduler kubeconfig
+
+```sh
 cat << EOF > scheduler-csr.json
 {
   "CN": "system:kube-scheduler",
@@ -278,4 +419,8 @@ cat << EOF > scheduler-csr.json
 }
 EOF
 cfssl gencert -ca=kubernetes-ca/kubernetes-ca.pem -ca-key=kubernetes-ca/kubernetes-ca-key.pem --config=kubernetes-ca/kubernetes-ca-config.json -profile=client scheduler-csr.json | cfssljson -bare scheduler
+KUBECONFIG=scheduler.conf kubectl config set-cluster default-cluster --server=https://192.168.121.230:6443 --certificate-authority kubernetes-ca/kubernetes-ca.pem --embed-certs
+KUBECONFIG=scheduler.conf kubectl config set-credentials default-scheduler --client-key scheduler-key.pem --client-certificate scheduler.pem --embed-certs
+KUBECONFIG=scheduler.conf kubectl config set-context default-system --cluster default-cluster --user default-scheduler
+KUBECONFIG=scheduler.conf kubectl config use-context default-system
 ```
diff --git a/README.md b/README.md
@@ -138,6 +138,9 @@ To manually generate the certificates:
 * copy apiserver-key.pem to /etc/kubernetes/pki/apiserver.key
 * copy apiserver-kubelet-client.pem to /etc/kubernetes/pki/apiserver-kubelet-client.crt
 * copy apiserver-kubelet-client-key.pem to /etc/kubernetes/pki/apiserver-kubelet-client.key
+* copy sa.pub to /etc/kubernetes/pki/sa.pub
+* copy sa.key to /etc/kubernetes/pki/sa.key
+* copy admin.conf to /etc/kubernetes/admin.conf
 
 
 Generate the apiserver keypair
@@ -183,3 +186,96 @@ EOF
 cfssl gencert -ca=kubernetes-ca/kubernetes-ca.pem -ca-key=kubernetes-ca/kubernetes-ca-key.pem --config=kubernetes-ca/kubernetes-ca-config.json -profile=client apiserver-kubelet-client-csr.json | cfssljson -bare apiserver-kubelet-client
 ```
 
+Create the SA keypair
+```
+openssl genrsa -out sa.key 2048
+openssl rsa -in sa.key -pubout -out sa.pub
+```
+
+Create the front-proxy client keypair
+```
+cat << EOF > front-proxy-client-csr.json
+{
+  "CN": "front-proxy-client",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  }
+}
+EOF
+cfssl gencert -ca=kubernetes-front-proxy-ca/kubernetes-front-proxy-ca.pem -ca-key=kubernetes-front-proxy-ca/kubernetes-front-proxy-ca-key.pem --config=kubernetes-front-proxy-ca/kubernetes-front-proxy-ca-config.json -profile=client front-proxy-client-csr.json | cfssljson -bare front-proxy-client
+```
+
+Create the admin kubeconfig
+```
+cat << EOF > admin-csr.json
+{
+  "CN": "kubernetes-admin",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "O": "system:masters"
+    }
+  ]
+}
+EOF
+cfssl gencert -ca=kubernetes-ca/kubernetes-ca.pem -ca-key=kubernetes-ca/kubernetes-ca-key.pem --config=kubernetes-ca/kubernetes-ca-config.json -profile=client admin-csr.json | cfssljson -bare admin
+KUBECONFIG=admin.conf kubectl config set-cluster default-cluster --server=https://192.168.121.230:6443 --certificate-authority kubernetes-ca/kubernetes-ca.pem --embed-certs
+KUBECONFIG=admin.conf kubectl config set-credentials default-admin --client-key admin-key.pem --client-certificate admin.pem --embed-certs
+KUBECONFIG=admin.conf kubectl config set-context default-system --cluster default-cluster --user default-admin
+KUBECONFIG=admin.conf kubectl config use-context default-system
+```
+
+Create the kubelet kubeconfig
+```
+cat << EOF > kubelet-csr.json
+{
+  "CN": "system:node:ubuntu",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "O": "system:nodes"
+    }
+  ]
+}
+EOF
+cfssl gencert -ca=kubernetes-ca/kubernetes-ca.pem -ca-key=kubernetes-ca/kubernetes-ca-key.pem --config=kubernetes-ca/kubernetes-ca-config.json -profile=client kubelet-csr.json | cfssljson -bare kubelet
+KUBECONFIG=kubelet.conf kubectl config set-cluster default-cluster --server=https://192.168.121.230:6443 --certificate-authority kubernetes-ca/kubernetes-ca.pem --embed-certs
+KUBECONFIG=kubelet.conf kubectl config set-credentials default-kublet --client-key kubelet-key.pem --client-certificate kubelet.pem --embed-certs
+KUBECONFIG=kubelet.conf kubectl config set-context default-system --cluster default-cluster --user default-kubelet
+KUBECONFIG=kubelet.conf kubectl config use-context default-system
+```
+
+Create the controller-manager keypair
+```
+cat << EOF > controller-manager-csr.json
+{
+  "CN": "system:kube-controller-manager",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  }
+}
+EOF
+cfssl gencert -ca=kubernetes-ca/kubernetes-ca.pem -ca-key=kubernetes-ca/kubernetes-ca-key.pem --config=kubernetes-ca/kubernetes-ca-config.json -profile=client controller-manager-csr.json | cfssljson -bare controller-manager
+```
+
+Create the scheduler keypair
+```
+cat << EOF > scheduler-csr.json
+{
+  "CN": "system:kube-scheduler",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  }
+}
+EOF
+cfssl gencert -ca=kubernetes-ca/kubernetes-ca.pem -ca-key=kubernetes-ca/kubernetes-ca-key.pem --config=kubernetes-ca/kubernetes-ca-config.json -profile=client scheduler-csr.json | cfssljson -bare scheduler
+```
diff --git a/README.md b/README.md
@@ -73,6 +73,30 @@ cat << EOF > kubernetes-ca-csr.json
 EOF
 cfssl genkey -initca kubernetes-ca-csr.json | cfssljson -bare kubernetes-ca
 cfssl sign -ca ../root-ca/ca.pem -ca-key ../root-ca/ca-key.pem -config ../root-ca/root-ca-config.json -profile intermediate kubernetes-ca.csr | cfssljson -bare kubernetes-ca
+cfssl print-defaults config kubernetes-ca-config.json
+cd ..
+```
+
+Create the Kubernetes Front Proxy Intermediate CA
+
+```sh
+mkdir kubernetes-front-proxy-ca
+cd kubernetes-front-proxy-ca
+cat << EOF > kubernetes-front-proxy-ca-csr.json
+{
+    "CN": "kubernetes-front-proxy-ca",
+    "key": {
+        "algo": "rsa",
+        "size": 4096
+    },
+    "ca": {
+        "expiry": "26280h"
+    }
+}
+EOF
+cfssl genkey -initca kubernetes-front-proxy-ca-csr.json | cfssljson -bare kubernetes-front-proxy-ca
+cfssl sign -ca ../root-ca/ca.pem -ca-key ../root-ca/ca-key.pem -config ../root-ca/root-ca-config.json -profile intermediate kubernetes-front-proxy-ca.csr | cfssljson -bare kubernetes-front-proxy-ca
+cfssl print-defaults config kubernetes-front-proxy-ca-config.json
 cd ..
 ```
 
@@ -96,4 +120,66 @@ EOF
 cfssl genkey -initca etcd-ca-csr.json | cfssljson -bare etcd-ca
 cfssl sign -ca ../root-ca/ca.pem -ca-key ../root-ca/ca-key.pem -config ../root-ca/root-ca-config.json -profile intermediate etcd-ca.csr | cfssljson -bare etcd-ca
 cd ..
-```
+```
+
+To completely delegate the CAs to kubeadm (and the resulting cluster):
+* copy etcd-ca.pem to /etc/kubernetes/pki/etcd/ca.crt
+* copy etcd-ca-key.pem to /etc/kubernetes/pki/etcd/ca.key
+* copy kubernetes-ca.pem to /etc/kubernetes/pki/ca.crt
+* copy kubernetes-ca-key.pem to /etc/kubernetes/pki/ca.key
+* copy kubernetes-front-proxy-ca.pem to /etc/kubernetes/pki/front-proxy-ca.crt
+* copy kubernetes-front-proxy-ca-key.pem to /etc/kubernetes/pki/front-proxy-ca.key
+
+To manually generate the certificates:
+* copy etcd-ca/etcd-ca.pem to /etc/kubernetes/pki/etcd/ca.crt
+* copy kubernetes-ca/kubernetes-ca.pem to /etc/kubernetes/pki/ca.crt
+* copy kubernetes-front-proxy-ca/kubernetes-front-proxy-ca.pem to /etc/kubernetes/pki/front-proxy-ca.crt
+* copy apiserver.pem to /etc/kubernetes/pki/apiserver.crt
+* copy apiserver-key.pem to /etc/kubernetes/pki/apiserver.key
+* copy apiserver-kubelet-client.pem to /etc/kubernetes/pki/apiserver-kubelet-client.crt
+* copy apiserver-kubelet-client-key.pem to /etc/kubernetes/pki/apiserver-kubelet-client.key
+
+
+Generate the apiserver keypair
+```
+cat << EOF > apiserver-csr.json
+{
+  "CN": "kube-apiserver",
+  "hosts": [
+    "ubuntu",
+    "192.168.121.230",
+    "10.96.0.1",
+    "kubernetes",
+    "kubernetes.default",
+    "kubernetes.default.svc",
+    "kubernetes.default.svc.cluster",
+    "kubernetes.default.svc.cluster.local"
+  ],
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  }
+}
+EOF
+cfssl gencert -ca=kubernetes-ca/kubernetes-ca.pem -ca-key=kubernetes-ca/kubernetes-ca-key.pem --config=kubernetes-ca/kubernetes-ca-config.json -profile=www apiserver-csr.json | cfssljson -bare apiserver
+```
+
+Generate the apiserver-kubelet-client keypair
+```
+cat << EOF > apiserver-kubelet-client-csr.json
+{
+  "CN": "kube-apiserver-kubelet-client",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "O": "system:masters"
+    }
+  ]
+}
+EOF
+cfssl gencert -ca=kubernetes-ca/kubernetes-ca.pem -ca-key=kubernetes-ca/kubernetes-ca-key.pem --config=kubernetes-ca/kubernetes-ca-config.json -profile=client apiserver-kubelet-client-csr.json | cfssljson -bare apiserver-kubelet-client
+```
+
diff --git a/README.md b/README.md
@@ -0,0 +1,99 @@
+# CFSSL as an external CA for non-ha kubeadm intialized clusters
+## Using cfssl to Create an External CA Infrastructure
+
+Install cfssl
+
+```sh
+# This requires an existing Go environment with GOPATH set
+go get -u https://github.com/cloudflare/cfssl
+go get -u https://github.com/cloudflare/cfssljson
+```
+
+Create the root CA
+
+```sh
+mkdir root-ca
+cd root-ca
+cat << EOF > root-ca-config.json
+{
+    "signing": {
+        "profiles": {
+            "intermediate": {
+                "usages": [
+                    "signature",
+                    "digital-signature",
+                    "cert sign",
+                    "crl sign"
+                ],
+                "expiry": "26280h",
+                "ca_constraint": {
+                    "is_ca": true,
+                    "max_path_len": 0,
+                    "max_path_len_zero": true
+                }
+            }
+        }
+    }
+}
+EOF
+cat << EOF > root-ca-csr.json
+{
+    "CN": "my-root-ca",
+    "key": {
+        "algo": "rsa",
+        "size": 4096
+    },
+    "ca": {
+        "expiry": "87600h"
+    }
+}
+EOF
+cfssl genkey -initca root-ca-csr.json | cfssljson -bare ca
+cd ..
+```
+
+The root CA files should be kept offline and only used for creating intermediate CAs.
+
+Create the Kubernetes Intermediate CA
+
+```sh
+mkdir kubernetes-ca
+cd kubernetes-ca
+cat << EOF > kubernetes-ca-csr.json
+{
+    "CN": "kubernetes-ca",
+    "key": {
+        "algo": "rsa",
+        "size": 4096
+    },
+    "ca": {
+        "expiry": "26280h"
+    }
+}
+EOF
+cfssl genkey -initca kubernetes-ca-csr.json | cfssljson -bare kubernetes-ca
+cfssl sign -ca ../root-ca/ca.pem -ca-key ../root-ca/ca-key.pem -config ../root-ca/root-ca-config.json -profile intermediate kubernetes-ca.csr | cfssljson -bare kubernetes-ca
+cd ..
+```
+
+Create the etcd Intermediate CA
+
+```sh
+mkdir etcd-ca
+cd etcd-ca
+cat << EOF > etcd-ca-csr.json
+{
+    "CN": "etcd-ca",
+    "key": {
+        "algo": "rsa",
+        "size": 4096
+    },
+    "ca": {
+        "expiry": "26280h"
+    }
+}
+EOF
+cfssl genkey -initca etcd-ca-csr.json | cfssljson -bare etcd-ca
+cfssl sign -ca ../root-ca/ca.pem -ca-key ../root-ca/ca-key.pem -config ../root-ca/root-ca-config.json -profile intermediate etcd-ca.csr | cfssljson -bare etcd-ca
+cd ..
+```
No results found