Day 21/40
Manage TLS Certificates In a Kubernetes Cluster - Create Certificate Signing Request
Video Link
@piyushsachdeva
Git Repository
My Git Repo
In this part, we're looking at tls
specific for the kubernetes
clusters, how does it working and how we actually create and manage TLS certificate
.
- The CA, Server certificate signing request, issuing the certification, clients have trusted certificate of the server signing by CA, client certificate, server certificate and root certificate in the below image:
(Photo from the video)
(Photo from the video)
(Photo from the video)
As it's shown in the photos, we need certificates for user, client, server and all components in
kubernetes
cluster.So, if when we see
.crt
in a key extension, it's public key or certificate, and when the extension is.key
, it's private key.
(Photo from the video)
Demo
Let's say you are the administrator of a kubernetes
cluster and you need to create user access for new admin user:
1. Create private key
root@localhost:~# openssl genrsa -out adam.key 2048
root@localhost:~# cat adam.key
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC3+5e3V+vG+yCT
...
obyArKL7NDYLDCYDL9u60YNmPw==
-----END PRIVATE KEY-----
2. Create a CertificateSigningRequest using the key
root@localhost:~# openssl req -new -key adam.key -out adam.csr -subj "/CN=adam"
root@localhost:~# cat adam.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICVDCCATwCAQAwDzENMAsGA1UEAwwEYWRhbTCCASIwDQYJKoZIhvcNAQEBBQAD
...
frKCaPO/PvuScKlKT4khh7xI92uqPFrS
-----END CERTIFICATE REQUEST-----
3. Create yaml
file and encode .csr
into base64
and remove the new lines and then replace it into the below yaml
file, request
section.
root@localhost:~# cat adam.csr | base64 | tr -d "\n"
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFV...1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==root@localhost:~#
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: adam
spec:
request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFV...1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
signerName: kubernetes.io/kube-apiserver-client
expirationSeconds: 864000 # 10 days
usages:
- client auth
4. Apply the yaml
file
root@localhost:~# kubectl apply -f adam-csr.yaml
certificatesigningrequest.certificates.k8s.io/adam created
root@localhost:~# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
adam 27s kubernetes.io/kube-apiserver-client kubernetes-admin 10d Pending
root@localhost:~# kubectl describe csr adam
Name: adam
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certificates.k8s.io/v1","kind":"CertificateSigningRequest","metadata":{"annotations":{},"name":"adam"},"spec":{"expirationSeconds":864000,"request":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFV...1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==","signerName":"kubernetes.io/kube-apiserver-client","usages":["client auth"]}}
CreationTimestamp: Mon, 22 Jul 2024 17:37:09 +0000
Requesting User: kubernetes-admin
Signer: kubernetes.io/kube-apiserver-client
Requested Duration: 10d
Status: Pending
Subject:
Common Name: adam
Serial Number:
Events: <none>
5. It needs to be approved by CA
, in our case an internal CA
, because of the CONDITION
is in Pendig
state.
root@localhost:~# kubectl certificate approve adam
certificatesigningrequest.certificates.k8s.io/adam approved
root@localhost:~# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
adam 6m3s kubernetes.io/kube-apiserver-client kubernetes-admin 10d Approved,Issued
5. Share the certificate with user
root@localhost:~# kubectl get csr adam -o yaml > adam-issued-cert.yaml
root@localhost:~# cat adam-issued-cert.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"certificates.k8s.io/v1","kind":"CertificateSigningRequest","metadata":{"annotations":{},"name":"adam"},"spec":{"expirationSeconds":864000,"request":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRV...lMKLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==","signerName":"kubernetes.io/kube-apiserver-client","usages":["client auth"]}}
creationTimestamp: "2024-07-22T17:37:09Z"
name: adam
resourceVersion: "2740320"
uid: c0fd62e2-f62a-4742-a7b6-0e0ce9a6e5a7
spec:
expirationSeconds: 864000
groups:
- kubeadm:cluster-admins
- system:authenticated
request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZEQ0NBVHdDQVFBd0R6R...QTy9QdnVTY0tsS1Q0a2hoN3hJOTJ1cVBGclMKLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
signerName: kubernetes.io/kube-apiserver-client
usages:
- client auth
username: kubernetes-admin
status:
certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM5RENDQWR5Z0F3SUJBZ0lRVzFSbUg1d...PWlN6d2sxMTJWNTlGa1MwZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
conditions:
- lastTransitionTime: "2024-07-22T17:43:02Z"
lastUpdateTime: "2024-07-22T17:43:02Z"
message: This CSR was approved by kubectl certificate approve.
reason: KubectlApprove
status: "True"
type: Approved
6. Decode the certificate
root@localhost:~# echo "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM5RENDQWR5Z0F3SUJBZ0lRVzFSbUg1...lPWlN6d2sxMTJWNTlGa1MwZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K" | base64 -d
-----BEGIN CERTIFICATE-----
MIIC9DCCAdygAwIBAgIQW1RmH5uzz5wY6wI4k6tVMDANBgkqhkiG9w0BAQsFADAV
...
mS5uQo/mZY31y6AFDMpcRsUmgJQye5eKmBu/YOZSzwk112V59FkS0g==
-----END CERTIFICATE-----
Top comments (0)