Sina Tavakkol

Posted on Jul 24

40 Days Of Kubernetes (21/40)

#kubernetes #40daysofkubernetes

Day 21/40

Manage TLS Certificates In a Kubernetes Cluster - Create Certificate Signing Request

Video Link
@piyushsachdeva
Git Repository
My Git Repo

In this part, we're looking at tls specific for the kubernetes clusters, how does it working and how we actually create and manage TLS certificate.

The CA, Server certificate signing request, issuing the certification, clients have trusted certificate of the server signing by CA, client certificate, server certificate and root certificate in the below image:

(Photo from the video)

As it's shown in the photos, we need certificates for user, client, server and all components in kubernetes cluster.
So, if when we see .crt in a key extension, it's public key or certificate, and when the extension is .key, it's private key.

(Photo from the video)

Demo

Let's say you are the administrator of a kubernetes cluster and you need to create user access for new admin user:

1. Create private key

root@localhost:~# openssl genrsa -out adam.key 2048
root@localhost:~# cat adam.key
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC3+5e3V+vG+yCT
...
obyArKL7NDYLDCYDL9u60YNmPw==
-----END PRIVATE KEY-----

2. Create a CertificateSigningRequest using the key

root@localhost:~# openssl req -new -key adam.key -out adam.csr -subj "/CN=adam"
root@localhost:~# cat adam.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICVDCCATwCAQAwDzENMAsGA1UEAwwEYWRhbTCCASIwDQYJKoZIhvcNAQEBBQAD
...
frKCaPO/PvuScKlKT4khh7xI92uqPFrS
-----END CERTIFICATE REQUEST-----

3. Create `yaml` file and encode `.csr` into `base64` and remove the new lines and then replace it into the below `yaml` file, `request` section.

root@localhost:~# cat adam.csr | base64 | tr -d "\n"
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFV...1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==root@localhost:~#

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: adam
spec:
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFV...1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 864000  # 10 days
  usages:
  - client auth

4. Apply the `yaml` file

root@localhost:~# kubectl apply -f adam-csr.yaml
certificatesigningrequest.certificates.k8s.io/adam created
root@localhost:~# kubectl get csr
NAME   AGE   SIGNERNAME                            REQUESTOR          REQUESTEDDURATION   CONDITION
adam   27s   kubernetes.io/kube-apiserver-client   kubernetes-admin   10d                 Pending

root@localhost:~# kubectl describe csr adam
Name:         adam
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certificates.k8s.io/v1","kind":"CertificateSigningRequest","metadata":{"annotations":{},"name":"adam"},"spec":{"expirationSeconds":864000,"request":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFV...1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==","signerName":"kubernetes.io/kube-apiserver-client","usages":["client auth"]}}

CreationTimestamp:   Mon, 22 Jul 2024 17:37:09 +0000
Requesting User:     kubernetes-admin
Signer:              kubernetes.io/kube-apiserver-client
Requested Duration:  10d
Status:              Pending
Subject:
         Common Name:    adam
         Serial Number:
Events:  <none>

5. It needs to be approved by `CA`, in our case an internal `CA`, because of the `CONDITION` is in `Pendig` state.

root@localhost:~# kubectl certificate approve adam
certificatesigningrequest.certificates.k8s.io/adam approved
root@localhost:~# kubectl get csr
NAME   AGE    SIGNERNAME                            REQUESTOR          REQUESTEDDURATION   CONDITION
adam   6m3s   kubernetes.io/kube-apiserver-client   kubernetes-admin   10d                 Approved,Issued

5. Share the certificate with user

root@localhost:~# kubectl get csr adam -o yaml > adam-issued-cert.yaml
root@localhost:~# cat adam-issued-cert.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"certificates.k8s.io/v1","kind":"CertificateSigningRequest","metadata":{"annotations":{},"name":"adam"},"spec":{"expirationSeconds":864000,"request":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRV...lMKLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==","signerName":"kubernetes.io/kube-apiserver-client","usages":["client auth"]}}
  creationTimestamp: "2024-07-22T17:37:09Z"
  name: adam
  resourceVersion: "2740320"
  uid: c0fd62e2-f62a-4742-a7b6-0e0ce9a6e5a7
spec:
  expirationSeconds: 864000
  groups:
  - kubeadm:cluster-admins
  - system:authenticated
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZEQ0NBVHdDQVFBd0R6R...QTy9QdnVTY0tsS1Q0a2hoN3hJOTJ1cVBGclMKLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
  username: kubernetes-admin
status:
  certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM5RENDQWR5Z0F3SUJBZ0lRVzFSbUg1d...PWlN6d2sxMTJWNTlGa1MwZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
  conditions:
  - lastTransitionTime: "2024-07-22T17:43:02Z"
    lastUpdateTime: "2024-07-22T17:43:02Z"
    message: This CSR was approved by kubectl certificate approve.
    reason: KubectlApprove
    status: "True"
    type: Approved

6. Decode the certificate

root@localhost:~# echo "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM5RENDQWR5Z0F3SUJBZ0lRVzFSbUg1...lPWlN6d2sxMTJWNTlGa1MwZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K" | base64 -d
-----BEGIN CERTIFICATE-----
MIIC9DCCAdygAwIBAgIQW1RmH5uzz5wY6wI4k6tVMDANBgkqhkiG9w0BAQsFADAV
...
mS5uQo/mZY31y6AFDMpcRsUmgJQye5eKmBu/YOZSzwk112V59FkS0g==
-----END CERTIFICATE-----

source
Another demo

DEV Community

40 Days Of Kubernetes (21/40)

Day 21/40

Manage TLS Certificates In a Kubernetes Cluster - Create Certificate Signing Request

Demo

1. Create private key

2. Create a CertificateSigningRequest using the key

3. Create `yaml` file and encode `.csr` into `base64` and remove the new lines and then replace it into the below `yaml` file, `request` section.

4. Apply the `yaml` file

5. It needs to be approved by `CA`, in our case an internal `CA`, because of the `CONDITION` is in `Pendig` state.

5. Share the certificate with user

6. Decode the certificate

Top comments (0)

Read next

Designing a fault-tolerant etcd cluster

Deploying a Complete ASP.NET Framework Web Application on Amazon EKS

Modern Traffic Management with Gateway API in Kubernetes

How to Fix Kubernetes Node Disk Pressure

Day 21/40

Manage TLS Certificates In a Kubernetes Cluster - Create Certificate Signing Request

Demo

1. Create private key

2. Create a CertificateSigningRequest using the key

3. Create yaml file and encode .csr into base64 and remove the new lines and then replace it into the below yaml file, request section.

4. Apply the yaml file

5. It needs to be approved by CA, in our case an internal CA, because of the CONDITION is in Pendig state.

5. Share the certificate with user

6. Decode the certificate

Read next

Designing a fault-tolerant etcd cluster

Deploying a Complete ASP.NET Framework Web Application on Amazon EKS

Modern Traffic Management with Gateway API in Kubernetes

How to Fix Kubernetes Node Disk Pressure

3. Create `yaml` file and encode `.csr` into `base64` and remove the new lines and then replace it into the below `yaml` file, `request` section.

4. Apply the `yaml` file

5. It needs to be approved by `CA`, in our case an internal `CA`, because of the `CONDITION` is in `Pendig` state.