I have created a cluster on AWS using kops.

However I am unable to find the file used as/by the certificate authority for spawning off client certs.

Does kops create such a thing by default?

If so, what is the recommended process for creating client certs?

The kops documentation is not very clear about this.

pkaramol

1 Answer

I've done it like this in the past:

  1. Download the kops-generated CA certificate and signing key from S3:
    • s3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/private/ca/*.key
    • s3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/issued/ca/*.crt
  2. Generate a client key: openssl genrsa -out client-key.pem 2048
  3. Generate a CSR:

    openssl req -new \
      -key client-key.pem \
      -out client-csr.pem \
      -subj "/CN=<CLIENT_CN>/O=dev"
    
  4. Generate a client certificate:

    openssl x509 -req \
      -in client-csr.pem \
      -CA <PATH_TO_DOWNLOADED_CA_CERT> \
      -CAkey <PATH_TO_DOWNLOADED_CA_KEY> \
      -CAcreateserial \
      -out client-crt.pem \
      -days 10000
    
  5. Base64-encode the client key, client certificate, and CA certificate, and populate those values in a config.yml, e.g. this
  6. Distribute the populated config.yml to your developers.

Steps 5 and 6 can obviously be done by whatever means you want; you don't need to make the config.yml for your developers.

Amit Kumar Gupta
  • This is very helpful; thanks; is it considered good practice to keep a common `config.yml` for all devs or separate (each with its own key/cert) for each one? – pkaramol Jan 09 '18 at 18:46
  • I could create a separate config.yml with its own key/cert for each dev. You can use Organization information in the cert to map to groups in K8s RBAC, so you have more flexibility and simplicity around permission management. If you're not using RBAC or any sort of special authorization mode, however, then it's a bit of a moot point. – Amit Kumar Gupta Jan 09 '18 at 21:07
  • thx; do you by any chance happen to know why a) the `certificate-authority-data` entry in my `~/.kube/config` and b) the contents of `s3:////pki/issued/ca/*.crt` are different? shouldn't there be just one `CA` ? – pkaramol Jan 10 '18 at 08:30
  • Following up here: https://stackoverflow.com/questions/48183802/kubernetes-multiple-certficiation-authority-certificates to avoid extended discussion and since perhaps this is a different issue. – pkaramol Jan 10 '18 at 09:10
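Steps 2 to 5 of the accepted answer, wrapped into one script so each developer gets their own key, cert and kubeconfig (added example, not code from the answer or from kops). It assumes `openssl` is in PATH and that the CA cert and key were already pulled from the S3 paths in step 1; the cluster name, API server URL, and the 365-day validity (much shorter than the answer's `-days 10000`) are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the answer above: steps 2 to 5 as one function that
# mints a client cert signed by the kops CA and writes a kubeconfig embedding it.
# Assumes openssl in PATH; paths, server URL and the 365-day validity are assumptions.
set -eu

b64() { base64 < "$1" | tr -d '\n'; }

# make_client_kubeconfig CA_CRT CA_KEY CN ORG SERVER_URL OUT_FILE
# CN becomes the Kubernetes username, O the group that RBAC bindings can reference.
make_client_kubeconfig() {
  ca_crt=$1 ca_key=$2 cn=$3 org=$4 server=$5 out=$6
  work=$(mktemp -d)
  openssl genrsa -out "$work/client-key.pem" 2048 2>/dev/null
  openssl req -new -key "$work/client-key.pem" -out "$work/client-csr.pem" \
    -subj "/CN=$cn/O=$org"
  openssl x509 -req -in "$work/client-csr.pem" -CA "$ca_crt" -CAkey "$ca_key" \
    -CAcreateserial -out "$work/client-crt.pem" -days 365 2>/dev/null
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kops-cluster
  cluster:
    server: $server
    certificate-authority-data: $(b64 "$ca_crt")
users:
- name: $cn
  user:
    client-certificate-data: $(b64 "$work/client-crt.pem")
    client-key-data: $(b64 "$work/client-key.pem")
contexts:
- name: $cn@kops-cluster
  context: {cluster: kops-cluster, user: $cn}
current-context: $cn@kops-cluster
EOF
  chmod 600 "$out"   # the kubeconfig now carries a private key
  rm -rf "$work"
}

# check_kubeconfig CA_CRT FILE: pull the embedded cert back out, verify it chains
# to the CA, and print its subject so the CN/O mapping can be eyeballed.
check_kubeconfig() {
  crt=$(mktemp)
  sed -n 's/^ *client-certificate-data: //p' "$2" | base64 -d > "$crt"
  openssl verify -CAfile "$1" "$crt" >/dev/null
  openssl x509 -noout -subject -in "$crt"
  rm -f "$crt"
}
```

Usage: `make_client_kubeconfig ca.crt ca.key alice dev https://api.<CLUSTER_NAME> alice-config.yml`, then `check_kubeconfig ca.crt alice-config.yml` before handing the file over.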