(no commit message)

diff --git a/posts/2023-03-27-k8s-cluster-step-ca-from-scratch.mdwn b/posts/2023-03-27-k8s-cluster-step-ca-from-scratch.mdwn
new file mode 100644 (file)
index 0000000..ec6216b
--- /dev/null
+++ b/posts/2023-03-27-k8s-cluster-step-ca-from-scratch.mdwn
@@ -0,0 +1,146 @@
+....
+
+This is just a command by command play by play for now, i will add context and infos later(TM).
+
+- root$ denotes stuff done as root
+- $ denotes stuff done as normal user
+
+
+```
+
+root$ apt install easy-rsa
+
+$ make-cadir talos1-step-ca-autocert
+$ cd talos1-step-ca-autocert 
+$ find
+.
+./vars
+./x509-types
+./easyrsa
+./openssl-easyrsa.cnf
+$ ./easyrsa init-pki
+* Notice:
+
+  init-pki complete; you may now create a CA or requests.
+
+  Your newly created PKI dir is:
+  * /home/kind01/talos1-step-ca-autocert/pki
+
+* Notice:
+  IMPORTANT: Easy-RSA 'vars' file has now been moved to your PKI above.
+
+$ vim pki/vars
+set_var EASYRSA_DN      "org"
+set_var EASYRSA_REQ_COUNTRY     "DE"
+set_var EASYRSA_REQ_PROVINCE    "Internet"
+set_var EASYRSA_REQ_CITY        "Internet"
+set_var EASYRSA_REQ_ORG "XX"
+set_var EASYRSA_REQ_EMAIL       "XX"
+set_var EASYRSA_REQ_OU          "K8s OU"
+set_var EASYRSA_ALGO            ed
+set_var EASYRSA_CURVE           ed25519
+
+$ mkdir pki/x509-types
+$ find x509-types
+
+$ ./easyrsa build-ca
+* Notice:
+Using Easy-RSA configuration from: /home/kind01/talos1-step-ca-autocert/pki/vars
+
+* Notice:
+Using SSL: openssl OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
+
+
+Enter New CA Key Passphrase:
+Re-Enter New CA Key Passphrase:
+Using configuration from /home/kind01/talos1-step-ca-autocert/pki/ef8549d7/temp.229d8fce
+Enter PEM pass phrase:
+Verifying - Enter PEM pass phrase:
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [DE]:
+State or Province Name (full name) [Internet]:
+Locality Name (eg, city) [Internet]:
+Organization Name (eg, company) [SteJau]: XX
+Organizational Unit Name (eg, section) [K8s OU]:
+Common Name (eg: your user, host, or server name) [Easy-RSA CA]:root-ca.example.org
+Email Address [XX]:
+
+$ vim pki/x509-types/k8s_ca
+# CA_PATH_LEN for CA path length limits. You could also do this here
+# manually as in the following example in place of the existing line:
+#
+# basicConstraints = CA:TRUE, pathlen:0
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = cRLSign, keyCertSign
+
+# this magic bit creates a subca which is not allowed to sign other CAs - nice fun :)
+basicConstraints = critical, CA:TRUE, pathlen:0
+keyUsage = critical, keyCertSign, cRLSign
+subjectKeyIdentifier = hash
+nameConstraints = critical,@nameconsts
+subjectAltName = critical,@sans
+
+[sans]
+# configure all the namespaces & aliases here - atleast what you used for the commonname of the subca(to be created) and the CA alias in the cluster
+DNS.0=cluster-ca.example.org
+# helm-release-name.namespace.svc.cluster-local
+DNS.1=step-certificates-autocert.step-autocert.svc.cluster.local
+
+[nameconsts]
+# apparently ordered numbers are not needed :P
+permitted;DNS.0=.kubecluster.example.org
+permitted;DNS.2=kubecluster.example.org
+# repeat the DNS.1 SAN here in the nameconstraint
+permitted;DNS.3=step-certificates-autocert.step-autocert.svc.cluster.local
+# allow it to build certs for all nodenames in the cluster
+permitted;DNS.4=kubemaster.example.org
+permitted;DNS.5=kubenode01.example.org
+permitted;DNS.6=kubenode02.example.org
+:wq
+
+# as this is a specialized usecase we will use the following instead
+# this ca is just a testcase for providing local certs which we will then turn into ssh host certs along the way.
+# my normal ca is too restricted and not really the perfect usecase for this, so we will use a specialised setup
+# like here(i promise i will write a blogpost about the big picture soon(TM)):
+
+$ vim pki/x509-types/k8s_ca
+# X509 extensions for a ca
+
+# Note that basicConstraints will be overridden by Easy-RSA when defining a
+# CA_PATH_LEN for CA path length limits. You could also do this here
+# manually as in the following example in place of the existing line:
+#
+# basicConstraints = CA:TRUE, pathlen:1
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = cRLSign, keyCertSign
+
+basicConstraints = critical, CA:TRUE, pathlen:0
+keyUsage = critical, keyCertSign, cRLSign
+subjectKeyIdentifier = hash
+nameConstraints = critical,@nameconsts
+subjectAltName = critical,@sans
+
+[sans]
+DNS.0=autocert-ca.kubecluster.example.org
+DNS.1=step-certificates-autocert.step-ca-autocert.svc.cluster.local
+
+[nameconsts]
+permitted;DNS.0=.svc.cluster.local
+permitted;DNS.1=svc.cluster.local
+permitted;DNS.2=svc
+permitted;DNS.3=.svc
+permitted;DNS.4=step-certificates-autocert.step-ca-autocert.svc.cluster.local
+```
+
+its not the end yet :)