From: stephan48 Date: Mon, 27 Mar 2023 21:38:27 +0000 (+0200) Subject: (no commit message) X-Git-Url: https://blog.stejau.de/gitweb/gitweb.cgi?a=commitdiff_plain;h=64f67684f6c59ce1673a430fdd50d46ff9985e89;p=stejau-blog.git --- diff --git a/posts/2023-03-27-k8s-cluster-step-ca-from-scratch.mdwn b/posts/2023-03-27-k8s-cluster-step-ca-from-scratch.mdwn new file mode 100644 index 0000000..ec6216b --- /dev/null +++ b/posts/2023-03-27-k8s-cluster-step-ca-from-scratch.mdwn 
@@ -0,0 +1,146 @@
+....
+
+This is just a command by command play by play for now, i will add context and infos later(TM).
+
+- root$ denotes stuff done as root
+- $ denotes stuff done as normal user
+
+
+```
+
+root$ apt install easy-rsa
+
+$ make-cadir talos1-step-ca-autocert
+$ cd talos1-step-ca-autocert
+$ find
+.
+./vars
+./x509-types
+./easyrsa
+./openssl-easyrsa.cnf
+$ ./easyrsa init-pki
+* Notice:
+
+ init-pki complete; you may now create a CA or requests.
+
+ Your newly created PKI dir is:
+ * /home/kind01/talos1-step-ca-autocert/pki
+
+* Notice:
+ IMPORTANT: Easy-RSA 'vars' file has now been moved to your PKI above.
+
+$ vim pki/vars
+set_var EASYRSA_DN "org"
+set_var EASYRSA_REQ_COUNTRY "DE"
+set_var EASYRSA_REQ_PROVINCE "Internet"
+set_var EASYRSA_REQ_CITY "Internet"
+set_var EASYRSA_REQ_ORG "XX"
+set_var EASYRSA_REQ_EMAIL "XX"
+set_var EASYRSA_REQ_OU "K8s OU"
+set_var EASYRSA_ALGO ed
+set_var EASYRSA_CURVE ed25519
+
+$ mkdir pki/x509-types
+$ find x509-types
+
+$ ./easyrsa build-ca
+* Notice:
+Using Easy-RSA configuration from: /home/kind01/talos1-step-ca-autocert/pki/vars
+
+* Notice:
+Using SSL: openssl OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
+
+
+Enter New CA Key Passphrase:
+Re-Enter New CA Key Passphrase:
+Using configuration from /home/kind01/talos1-step-ca-autocert/pki/ef8549d7/temp.229d8fce
+Enter PEM pass phrase:
+Verifying - Enter PEM pass phrase:
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [DE]:
+State or Province Name (full name) [Internet]:
+Locality Name (eg, city) [Internet]:
+Organization Name (eg, company) [SteJau]: XX
+Organizational Unit Name (eg, section) [K8s OU]:
+Common Name (eg: your user, host, or server name) [Easy-RSA CA]:root-ca.example.org
+Email Address [XX]:
+
+$ vim pki/x509-types/k8s_ca
+# CA_PATH_LEN for CA path length limits. You could also do this here
+# manually as in the following example in place of the existing line:
+#
+# basicConstraints = CA:TRUE, pathlen:0
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = cRLSign, keyCertSign
+
+# this magic bit creates a subca which is not allowed to sign other CAs - nice fun :)
+basicConstraints = critical, CA:TRUE, pathlen:0
+keyUsage = critical, keyCertSign, cRLSign
+subjectKeyIdentifier = hash
+nameConstraints = critical,@nameconsts
+subjectAltName = critical,@sans
+
+[sans]
+# configure all the namespaces & aliases here - atleast what you used for the commonname of the subca(to be created) and the CA alias in the cluster
+DNS.0=cluster-ca.example.org
+# helm-release-name.namespace.svc.cluster-local
+DNS.1=step-certificates-autocert.step-autocert.svc.cluster.local
+
+[nameconsts]
+# apparently ordered numbers are not needed :P
+permitted;DNS.0=.kubecluster.example.org
+permitted;DNS.2=kubecluster.example.org
+# repeat the DNS.1 SAN here in the nameconstraint
+permitted;DNS.3=step-certificates-autocert.step-autocert.svc.cluster.local
+# allow it to build certs for all nodenames in the cluster
+permitted;DNS.4=kubemaster.example.org
+permitted;DNS.5=kubenode01.example.org
+permitted;DNS.6=kubenode02.example.org
+:wq
+
+# as this is a specialized usecase we will use the following instead
+# this ca is just a testcase for providing local certs which we will then turn into ssh host certs along the way.
+# my normal ca is too restricted and not really the perfect usecase for this, so we will use a specialised setup
+# like here(i promise i will write a blogpost about the big picture soon(TM)):
+
+$ vim pki/x509-types/k8s_ca
+# X509 extensions for a ca
+
+# Note that basicConstraints will be overridden by Easy-RSA when defining a
+# CA_PATH_LEN for CA path length limits. You could also do this here
+# manually as in the following example in place of the existing line:
+#
+# basicConstraints = CA:TRUE, pathlen:1
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = cRLSign, keyCertSign
+
+basicConstraints = critical, CA:TRUE, pathlen:0
+keyUsage = critical, keyCertSign, cRLSign
+subjectKeyIdentifier = hash
+nameConstraints = critical,@nameconsts
+subjectAltName = critical,@sans
+
+[sans]
+DNS.0=autocert-ca.kubecluster.example.org
+DNS.1=step-certificates-autocert.step-ca-autocert.svc.cluster.local
+
+[nameconsts]
+permitted;DNS.0=.svc.cluster.local
+permitted;DNS.1=svc.cluster.local
+permitted;DNS.2=svc
+permitted;DNS.3=.svc
+permitted;DNS.4=step-certificates-autocert.step-ca-autocert.svc.cluster.local
+```
+
+its not the end yet :)