Kubernetes deployment: CA certificate production

1. Install CFSSL
2. Initialize cfssl
3. Create JSON configuration file to generate CA file
4. Create JSON configuration file to generate CA certificate signing request (CSR)
5. Generate CA certificate (ca.pem) and key (ca-key.pem)
6. Distribute the certificate
Make CA certificate manually

1. Install CFSSL

[root@node-01 ~]# cd /usr/local/src
[root@node-01 src]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@node-01 src]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@node-01 src]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@node-01 src]# chmod +x cfssl*
[root@node-01 src]# mv cfssl-certinfo_linux-amd64 /data/kubernetes/bin/cfssl-certinfo
[root@node-01 src]# mv cfssljson_linux-amd64 /data/kubernetes/bin/cfssljson
[root@node-01 src]# mv cfssl_linux-amd64 /data/kubernetes/bin/cfssl
# Copy the cfssl binaries to all nodes (no space after the colon, otherwise scp copies to a local path)
[root@node-01 ~]# scp /data/kubernetes/bin/cfssl* 10.31.90.201:/data/kubernetes/bin
[root@node-01 ~]# scp /data/kubernetes/bin/cfssl* 10.31.90.202:/data/kubernetes/bin
# Add /data/kubernetes/bin to PATH
[root@node-01 ~]# echo 'PATH=/data/kubernetes/bin:$PATH' >>/etc/profile
[root@node-01 ~]# source /etc/profile

2. Initialize cfssl

Generate the default configuration files first; the files in the following steps are written by editing these templates.

[root@node-01 src]# mkdir ssl && cd ssl
[root@node-01 ssl]# cfssl print-defaults config > config.json
[root@node-01 ssl]# cfssl print-defaults csr > csr.json

3. Create JSON configuration file to generate CA file

"server auth" means a certificate issued under this profile can be presented by a server, and clients can verify it against the CA.

"client auth" means a certificate issued under this profile can be presented by a client, and the server can verify it against the CA.

[root@node-01 ssl]# vim ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}

4. Create JSON configuration file to generate CA certificate signing request (CSR)

[root@node-01 ssl]# vim ca-csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
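As an added example (not part of the original post), a small Python check over the two JSON files above: it confirms the kubernetes profile carries the "server auth" and "client auth" usages, converts the 87600h expiry into hours and years, and checks the CA key size. The one-year maximum lifetime is a threshold this example assumes, not a setting from the page.

```python
import json
import re

# Constructed copies of the page's ca-config.json and ca-csr.json, embedded so the check runs offline.
CA_CONFIG = json.loads("""{"signing": {"default": {"expiry": "87600h"}, "profiles": {"kubernetes": {
  "usages": ["signing", "key encipherment", "server auth", "client auth"], "expiry": "87600h"}}}}""")
CA_CSR = json.loads("""{"CN": "kubernetes", "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System"}]}""")

_UNIT_HOURS = {"h": 1.0, "m": 1 / 60, "s": 1 / 3600}

def parse_expiry_hours(expiry):
    """Convert a cfssl expiry (Go duration such as "87600h" or "1h30m") to hours."""
    if not re.fullmatch(r"(\d+(?:\.\d+)?[hms])+", expiry):
        raise ValueError(f"unsupported expiry {expiry!r}")
    return sum(float(n) * _UNIT_HOURS[u] for n, u in re.findall(r"(\d+(?:\.\d+)?)([hms])", expiry))

def check_profile(config, name, required_usages, max_hours=8760):
    """Findings for signing profile `name`: missing usages, or lifetime above max_hours (assumed 1 year)."""
    signing = config.get("signing", {})
    profile = signing.get("profiles", {}).get(name)
    if profile is None:
        return [f"profile {name!r} not defined"]
    findings = []
    missing = set(required_usages) - set(profile.get("usages", []))
    if missing:
        findings.append(f"profile {name!r} lacks usages {sorted(missing)}")
    # A profile without its own expiry falls back to the default section, as cfssl does.
    hours = parse_expiry_hours(profile.get("expiry") or signing.get("default", {}).get("expiry", "0h"))
    if hours > max_hours:
        findings.append(f"profile {name!r} expiry {hours:.0f}h (~{hours / 8760:.1f} years) exceeds {max_hours}h")
    return findings

def check_csr(csr, min_rsa_bits=2048):
    """Findings for the CA CSR: weak or unexpected key, or missing CN."""
    findings = []
    key = csr.get("key", {})
    if key.get("algo") == "rsa" and key.get("size", 0) < min_rsa_bits:
        findings.append(f"rsa key size {key.get('size')} below {min_rsa_bits} bits")
    elif key.get("algo") not in ("rsa", "ecdsa"):
        findings.append(f"unexpected key algorithm {key.get('algo')!r}")
    if not csr.get("CN"):
        findings.append("CSR has no CN")
    return findings

if __name__ == "__main__":
    for f in check_profile(CA_CONFIG, "kubernetes", {"server auth", "client auth"}) + check_csr(CA_CSR):
        print("finding:", f)
```

Run against the page's files, the only finding is the 87600h (about 10 year) profile lifetime; raise max_hours to 87600 to accept it.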

5. Generate CA certificate (ca.pem) and key (ca-key.pem)

[root@node-01 ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
[root@node-01 ssl]# ls -l ca*
-rw-r--r-- 1 root root  292 Dec 24 16:11 ca-config.json
-rw-r--r-- 1 root root 1001 Dec 24 16:15 ca.csr
-rw-r--r-- 1 root root  208 Dec 24 16:14 ca-csr.json
-rw------- 1 root root 1679 Dec 24 16:15 ca-key.pem
-rw-r--r-- 1 root root 1359 Dec 24 16:15 ca.pem

6. Distribute the certificate

[root@node-01 ssl]# cp ca.csr ca.pem ca-key.pem ca-config.json /data/kubernetes/ssl
# scp the certificate files to all nodes
[root@node-01 ssl]# for n in `seq 202 206`;do scp ca.csr ca.pem ca-key.pem ca-config.json root@10.31.90.$n:/data/kubernetes/ssl;done

All of the installation documents will be updated in the future. If you think this was written well, I hope you will keep following it. Thank you very much!

3 December 2019, 10:42 | Views: 1500
