@ananace
Last active January 28, 2018 19:53
Puppet SSL certs example for Kubernetes

Kubernetes API cert with Puppet CA

Usage

  • Create the folder /etc/puppetlabs/puppet/ssl/manual_ca
  • Put the two files from this gist (kubernetes-api.cnf and kubernetes-cert.sh) in that folder
  • Run kubernetes-cert.sh (it prompts for the certificate subject; the SANs come from kubernetes-api.cnf)
  • Deploy the generated cert (certs/kubernetes-api.pem) and private key (private_keys/kubernetes-api.key) onto your K8s master.

Not the nicest solution, but it means being able to use the Puppet CA for the Kubernetes API server certificate.

kubernetes-api.cnf:

# The [ ca ] / [ CA_default ] sections are only consulted by `openssl ca`;
# kubernetes-cert.sh signs with `openssl x509 -req` and does not use them.
# Paths follow the Puppet AIO layout (/etc/puppetlabs/puppet/ssl) used by the script.
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /etc/puppetlabs/puppet/ssl/manual_ca
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
serial = $dir/serial
crl = /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
private_key = /etc/puppetlabs/puppet/ssl/ca/ca_key.pem
RANDFILE = $dir/ca/.rand
default_md = sha256
policy = policy_any
unique_subject = no
[ policy_any ]
countryName = supplied
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
string_mask = utf8only
# Without `prompt = no`, the values below are the prompt labels shown by
# `openssl req -new`, not the subject values themselves.
[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = Locality
organizationName = Org
organizationalUnitName = Me
commonName = hostname
# Extensions copied into the signed certificate via `-extensions v3_req -extfile`.
[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
# The in-cluster service names the API server is reached by, plus the
# host's own name, the cluster service IP and the host's external IP.
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = kubernetes.service.discover
DNS.6 = host.example.com
IP.1 = 10.255.0.1
IP.2 = 1.2.3.4
kubernetes-cert.sh:

#!/bin/sh
# Generates a Kubernetes API server key and a certificate signed directly by the Puppet CA key.
set -exu
cd /etc/puppetlabs/puppet/ssl/manual_ca
mkdir -p certificate_requests certs private_keys
# Reuse an existing key so that re-running the script only re-issues the certificate.
[ -f private_keys/kubernetes-api.key ] || openssl genrsa -out private_keys/kubernetes-api.key 2048
# The subject is prompted for interactively; SANs come from [ v3_req ] / [ alt_names ] in kubernetes-api.cnf.
openssl req -new -key private_keys/kubernetes-api.key -out certificate_requests/kubernetes-api.csr -config kubernetes-api.cnf
# -extensions/-extfile are required: `x509 -req` drops the CSR's extensions otherwise, so the SANs would be lost.
# -CAcreateserial keeps its own serial file (ca_crt.srl) next to the CA cert, separate from Puppet's own CA serial.
openssl x509 -req -in certificate_requests/kubernetes-api.csr -CA /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem -CAkey /etc/puppetlabs/puppet/ssl/ca/ca_key.pem -CAcreateserial -out certs/kubernetes-api.pem -days 3000 -extensions v3_req -extfile kubernetes-api.cnf
chown puppet:puppet -R .
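The script above does not check what it produced. The following is an added example, not part of the gist: it runs the same key, CSR and `openssl x509 -req` sequence against a throwaway self-signed CA (constructed here to stand in for the Puppet CA, so it runs anywhere with openssl installed), then performs the checks worth doing before deploying the result: the certificate chains to the CA, carries the Kubernetes service-name SANs and the cluster IP, and matches the private key. The config it writes is a non-interactive variant of kubernetes-api.cnf (`prompt = no`, a literal subject, and an added `extendedKeyUsage = serverAuth`); all directory names, the subject values and the CA are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not part of the gist): run the same key -> CSR -> x509 -req
# flow as kubernetes-cert.sh against a throwaway CA that stands in for the
# Puppet CA, then verify the result the way you would before deploying it.
# All paths, DN values and the CA itself are constructed for this demo.
set -eu

# Throwaway CA in $1/ca (constructed; stands in for /etc/puppetlabs/puppet/ssl/ca).
make_test_ca() {
  mkdir -p "$1/ca"
  cat > "$1/ca/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = v3_ca
[ ca_dn ]
CN = Test Puppet CA (constructed)
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$1/ca/ca.cnf" \
    -keyout "$1/ca/ca_key.pem" -out "$1/ca/ca_crt.pem" 2>/dev/null
}

# Non-interactive variant of kubernetes-api.cnf: prompt = no makes the DN
# values literal; extendedKeyUsage = serverAuth is an addition to the gist's config.
write_cnf() {
  cat > "$1" <<'EOF'
[ req ]
prompt = no
req_extensions = v3_req
distinguished_name = req_distinguished_name
string_mask = utf8only
[ req_distinguished_name ]
CN = kube-apiserver.example.test
O = Example
[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
IP.1 = 10.255.0.1
EOF
}

# Key, CSR, CA-signed cert: the three openssl commands kubernetes-cert.sh runs.
issue_cert() {
  openssl genrsa -out "$1/kubernetes-api.key" 2048 2>/dev/null
  openssl req -new -key "$1/kubernetes-api.key" -out "$1/kubernetes-api.csr" \
    -config "$1/kubernetes-api.cnf"
  openssl x509 -req -in "$1/kubernetes-api.csr" \
    -CA "$1/ca/ca_crt.pem" -CAkey "$1/ca/ca_key.pem" -CAcreateserial \
    -out "$1/kubernetes-api.pem" -days 30 -sha256 \
    -extensions v3_req -extfile "$1/kubernetes-api.cnf" 2>/dev/null
}

# Pre-deployment checks: chains to the CA, carries the expected SANs and EKU
# (so -extensions/-extfile really took effect), and the cert's public key
# matches the private key (modulus comparison).
verify_cert() {
  openssl verify -CAfile "$1/ca/ca_crt.pem" "$1/kubernetes-api.pem" >/dev/null || return 1
  text=$(openssl x509 -in "$1/kubernetes-api.pem" -noout -text)
  echo "$text" | grep -q 'DNS:kubernetes.default.svc.cluster.local' || return 1
  echo "$text" | grep -q 'IP Address:10.255.0.1' || return 1
  echo "$text" | grep -q 'TLS Web Server Authentication' || return 1
  certmod=$(openssl x509 -in "$1/kubernetes-api.pem" -noout -modulus | openssl sha256)
  keymod=$(openssl rsa -in "$1/kubernetes-api.key" -noout -modulus 2>/dev/null | openssl sha256)
  [ "$certmod" = "$keymod" ]
}

# Returns 0 when the issued certificate passes every check, 1 otherwise.
run_demo() {
  dir=$(mktemp -d)
  make_test_ca "$dir"
  write_cnf "$dir/kubernetes-api.cnf"
  issue_cert "$dir"
  if verify_cert "$dir"; then rc=0; else rc=1; fi
  rm -rf "$dir"
  return $rc
}

run_demo && echo "kubernetes-api.pem chains to the CA and carries the expected SANs"
```

Against the real Puppet CA the same checks apply with `-CAfile /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem`; if the SAN grep fails, the usual cause is a signing run without `-extensions v3_req -extfile kubernetes-api.cnf`, which silently produces a certificate valid only for its CN.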