Automatically provision and manage TLS certificates in Kubernetes
Scenario Context
We want to automate and manage certificates used within our K8s clusters.
Tutorial to Follow
- Prerequisite Tutorials
- Wiki Getting Started
- kubernetes-base-config-for-nginx-ingress-cert-manager-helm
Steps to do:
- Prerequisite
- ACME Issuer
  - ACME protocol
  - DNS-01 challenge
  - HTTP-01 challenge
- or CA Issuer
- or Vault Issuer
- ACME Issuer
- Installation
  - Helm and Tiller (Installing guide)
    - Helm has two parts: a client (helm) and a server (tiller)
    - Charts are Helm packages that contain at least two things:
      - A description of the package (Chart.yaml)
      - One or more templates, which contain Kubernetes manifest files
  - Securing your Tiller Installation
    - RBAC based Tiller
    - Helm and Tiller (Installing guide)
## Installing the Helm tool in K8s

This is a guide to installing the Tiller portion of Helm (the server side) on a K8s cluster.

For a proper production environment, we need to guarantee two things:

1) Based on K8s RBAC, grant Tiller cluster management permission. For a first trial, we isolate it within the my-namespace namespace.
2) A TLS-secured connection between the Helm client (local CLI) and the Helm server (Tiller) on the K8s cluster.
### RBAC role binding

```shell
kubectl apply -f tiller-rbac.yaml
```

[Download tiller-rbac.yaml][1] [Download tiller-server.yaml][2]

### Client-side self-signed SSL between Helm and Tiller
Tiller requires that the client certificate be validated by its CA.
- Create a private CA that is used to issue certificates for Tiller clients and servers.

```shell
openssl genrsa -out ./ca.key.pem 4096
openssl req -key ca.key.pem -new -x509 -days 7300 -sha256 -out ca.cert.pem -extensions v3_ca
```

The answers given at the interactive prompts for the CA certificate:

```
-----
Country Name (2 letter code) [AU]:IE
State or Province Name (full name) [Some-State]:Leinster
Locality Name (eg, city) []:Dublin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:FamunityNet
Organizational Unit Name (eg, section) []:RnD
Common Name (e.g. server FQDN or YOUR name) []:helm-tiller
Email Address []:email@famunity.net
```

- Create a certificate for Tiller

Generate the key:

```shell
openssl genrsa -out ./tiller.key.pem 4096
```

Create a certificate signing request (CSR) from the key:

```shell
openssl req -key tiller.key.pem -new -sha256 -out tiller.csr.pem
```

```
-----
Country Name (2 letter code) [AU]:IE
State or Province Name (full name) [Some-State]:Leinster
Locality Name (eg, city) []:Dublin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:FamunityNet
Organizational Unit Name (eg, section) []:RnD
Common Name (e.g. server FQDN or YOUR name) []:helm-tiller-server
Email Address []:email@famunity.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

Sign the CSR with the CA certificate we created. The subjectAltName `IP:127.0.0.1` is what the Helm client checks the server certificate against, because it reaches Tiller through a port-forward to localhost:

```shell
echo subjectAltName=IP:127.0.0.1 > extfile.cnf
openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -in tiller.csr.pem -out tiller.cert.pem -days 730 -extfile extfile.cnf
```

- Create a certificate for the Helm client

Generate the key:

```shell
openssl genrsa -out ./helm.key.pem 4096
```

Create a certificate signing request (CSR) from the key:

```shell
openssl req -key helm.key.pem -new -sha256 -out helm.csr.pem
```

```
-----
Country Name (2 letter code) [AU]:IE
State or Province Name (full name) [Some-State]:Leinster
Locality Name (eg, city) []:Dublin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:FamunityNet
Organizational Unit Name (eg, section) []:RnD
Common Name (e.g. server FQDN or YOUR name) []:helm-tiller-client
Email Address []:email@famunity.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

Sign the CSR with the CA certificate we created:

```shell
openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -in helm.csr.pem -out helm.cert.pem -days 730
```

#### Create a Tiller server in K8s that uses the certificates and the RBAC service account

```shell
helm init --dry-run --debug \
  --service-account=tiller \
  --tiller-namespace=iot-proxy \
  --tiller-tls \
  --tiller-tls-verify \
  --tiller-tls-cert ./tiller.cert.pem \
  --tiller-tls-key ./tiller.key.pem \
  --tls-ca-cert ca.cert.pem
```

`--dry-run --debug` only prints the generated Tiller manifest; drop those two flags to actually deploy Tiller.

#### Configure the Helm client to use the CA and client-side certificate

> The shortcut is to move the key, cert, and CA into $HELM_HOME:

```shell
cp ca.cert.pem $(helm home)/ca.pem
cp helm.cert.pem $(helm home)/cert.pem
cp helm.key.pem $(helm home)/key.pem
```

#### Now you can talk to K8s from the local Helm client over a TLS-secured connection

List installations:

```shell
helm ls --tiller-namespace iot-proxy --tls
```

List all releases of cert-manager:

```shell
helm ls --all cert-manager --tiller-namespace iot-proxy --tls
```

Install a K8s component:

```shell
helm install stable/cert-manager \
  --name cert-manager \
  --namespace iot-proxy \
  --tls \
  --tiller-namespace iot-proxy
```

Delete a release installation:

```shell
helm del --purge cert-manager --tiller-namespace iot-proxy --tls
helm del --purge cert-manager
```
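The CA, Tiller server and Helm client certificate steps above, as a non-interactive script that also runs the checks worth doing before the files are handed to `helm init`: that both leaf certificates chain to the private CA (the check Tiller performs on a client certificate under `--tiller-tls-verify`), that the server certificate carries the `IP:127.0.0.1` SAN, that the CA certificate really is CA:TRUE, and that a certificate from an unrelated CA is rejected. This is an added example, not code from the wiki page or from the Helm project. It assumes only `openssl` on PATH, writes into a scratch directory (`WORKDIR`), uses 2048-bit keys for speed where the page uses 4096, and brings its own minimal OpenSSL config so the `v3_ca` section does not depend on the system openssl.cnf; the subject fields are the wiki's interactive answers.

```shell
#!/bin/sh
# Added example (not code from the wiki page or the Helm project): the CA, Tiller
# server and Helm client certificate steps, non-interactive, followed by the checks
# worth running before handing the files to `helm init`.
# Assumptions: only `openssl` on PATH; a scratch WORKDIR; 2048-bit keys (page: 4096).
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY_BITS="${KEY_BITS:-2048}"
CONF="$WORKDIR/openssl.cnf"
# Subject fields are the wiki's interactive answers; only the CN differs per cert.
SUBJ_BASE="/C=IE/ST=Leinster/L=Dublin/O=FamunityNet/OU=RnD"

# Minimal OpenSSL config so `-extensions v3_ca` does not depend on the system openssl.cnf.
cat > "$CONF" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder-overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Private CA: self-signed, CA:TRUE, 20 years, as in the page's `openssl req -x509` step.
make_ca() {
  openssl genrsa -out "$WORKDIR/ca.key.pem" "$KEY_BITS" 2>/dev/null
  openssl req -config "$CONF" -key "$WORKDIR/ca.key.pem" -new -x509 -days 7300 -sha256 \
    -subj "$SUBJ_BASE/CN=helm-tiller" -extensions v3_ca -out "$WORKDIR/ca.cert.pem"
}

# issue_cert NAME CN [SAN]: key -> CSR -> CA-signed cert (2 years). SAN is optional and
# is applied through an extfile exactly as the page does for the Tiller server cert.
issue_cert() {
  name="$1"; cn="$2"; san="${3:-}"
  openssl genrsa -out "$WORKDIR/$name.key.pem" "$KEY_BITS" 2>/dev/null
  openssl req -config "$CONF" -key "$WORKDIR/$name.key.pem" -new -sha256 \
    -subj "$SUBJ_BASE/CN=$cn" -out "$WORKDIR/$name.csr.pem"
  if [ -n "$san" ]; then
    echo "subjectAltName=$san" > "$WORKDIR/$name.ext.cnf"
    set -- -extfile "$WORKDIR/$name.ext.cnf"
  else
    set --
  fi
  openssl x509 -req -CA "$WORKDIR/ca.cert.pem" -CAkey "$WORKDIR/ca.key.pem" -CAcreateserial \
    -days 730 -in "$WORKDIR/$name.csr.pem" -out "$WORKDIR/$name.cert.pem" "$@" 2>/dev/null
}

# chain_ok NAME: succeeds iff NAME.cert.pem chains to our CA. This is the check Tiller
# performs on the Helm client certificate when started with --tiller-tls-verify.
chain_ok() {
  openssl verify -CAfile "$WORKDIR/ca.cert.pem" "$WORKDIR/$1.cert.pem" >/dev/null 2>&1
}

# has_san NAME TEXT: succeeds iff the certificate's text dump contains the SAN entry,
# e.g. "IP Address:127.0.0.1", which the Helm client needs because it reaches Tiller
# through a port-forward to localhost.
has_san() {
  openssl x509 -in "$WORKDIR/$1.cert.pem" -noout -text | grep -q "$2"
}

# ca_is_ca: succeeds iff the CA certificate really carries CA:TRUE (from v3_ca).
ca_is_ca() {
  openssl x509 -in "$WORKDIR/ca.cert.pem" -noout -text | grep -q "CA:TRUE"
}

# stranger_rejected: a self-signed certificate from an unrelated CA must fail
# verification against ca.cert.pem; that failure is what keeps foreign clients out.
stranger_rejected() {
  openssl req -config "$CONF" -x509 -newkey "rsa:$KEY_BITS" -nodes -days 1 \
    -subj "/CN=not-our-client" -keyout "$WORKDIR/stranger.key.pem" \
    -out "$WORKDIR/stranger.cert.pem" 2>/dev/null
  ! openssl verify -CAfile "$WORKDIR/ca.cert.pem" "$WORKDIR/stranger.cert.pem" >/dev/null 2>&1
}

make_ca
issue_cert tiller helm-tiller-server IP:127.0.0.1   # server cert with the SAN
issue_cert helm   helm-tiller-client                # client cert, no SAN needed
echo "CA, tiller and helm certificates written to $WORKDIR"
```

After it runs, `$WORKDIR/ca.cert.pem`, `tiller.cert.pem`/`tiller.key.pem` and `helm.cert.pem`/`helm.key.pem` map one-to-one onto the files the `helm init` and `cp ... $(helm home)/...` steps above expect; `chain_ok helm` and `has_san tiller "IP Address:127.0.0.1"` are the two checks to rerun whenever a certificate is rotated.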
Create Chart Repository HowTo
Create Chart for component HowTo
Issues:
Reference:
- DNS-01 challenge with Google CloudDNS API call - (Certbot)
- Kubernetes NGINX Ingress controller, kubernetes/ingress-nginx

[1]: /assets/download/tiller-rbac.yaml
[2]: /assets/download/tiller-server.yaml