Automatically provision and manage TLS certificates in Kubernetes

Scenario Context

We want to automate and manage certificates used within our K8s clusters.

Tutorial to Follow

Steps to do:

  • Prerequisite
    • ACME Issuer
      • ACME protocol
      • DNS-01 challenge
      • HTTP-01 challenge
    • or CA Issuer
    • or Vault Issuer
  • Installation

Helm tool installing in K8s

This is an instruction for installing the “Tiller” portion of Helm on the K8s cluster server side.

For a proper production environment, we need to guarantee two things:

  1. Based on K8s RBAC, grant Tiller cluster management permission. For the first trial, we isolate it within the my-namespace namespace.
  2. A TLS-secured connection between the Helm client (local CLI) and the Helm server (Tiller) on the K8s cluster.

RBAC role binding

```bash
kubectl apply -f tiller-rbac.yaml
```

[Download tiller-rbac.yaml][1] [Download tiller-server.yaml][2]

Client side self-signed SSL Between Helm and Tiller

Tiller requires that the client certificate be validated by its CA.

  • Create a private CA that is used to issue certificates for Tiller clients and servers.

```bash
openssl genrsa -out ./ca.key.pem 4096

openssl req -key ca.key.pem -new -x509 -days 7300 -sha256 -out ca.cert.pem -extensions v3_ca
```

The second command prompts for the subject of the CA certificate; the values used here were:

```
-----
Country Name (2 letter code) [AU]:IE
State or Province Name (full name) [Some-State]:Leinster
Locality Name (eg, city) []:Dublin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:FamunityNet
Organizational Unit Name (eg, section) []:RnD
Common Name (e.g. server FQDN or YOUR name) []:helm-tiller
Email Address []:email@famunity.net
```

  • Create a certificate for Tiller

Generate Key

```bash
openssl genrsa -out ./tiller.key.pem 4096
```

Create Certificates from the Key

```bash
openssl req -key tiller.key.pem -new -sha256 -out tiller.csr.pem
```

```
-----
Country Name (2 letter code) [AU]:IE
State or Province Name (full name) [Some-State]:Leinster
Locality Name (eg, city) []:Dublin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:FamunityNet
Organizational Unit Name (eg, section) []:RnD
Common Name (e.g. server FQDN or YOUR name) []:helm-tiller-server
Email Address []:email@famunity.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

Sign the CSR with the CA certificate we created

```bash
echo subjectAltName=IP:127.0.0.1 > extfile.cnf
openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -in tiller.csr.pem -out tiller.cert.pem -days 730 -extfile extfile.cnf
```

The subjectAltName is set to 127.0.0.1 because the Helm client reaches Tiller through a port-forward to localhost; with `--tiller-tls-verify` the server certificate has to match that address.

  • Create a certificate for the Helm client

Generate Key

```bash
openssl genrsa -out ./helm.key.pem 4096
```

Create Certificates from the Key

```bash
openssl req -key helm.key.pem -new -sha256 -out helm.csr.pem
```

```
-----
Country Name (2 letter code) [AU]:IE
State or Province Name (full name) [Some-State]:Leinster
Locality Name (eg, city) []:Dublin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:FamunityNet
Organizational Unit Name (eg, section) []:RnD
Common Name (e.g. server FQDN or YOUR name) []:helm-tiller-client
Email Address []:email@famunity.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

Sign the CSR with the CA certificate we created

```bash
openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -in helm.csr.pem -out helm.cert.pem -days 730
```

#### Create a Tiller server in K8s, that uses the certificates and RBAC account

```bash
helm init --dry-run --debug \
  --service-account=tiller \
  --tiller-namespace=iot-proxy \
  --tiller-tls \
  --tiller-tls-verify \
  --tiller-tls-cert ./tiller.cert.pem \
  --tiller-tls-key ./tiller.key.pem \
  --tls-ca-cert ca.cert.pem
```

With `--dry-run --debug`, helm init prints the Tiller manifest instead of installing it, so it can be reviewed before being applied with kubectl.

#### Configure the Helm client, to use the CA and client-side certificate

> The shortcut is to move the key, cert, and CA into $HELM_HOME:

```bash
cp ca.cert.pem $(helm home)/ca.pem
cp helm.cert.pem $(helm home)/cert.pem
cp helm.key.pem $(helm home)/key.pem
```

#### Now, you can talk with K8s from local Helm client by secure TLS connection

list installations

```bash
helm ls --tiller-namespace iot-proxy --tls
```

list all releases of cert-manager

```bash
helm ls --all cert-manager --tiller-namespace iot-proxy --tls
```

installing a K8s component

```bash
helm install stable/cert-manager \
  --name cert-manager \
  --namespace iot-proxy \
  --tls \
  --tiller-namespace iot-proxy
```

delete a release installation

```bash
helm del --purge cert-manager --tiller-namespace iot-proxy --tls
helm del --purge cert-manager
```
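As an added example (not code from the original post), the CA, Tiller and Helm client certificate steps above collapsed into one non-interactive script, together with the checks worth running before pointing `--tiller-tls-verify` at the files: that both leaf certificates chain to the CA, that each private key matches its certificate, and that the server certificate carries the 127.0.0.1 SAN. The subject fields mirror the post; the `-subj` form instead of interactive prompts, the key-size argument, the directory layout and the `install_helm_client_certs` helper (which takes `$(helm home)` as its second argument) are assumptions.

```shell
# Added example, not part of the original post: the CA / Tiller / Helm client
# certificate steps as one non-interactive script, plus the checks worth running
# before trusting the result. Subject fields mirror the post; the 127.0.0.1 SAN,
# the optional key-size argument and the directory layout are assumptions.
set -eu

# make_tiller_pki DIR [BITS]
#   Writes ca.{key,cert}.pem, tiller.{key,csr,cert}.pem and helm.{key,csr,cert}.pem into DIR.
make_tiller_pki() {
  dir="$1"
  bits="${2:-4096}"
  subj="/C=IE/ST=Leinster/L=Dublin/O=FamunityNet/OU=RnD"
  mkdir -p "$dir"

  # 1. Private CA, self-signed for 20 years as in the post; -subj replaces the
  #    interactive prompts.
  openssl genrsa -out "$dir/ca.key.pem" "$bits" 2>/dev/null
  openssl req -key "$dir/ca.key.pem" -new -x509 -days 7300 -sha256 \
    -extensions v3_ca -subj "$subj/CN=helm-tiller" -out "$dir/ca.cert.pem"

  # 2. Tiller server certificate. The Helm client reaches Tiller through a
  #    port-forward to localhost, so the SAN has to be 127.0.0.1 or
  #    --tiller-tls-verify rejects the server.
  openssl genrsa -out "$dir/tiller.key.pem" "$bits" 2>/dev/null
  openssl req -key "$dir/tiller.key.pem" -new -sha256 \
    -subj "$subj/CN=helm-tiller-server" -out "$dir/tiller.csr.pem"
  printf 'subjectAltName=IP:127.0.0.1\n' > "$dir/extfile.cnf"
  openssl x509 -req -CA "$dir/ca.cert.pem" -CAkey "$dir/ca.key.pem" -CAcreateserial \
    -in "$dir/tiller.csr.pem" -out "$dir/tiller.cert.pem" -days 730 \
    -extfile "$dir/extfile.cnf" 2>/dev/null

  # 3. Helm client certificate. Tiller only checks that it chains to the CA,
  #    so no SAN is needed.
  openssl genrsa -out "$dir/helm.key.pem" "$bits" 2>/dev/null
  openssl req -key "$dir/helm.key.pem" -new -sha256 \
    -subj "$subj/CN=helm-tiller-client" -out "$dir/helm.csr.pem"
  openssl x509 -req -CA "$dir/ca.cert.pem" -CAkey "$dir/ca.key.pem" -CAcreateserial \
    -in "$dir/helm.csr.pem" -out "$dir/helm.cert.pem" -days 730 2>/dev/null

  # The private keys are the whole secret of this setup: keep them owner-only.
  chmod 600 "$dir"/*.key.pem
}

# verify_tiller_pki DIR
#   Succeeds only if both leaf certs chain to the CA, each private key matches
#   its certificate, and the server certificate carries the 127.0.0.1 SAN.
verify_tiller_pki() {
  dir="$1"
  openssl verify -CAfile "$dir/ca.cert.pem" "$dir/tiller.cert.pem" "$dir/helm.cert.pem" >/dev/null
  for name in tiller helm; do
    cert_pub=$(openssl x509 -in "$dir/$name.cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/$name.key.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "$name: private key does not match certificate" >&2; return 1; }
  done
  openssl x509 -in "$dir/tiller.cert.pem" -noout -text | grep -q 'IP Address:127.0.0.1'
}

# install_helm_client_certs DIR HELM_HOME
#   The "shortcut" from the post: copy CA, client cert and key under HELM_HOME
#   (pass "$(helm home)") with the file names the Helm client expects.
install_helm_client_certs() {
  dir="$1"
  helm_home="$2"
  mkdir -p "$helm_home"
  cp "$dir/ca.cert.pem" "$helm_home/ca.pem"
  cp "$dir/helm.cert.pem" "$helm_home/cert.pem"
  cp "$dir/helm.key.pem" "$helm_home/key.pem"
  chmod 600 "$helm_home/key.pem"
}

# Usage:
#   make_tiller_pki ./tiller-pki && verify_tiller_pki ./tiller-pki \
#     && install_helm_client_certs ./tiller-pki "$(helm home)"
```

Running `verify_tiller_pki` before `helm init` catches the two mistakes that otherwise only surface as opaque TLS handshake errors: a key/certificate mismatch from editing the wrong file, and a server certificate whose SAN does not match the address the client dials.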

Create Chart Repository HowTo

Create Chart for component HowTo

Issues:

Let’s Encrypt Rate Limits

Reference:

  • DNS-01 challenge with Google CloudDNS API call - (Certbot)
  • Kubernetes NGINX Ingress controller, kubernetes/ingress-nginx

[1]: /assets/download/tiller-rbac.yaml
[2]: /assets/download/tiller-server.yaml