CFSSL自签TLS证书
1.下载cfssl
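# 1. Download the cfssl toolchain into ~/bin.
# NOTE(review): these are unauthenticated binary downloads over plain wget.
# Verify each file's SHA-256 against the checksum published with the release
# before executing it, and prefer a current release over the 2016-era R1.2
# where the environment allows.
mkdir -p "$HOME/bin"
# wget does not apply -P to an explicit -O filename, so the original
# "-O cfssl -P ~/bin/" left the binaries in the current directory and the
# later chmod/PATH steps pointed at files that did not exist. Give -O the
# full destination path instead.
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O "$HOME/bin/cfssl"
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O "$HOME/bin/cfssljson"
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O "$HOME/bin/cfssl-certinfo"
# cfssl-certinfo was downloaded but never made executable in the original.
chmod +x "$HOME/bin/cfssl" "$HOME/bin/cfssljson" "$HOME/bin/cfssl-certinfo"
export PATH="$PATH:$HOME/bin"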
2.初始化CA证书(certificate authority)
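# 2. Initialise the CA working directory and write the signing policy.
# "&&" / "|| exit 1" so a failed mkdir or cd does not leave the policy file in
# whatever directory the shell happened to be in.
mkdir -p "$HOME/cfssl" && cd "$HOME/cfssl" || exit 1
# Signing policy used when this CA issues certificates.
# The original wrote 438000h (50 years) while its comment promised 10 years;
# 87600h is 10 years. This expiry governs certificates *signed* with this
# config, not the CA certificate itself (cfssl -initca takes that from the
# "ca.expiry" field of the CA CSR, or its own default when absent).
# NOTE(review): 10 years is generous for server/client leaf certificates;
# a shorter lifetime with rotation is usually preferable.
# NOTE(review): the "kubernetes" profile grants both "server auth" and
# "client auth", so any certificate issued under it is also accepted as a
# client identity (CN as user name, O as group at kube-apiserver).
# The heredoc delimiter is quoted: the JSON contains no shell expansions and
# must never be subjected to them.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF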
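# CA certificate request. Subject fields: CN = Common Name, C = Country,
# ST = State/Province, L = Locality, O = Organization, OU = Organizational Unit.
# "CN": kube-apiserver extracts this field from a client certificate as the
#       request's user name.
# "O":  kube-apiserver extracts this field from a client certificate as the
#       group the user belongs to.
# "ca.expiry": lifetime of the CA certificate itself (10 years = 87600h).
#       cfssl -initca reads it from this file; without it cfssl applies its own
#       default, because the expiry in ca-config.json only governs certificates
#       this CA signs.
# NOTE(review): 2048-bit RSA is the floor for a CA expected to live 10 years;
# consider 4096-bit RSA or an ECDSA key when creating a new CA.
# Quoted heredoc delimiter: no shell expansion inside the JSON.
cat > ca-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "ca": {
    "expiry": "87600h"
  },
  "names": [
    {
      "C": "CN",
      "ST": "ChongQing",
      "L": "ChongQing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF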
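# Server certificate request, to be signed by the CA above.
# "hosts" becomes the certificate's Subject Alternative Names: every IP and DNS
# name clients use to reach the API server must be listed, otherwise TLS
# hostname verification fails. The subject (C/ST/L/O/OU) below is ChongQing;
# the original comment said Beijing, which did not match the values.
# NOTE(review): 10.255.0.1 is presumably the in-cluster service IP of the
# apiserver — confirm it matches the service CIDR actually in use.
# NOTE(review): because the "kubernetes" profile also grants client auth, this
# certificate doubles as a client identity at kube-apiserver: user
# "kubernetes" (CN) in group "k8s" (O). Treat server-key.pem accordingly.
# Quoted heredoc delimiter: no shell expansion inside the JSON.
cat > server-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "192.168.201.128",
    "192.168.201.129",
    "192.168.201.130",
    "10.255.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "ChongQing",
      "ST": "ChongQing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF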
3.容器内的证书类型
类型 | 说明 |
---|---|
client certificate | 客户端用该证书向服务端证明自己的身份,例如: etcdctl、etcd proxy 或 docker client; |
server certificate | 服务端用该证书向客户端证明自己的身份(由客户端校验),例如: docker server、kube-apiserver; |
peer certificate | etcd集群member节点之间通讯; |
4.证书生成
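# 4. Generate the CA and the server certificate with cfssl.
# The original "mkdir ssl ; cd ssl" ignored a failed mkdir, so a failed cd
# silently wrote the key material into the parent directory instead.
mkdir -p ssl && cd ssl || exit 1
# Self-signed CA: produces ca.pem, ca-key.pem and ca.csr.
cfssl gencert -initca ../ca-csr.json | cfssljson -bare ca -
# Server certificate signed by that CA under the "kubernetes" profile:
# produces server.pem, server-key.pem and server.csr.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=../ca-config.json \
  -profile=kubernetes ../server-csr.json | cfssljson -bare server
# Make sure the private keys are not readable by other users (a no-op if
# cfssljson already wrote them that way).
# NOTE(review): ca-key.pem can mint arbitrary server *and* client identities
# for this cluster (the profile grants both usages). Keep it off the nodes and
# out of version control once the leaf certificates have been issued.
chmod 600 ca-key.pem server-key.pem
# ls *pem
# ca-key.pem ca.pem server-key.pem server.pem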