Today is TLS certification day. I’m preparing all of the TLS certificates for the Kubernetes cluster.

By this point in the process, you should be able to ping each node of the cluster, have SSH keys set up, and have the basic client tools needed for the k8s cluster installed. I have created some Ansible playbooks and roles to assist with the provisioning process.

I created the TLS certs manually, generally following the steps in the guide. The only modification I made was using DNS names instead of IP addresses.

I have a virtual network in my lab with DHCP and DNS working; I used a pfSense VM to provide those services.

I may look into converting the TLS certificate steps into a playbook at a later date, but for now I’d recommend just going through the guide to create them.

## Provisioning a CA and Generating TLS Certificates

To keep everything organized, I created a directory for each respective cert/category. According to the GitHub docs:

You’ll bootstrap a Certificate Authority, and generate TLS certificates for the following components: etcd, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, and kube-proxy.

I made a small change in the alt_names section of the openssl.cnf files: I used DNS names instead of IPs, since I decided to use DNS and not assign static IPs to the nodes.

```ini
# openssl.cnf with DNS names instead of IP
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = lab-lb1
DNS.6 = smig-lab-k8-cp1
DNS.7 = smig-lab-k8-cp2
DNS.8 = smig-lab-k8-wn1
DNS.9 = smig-lab-k8-wn2
```
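To show the whole flow that config feeds into, here is an added example (my own script, not code from the post or from the guide it follows): it bootstraps a throwaway lab CA, issues a kube-apiserver certificate using the openssl.cnf above with DNS SANs, and then runs the checks a practitioner wants before copying the cert to a node: that it chains to the CA, that each hostname really landed in the SAN extension, that the leaf is CA:FALSE, and that the private key matches the cert. Assumptions: `openssl` is on PATH, the work directory is a temp dir, the CA name `kubernetes-lab-ca` and the `[ v3_ca ]` section are additions made here, and the hostnames are the post's own lab names reused as sample data.

```shell
#!/bin/sh
# Added example, not code from the original post: bootstrap a throwaway lab CA,
# issue a kube-apiserver certificate whose SANs are DNS names (as in the post's
# openssl.cnf), then run the checks worth doing before copying it to a node.
# Assumptions: openssl is on PATH; the CA name "kubernetes-lab-ca" and the
# [ v3_ca ] section are additions made here; the hostnames are the post's own.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# The request config from the post, plus a CA section for the self-signed root
# so the script does not depend on the system-wide openssl.cnf.
write_openssl_cnf() {
  cat > "$WORKDIR/openssl.cnf" <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = lab-lb1
DNS.6 = smig-lab-k8-cp1
DNS.7 = smig-lab-k8-cp2
DNS.8 = smig-lab-k8-wn1
DNS.9 = smig-lab-k8-wn2
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Bootstrap a self-signed CA. The CA key is mode 0600 and should never leave
# the machine that signs certificates.
make_ca() {
  openssl genrsa -out "$WORKDIR/ca-key.pem" 2048 2>/dev/null
  chmod 600 "$WORKDIR/ca-key.pem"
  openssl req -x509 -new -key "$WORKDIR/ca-key.pem" -days 365 \
    -subj "/CN=kubernetes-lab-ca" -config "$WORKDIR/openssl.cnf" \
    -extensions v3_ca -out "$WORKDIR/ca.pem" 2>/dev/null
}

# Issue the API server cert: CSR carrying v3_req, then CA-sign it while
# re-applying v3_req so the SANs and CA:FALSE land in the final certificate
# (x509 -req ignores CSR extensions unless told which section to copy).
make_apiserver_cert() {
  openssl genrsa -out "$WORKDIR/kubernetes-key.pem" 2048 2>/dev/null
  chmod 600 "$WORKDIR/kubernetes-key.pem"
  openssl req -new -key "$WORKDIR/kubernetes-key.pem" -subj "/CN=kubernetes" \
    -config "$WORKDIR/openssl.cnf" -out "$WORKDIR/kubernetes.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/kubernetes.csr" \
    -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca-key.pem" -CAcreateserial \
    -days 365 -extensions v3_req -extfile "$WORKDIR/openssl.cnf" \
    -out "$WORKDIR/kubernetes.pem" 2>/dev/null
}

# Checks to run before the cert is shipped to a node.
cert_chains_to_ca() {
  openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/kubernetes.pem" >/dev/null 2>&1
}
cert_has_san() {
  # $1 = DNS name; exit 0 only if it appears in the SAN extension
  openssl x509 -in "$WORKDIR/kubernetes.pem" -noout -text 2>/dev/null \
    | grep -qE "DNS:$1(,|[[:space:]]|$)"
}
cert_is_not_ca() {
  openssl x509 -in "$WORKDIR/kubernetes.pem" -noout -text 2>/dev/null \
    | grep -q 'CA:FALSE'
}
cert_matches_key() {
  # Public key inside the cert must equal the public half of the private key.
  a=$(openssl x509 -in "$WORKDIR/kubernetes.pem" -pubkey -noout 2>/dev/null)
  b=$(openssl pkey -in "$WORKDIR/kubernetes-key.pem" -pubout 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

build_all() {
  write_openssl_cnf
  make_ca
  make_apiserver_cert
}

build_all
cert_chains_to_ca && cert_has_san smig-lab-k8-cp1 && cert_is_not_ca \
  && cert_matches_key && echo "kubernetes.pem in $WORKDIR passed all checks"
```

The SAN check matters because an API server cert missing a control-plane hostname or the `kubernetes.default.svc.cluster.local` service name only fails later, when a client connecting by that name rejects the certificate; checking the extension at issue time is cheaper than debugging TLS errors on a node.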

The next step is to generate the Kubernetes config files for authentication. I will include a few screenshots of my environment below:

I provisioned an Arch Linux VDI, btw! lol

You can see the hostnames, the Xen-Orchestra GUI, and how I’m working on this task.

It’s been fun so far. Looking forward to getting more done.