You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

196 lines
7.9 KiB

  1. # Installation Guide
  2. - [Installation Guide](#installation-guide)
  3. - [Kubernetes TLS Root CA Certificate/Key Secret](#kubernetes-tls-root-ca-certificatekey-secret)
  4. - [Securing Ingress Resources](#securing-ingress-resources)
  5. - [Create New TLS Root CA Certificate and Key](#create-new-tls-root-ca-certificate-and-key)
  6. - [Install Cloudflare PKI/TLS `cfssl` Toolkit.](#install-cloudflare-pkitls-cfssl-toolkit)
  7. - [Create Root Certificate Authority (CA) Configuration File](#create-root-certificate-authority-ca-configuration-file)
  8. - [Create Certficate Signing Request (CSR) Configuration File](#create-certficate-signing-request-csr-configuration-file)
  9. - [Create TLS Root CA Certificate and Key](#create-tls-root-ca-certificate-and-key)
  10. Cert-Manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.
  11. ## Kubernetes TLS Root CA Certificate/Key Secret
  12. If you're planning to secure your ingress resources using TLS client certificates, you'll need to create and deploy the Kubernetes `ca-key-pair` secret consisting of the Root CA certificate and key to your K8s cluster.
  13. For further information, read the official [Cert-Manager CA Configuration](https://cert-manager.io/docs/configuration/ca/) doc.
  14. `cert-manager` can now be enabled by editing your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s_cluster\addons.yml` and setting `cert_manager_enabled` to true.
  15. ```ini
  16. # Cert manager deployment
  17. cert_manager_enabled: true
  18. ```
  19. If you don't have a TLS Root CA certificate and key available, you can create these by following the steps outlined in section [Create New TLS Root CA Certificate and Key](#create-new-tls-root-ca-certificate-and-key) using the Cloudflare PKI/TLS `cfssl` toolkit. TLS Root CA certificates and keys can also be created using `ssh-keygen` and OpenSSL, if `cfssl` is not available.
  20. ## Securing Ingress Resources
  21. A common use-case for cert-manager is requesting TLS signed certificates to secure your ingress resources. This can be done by simply adding annotations to your Ingress resources and cert-manager will facilitate creating the Certificate resource for you. A small sub-component of cert-manager, ingress-shim, is responsible for this.
  22. To enable the Nginx Ingress controller as part of your Kubespray deployment, simply edit your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s_cluster\addons.yml` and set `ingress_nginx_enabled` to true.
  23. ```ini
  24. # Nginx ingress controller deployment
  25. ingress_nginx_enabled: true
  26. ```
  27. For example, if you're using the Nginx ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.
  28. ```yaml
  29. apiVersion: networking.k8s.io/v1
  30. kind: Ingress
  31. metadata:
  32. name: prometheus-k8s
  33. namespace: monitoring
  34. labels:
  35. prometheus: k8s
  36. annotations:
  37. kubernetes.io/ingress.class: "nginx"
  38. cert-manager.io/cluster-issuer: ca-issuer
  39. spec:
  40. tls:
  41. - hosts:
  42. - prometheus.example.com
  43. secretName: prometheus-dashboard-certs
  44. rules:
  45. - host: prometheus.example.com
  46. http:
  47. paths:
  48. - path: /
  49. pathType: ImplementationSpecific
  50. backend:
  51. service:
  52. name: prometheus-k8s
  53. port:
  54. name: web
  55. ```
  56. Once deployed to your K8s cluster, every 3 months cert-manager will automatically rotate the Prometheus `prometheus.example.com` TLS client certificate and key, and store these as the Kubernetes `prometheus-dashboard-certs` secret.
  57. Please consult the official upstream documentation:
  58. - [cert-manager Ingress Usage](https://cert-manager.io/v1.5-docs/usage/ingress/)
  59. - [cert-manager Ingress Tutorial](https://cert-manager.io/v1.5-docs/tutorials/acme/ingress/#step-3-assign-a-dns-name)
  60. ### ACME
  61. The ACME Issuer type represents a single account registered with the Automated Certificate Management Environment (ACME) Certificate Authority server. When you create a new ACME Issuer, cert-manager will generate a private key which is used to identify you with the ACME server.
  62. Certificates issued by public ACME servers are typically trusted by client’s computers by default. This means that, for example, visiting a website that is backed by an ACME certificate issued for that URL, will be trusted by default by most client’s web browsers. ACME certificates are typically free.
  63. - [ACME Configuration](https://cert-manager.io/v1.5-docs/configuration/acme/)
  64. - [ACME HTTP Validation](https://cert-manager.io/v1.5-docs/tutorials/acme/http-validation/)
  65. - [HTTP01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/http01/)
  66. - [ACME DNS Validation](https://cert-manager.io/v1.5-docs/tutorials/acme/dns-validation/)
  67. - [DNS01 Challenges](https://cert-manager.io/v1.5-docs/configuration/acme/dns01/)
  68. - [ACME FAQ](https://cert-manager.io/v1.5-docs/faq/acme/)
  69. #### ACME With An Internal Certificate Authority
  70. The ACME Issuer with an internal certificate authority requires cert-manager to trust the certificate authority. This trust must be done at the cert-manager deployment level.
  71. To add a trusted certificate authority to cert-manager, add it's certificate to `group_vars/k8s-cluster/addons.yml`:
  72. ```yaml
  73. cert_manager_trusted_internal_ca: |
  74. -----BEGIN CERTIFICATE-----
  75. [REPLACE with your CA certificate]
  76. -----END CERTIFICATE-----
  77. ```
  78. Once the CA is trusted, you can define your issuer normally.
  79. ### Create New TLS Root CA Certificate and Key
  80. #### Install Cloudflare PKI/TLS `cfssl` Toolkit
  81. e.g. For Ubuntu/Debian distributions, the toolkit is part of the `golang-cfssl` package.
  82. ```shell
  83. sudo apt-get install -y golang-cfssl
  84. ```
  85. #### Create Root Certificate Authority (CA) Configuration File
  86. The default TLS certificate expiry time period is `8760h` which is 1 years from the date the certificate is created.
  87. ```shell
  88. $ cat > ca-config.json <<EOF
  89. {
  90. "signing": {
  91. "default": {
  92. "expiry": "8760h"
  93. },
  94. "profiles": {
  95. "kubernetes": {
  96. "usages": ["signing", "key encipherment", "server auth", "client auth"],
  97. "expiry": "8760h"
  98. }
  99. }
  100. }
  101. }
  102. EOF
  103. ```
  104. #### Create Certficate Signing Request (CSR) Configuration File
  105. The TLS certificate `names` details can be updated to your own specific requirements.
  106. ```shell
  107. $ cat > ca-csr.json <<EOF
  108. {
  109. "CN": "Kubernetes",
  110. "key": {
  111. "algo": "rsa",
  112. "size": 2048
  113. },
  114. "names": [
  115. {
  116. "C": "US",
  117. "L": "Portland",
  118. "O": "Kubernetes",
  119. "OU": "CA",
  120. "ST": "Oregon"
  121. }
  122. ]
  123. }
  124. EOF
  125. ```
  126. #### Create TLS Root CA Certificate and Key
  127. ```shell
  128. $ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
  129. ca.pem
  130. ca-key.pem
  131. ```
  132. Check the TLS Root CA certificate has the correct `Not Before` and `Not After` dates, and ensure it is indeed a valid Certificate Authority with the X509v3 extension `CA:TRUE`.
  133. ```shell
  134. $ openssl x509 -text -noout -in ca.pem
  135. Certificate:
  136. Data:
  137. Version: 3 (0x2)
  138. Serial Number:
  139. 6a:d4:d8:48:7f:98:4f:54:68:9a:e1:73:02:fa:d0:41:79:25:08:49
  140. Signature Algorithm: sha256WithRSAEncryption
  141. Issuer: C = US, ST = Oregon, L = Portland, O = Kubernetes, OU = CA, CN = Kubernetes
  142. Validity
  143. Not Before: Jul 10 15:21:00 2020 GMT
  144. Not After : Jul 9 15:21:00 2025 GMT
  145. Subject: C = US, ST = Oregon, L = Portland, O = Kubernetes, OU = CA, CN = Kubernetes
  146. Subject Public Key Info:
  147. ...
  148. X509v3 extensions:
  149. X509v3 Key Usage: critical
  150. Certificate Sign, CRL Sign
  151. X509v3 Basic Constraints: critical
  152. CA:TRUE
  153. X509v3 Subject Key Identifier:
  154. D4:38:B5:E2:26:49:5E:0D:E3:DC:D9:70:73:3B:C4:19:6A:43:4A:F2
  155. ...
  156. ```