Vault PKI Intermediate CAs for ALL SERVICES Kubernetes the hard way v2: различия между версиями
Материал из noname.com.ua
Перейти к навигацииПерейти к поискуSirmax (обсуждение | вклад) |
Sirmax (обсуждение | вклад) |
||
| Строка 32: | Строка 32: | ||
</PRE> |
</PRE> |
||
| + | ==Настройка СА== |
||
| − | |||
<PRE> |
<PRE> |
||
| + | #!/bin/bash |
||
| − | </PRE> |
||
| + | source ../env |
||
| + | vault \ |
||
| − | <PRE> |
||
| + | secrets \ |
||
| + | enable \ |
||
| + | -path=${PKI_PATH} \ |
||
| + | -description="PKI Intermediate CA for K8S kube-apiserver API endpoints" \ |
||
| + | -max-lease-ttl="175200h" \ |
||
| + | pki |
||
</PRE> |
</PRE> |
||
<PRE> |
<PRE> |
||
| + | #!/bin/bash |
||
| + | |||
| + | source ../env |
||
| + | |||
| + | vault \ |
||
| + | write \ |
||
| + | -format=json \ |
||
| + | ${PKI_PATH}/intermediate/generate/exported \ |
||
| + | common_name="Intermediate CA for service kube-api-server API endpoints" \ |
||
| + | country="Ukraine" \ |
||
| + | locality="Kharkov" \ |
||
| + | street_address="Lui Pastera st. 322 app. 131" \ |
||
| + | postal_code="61172" \ |
||
| + | organization="K8s The Hardest Way Labs" \ |
||
| + | ou="IT" \ |
||
| + | ttl="175200h" > ${PKI_PATH}.json |
||
| + | |||
| + | |||
| + | cat ${PKI_PATH}.json | jq -r '.data.csr' > ${PKI_PATH}_intermediate_ca.csr |
||
| + | cat ${PKI_PATH}.json | jq -r '.data.private_key' > ${PKI_PATH}_intermediate_ca.key |
||
</PRE> |
</PRE> |
||
<PRE> |
<PRE> |
||
| + | #!/bin/bash |
||
| + | |||
| + | source ../env |
||
| + | |||
| + | vault \ |
||
| + | write \ |
||
| + | -format=json \ |
||
| + | k8s_pki_root_ca/root/sign-intermediate \ |
||
| + | csr=@${PKI_PATH}_intermediate_ca.csr \ |
||
| + | country="Ukraine" \ |
||
| + | locality="Kharkov" \ |
||
| + | street_address="Lui Pastera st. 322 app. 131" \ |
||
| + | postal_code="61172" \ |
||
| + | organization="K8s The Hardest Way Labs" \ |
||
| + | ou="IT" \ |
||
| + | format=pem_bundle \ |
||
| + | ttl="175200h" > ${PKI_PATH}_intermediate_ca_pem_bundle.json |
||
| + | |||
| + | |||
| + | cat ${PKI_PATH}_intermediate_ca_pem_bundle.json | jq -r '.data.certificate' > ${PKI_PATH}_intermediate_ca_pem.crt |
||
| + | cat ${PKI_PATH}_intermediate_ca_pem_bundle.json | jq -r '.data.issuing_ca' > k8s_root_certificate.pem |
||
</PRE> |
</PRE> |
||
<PRE> |
<PRE> |
||
| + | #!/bin/bash |
||
| + | |||
| + | source ../env |
||
| + | |||
| + | openssl \ |
||
| + | verify \ |
||
| + | -verbose \ |
||
| + | -CAfile k8s_root_certificate.pem \ |
||
| + | ${PKI_PATH}_intermediate_ca_pem.crt |
||
</PRE> |
</PRE> |
||
<PRE> |
<PRE> |
||
| + | #!/bin/bash |
||
| + | |||
| + | source ../env |
||
| + | |||
| + | vault \ |
||
| + | write \ |
||
| + | ${PKI_PATH}/intermediate/set-signed \ |
||
| + | certificate=@${PKI_PATH}_intermediate_ca_pem.crt \ |
||
| + | key=@${PKI_PATH}_intermediate_ca.key |
||
| + | </PRE> |
||
| + | ==Права, пользователи, роли== |
||
| + | Далее назначить права на пользователей для каждого экземпляра сервера |
||
| + | <PRE> |
||
| + | #!/bin/bash |
||
| + | |||
| + | source ../env |
||
| + | |||
| + | N='kube-apiserver' |
||
| + | for AZ in $(seq 1 3); |
||
| + | do |
||
| + | DOMAIN="${N}.az${AZ}.k8s.cluster.home" |
||
| + | BALANCER_DOMAIN="${N}.k8s.cluster.home" |
||
| + | NAME_SERVER="${DOMAIN}-server" |
||
| + | NAME_CLIENT="${DOMAIN}-client" |
||
| + | |||
| + | |||
| + | vault \ |
||
| + | write \ |
||
| + | ${PKI_PATH}/roles/${NAME_SERVER}-role \ |
||
| + | country="Ukraine" \ |
||
| + | locality="Kharkov" \ |
||
| + | street_address="Lui Pastera st 322 app. 311"\ |
||
| + | postal_code="61172" \ |
||
| + | organization="Home Network" \ |
||
| + | ou="IT" \ |
||
| + | allowed_domains="${DOMAIN},${BALANCER_DOMAIN}" \ |
||
| + | allow_subdomains=false \ |
||
| + | max_ttl="87600h" \ |
||
| + | key_bits="2048" \ |
||
| + | key_type="rsa" \ |
||
| + | allow_any_name=false \ |
||
| + | allow_bare_domains=true \ |
||
| + | allow_glob_domain=false \ |
||
| + | allow_ip_sans=true \ |
||
| + | allow_localhost=false \ |
||
| + | client_flag=true \ |
||
| + | server_flag=true \ |
||
| + | enforce_hostnames=true \ |
||
| + | key_usage="DigitalSignature,KeyEncipherment" \ |
||
| + | ext_key_usage="ServerAuth" \ |
||
| + | require_cn=true |
||
| + | |||
| + | vault \ |
||
| + | write \ |
||
| + | ${PKI_PATH}/roles/${NAME_CLIENT}-role \ |
||
| + | country="Ukraine" \ |
||
| + | locality="Kharkov" \ |
||
| + | street_address="Lui Pastera st 322 app. 311"\ |
||
| + | postal_code="61172" \ |
||
| + | organization="Home Network" \ |
||
| + | ou="IT" \ |
||
| + | allow_subdomains=false \ |
||
| + | max_ttl="87600h" \ |
||
| + | key_bits="2048" \ |
||
| + | key_type="rsa" \ |
||
| + | allow_any_name=true \ |
||
| + | allow_bare_domains=true \ |
||
| + | allow_glob_domain=false \ |
||
| + | allow_ip_sans=true \ |
||
| + | allow_localhost=false \ |
||
| + | client_flag=true \ |
||
| + | server_flag=false \ |
||
| + | enforce_hostnames=true \ |
||
| + | key_usage="DigitalSignature,KeyEncipherment" \ |
||
| + | ext_key_usage="ClientAuth" \ |
||
| + | require_cn=true |
||
| + | done |
||
</PRE> |
</PRE> |
||
<PRE> |
<PRE> |
||
| + | #!/bin/bash |
||
| + | |||
| + | source ../env |
||
| + | |||
| + | N='kube-apiserver' |
||
| + | for AZ in $(seq 1 3); |
||
| + | do |
||
| + | DOMAIN="${N}.az${AZ}.k8s.cluster.home" |
||
| + | NAME_SERVER="${DOMAIN}-server" |
||
| + | NAME_CLIENT="${DOMAIN}-client" |
||
| + | |||
| + | cat << EOF > ${NAME_SERVER}-policy.hlc |
||
| + | path "${PKI_PATH}/issue/${NAME_SERVER}-role" |
||
| + | { |
||
| + | capabilities = ["read", "create", "list", "update"] |
||
| + | } |
||
| + | EOF |
||
| + | |||
| + | vault \ |
||
| + | policy \ |
||
| + | write \ |
||
| + | ${NAME_SERVER}-policy \ |
||
| + | ${NAME_SERVER}-policy.hlc |
||
| + | vault \ |
||
| + | write \ |
||
| + | auth/userpass/users/${NAME_SERVER}-user \ |
||
| + | password=${NAME_SERVER}-password \ |
||
| + | policies=" ${NAME_SERVER}-policy,default" |
||
| + | |||
| + | |||
| + | |||
| + | cat << EOF > ${NAME_CLIENT}-policy.hlc |
||
| + | path "${PKI_NAME}/issue/${NAME_CLIENT}-role" |
||
| + | { |
||
| + | capabilities = ["read", "create", "list", "update"] |
||
| + | } |
||
| + | EOF |
||
| + | |||
| + | vault \ |
||
| + | policy \ |
||
| + | write \ |
||
| + | ${NAME_CLIENT}-policy \ |
||
| + | ${NAME_CLIENT}-policy.hlc |
||
| + | vault \ |
||
| + | write \ |
||
| + | auth/userpass/users/${NAME_CLIENT}-user \ |
||
| + | password=${NAME_CLIENT}-password \ |
||
| + | policies=" ${NAME_CLIENT}-policy,default" |
||
| + | |||
| + | |||
| + | done |
||
</PRE> |
</PRE> |
||
<PRE> |
<PRE> |
||
| + | #!/bin/bash |
||
| + | |||
| + | source ../env |
||
| + | |||
| + | echo "---------ROLES---------------------" |
||
| + | vault \ |
||
| + | list \ |
||
| + | ${PKI_PATH}/roles |
||
| + | echo "---------USERS---------------------" |
||
| + | vault \ |
||
| + | list \ |
||
| + | auth/userpass/users |
||
| + | echo "------------------------------" |
||
| + | |||
| + | |||
| + | for AZ in $(seq 1 3); |
||
| + | do |
||
| + | echo "------ AZ ${AZ} -----" |
||
| + | DOMAIN="${N}.az${AZ}.k8s.cluster.home" |
||
| + | NAME_SERVER="${DOMAIN}-server" |
||
| + | NAME_CLIENT="${DOMAIN}-client" |
||
| + | |||
| + | vault \ |
||
| + | policy \ |
||
| + | read \ |
||
| + | ${NAME_SERVER}-policy |
||
| + | |||
| + | vault \ |
||
| + | policy \ |
||
| + | read \ |
||
| + | ${NAME_CLIENT}-policy |
||
| + | |||
| + | vault \ |
||
| + | read \ |
||
| + | auth/userpass/users/${NAME_SERVER}-user |
||
| + | vault \ |
||
| + | read \ |
||
| + | auth/userpass/users/${NAME_SERVER}-user |
||
| + | |||
| + | done |
||
</PRE> |
</PRE> |
||
| + | |||
| + | |||
<PRE> |
<PRE> |
||
Версия 16:16, 26 октября 2022
Создание СА для работы кластера K8s - Kube-Apiserver
Эта страница - часть большой статьи про CA используемые в k8s: Vault_PKI_Kubernetes_the_hard_way_v2
Задача - настроить промежуточный СА для работы сервиса kube-apiserver
Это в целом более-менее аналогичная конфигурация CA для ETCd
У kube-apiserver множество параметров связанных с шифрованием и сертификатами и в моей конфигурации используются РАЗНЫЕ СА везде где это возможно (хотя это не обязательно)
СА для TLS
Отдельный СА (промежуточный СА!)
Переменные вынесены в отдельный файл
env
export VAULT_ADDR=http://127.0.0.1:8200 export VAULT_TOKEN="s.Yb1J2VamFyYoav3VVE2YQQ88" export PKI_PATH="k8s_pki_intermediate_ca_for_service_kube_apiserver_tls" export N='kube-apiserver'
Настройка СА
#!/bin/bash
source ../env
vault \
secrets \
enable \
-path=${PKI_PATH} \
-description="PKI Intermediate CA for K8S kube-apiserver API endpoints" \
-max-lease-ttl="175200h" \
pki
#!/bin/bash
source ../env
vault \
write \
-format=json \
${PKI_PATH}/intermediate/generate/exported \
common_name="Intermediate CA for service kube-api-server API endpoints" \
country="Ukraine" \
locality="Kharkov" \
street_address="Lui Pastera st. 322 app. 131" \
postal_code="61172" \
organization="K8s The Hardest Way Labs" \
ou="IT" \
ttl="175200h" > ${PKI_PATH}.json
cat ${PKI_PATH}.json | jq -r '.data.csr' > ${PKI_PATH}_intermediate_ca.csr
cat ${PKI_PATH}.json | jq -r '.data.private_key' > ${PKI_PATH}_intermediate_ca.key
#!/bin/bash
source ../env
vault \
write \
-format=json \
k8s_pki_root_ca/root/sign-intermediate \
csr=@${PKI_PATH}_intermediate_ca.csr \
country="Ukraine" \
locality="Kharkov" \
street_address="Lui Pastera st. 322 app. 131" \
postal_code="61172" \
organization="K8s The Hardest Way Labs" \
ou="IT" \
format=pem_bundle \
ttl="175200h" > ${PKI_PATH}_intermediate_ca_pem_bundle.json
cat ${PKI_PATH}_intermediate_ca_pem_bundle.json | jq -r '.data.certificate' > ${PKI_PATH}_intermediate_ca_pem.crt
cat ${PKI_PATH}_intermediate_ca_pem_bundle.json | jq -r '.data.issuing_ca' > k8s_root_certificate.pem
#!/bin/bash
source ../env
openssl \
verify \
-verbose \
-CAfile k8s_root_certificate.pem \
${PKI_PATH}_intermediate_ca_pem.crt
#!/bin/bash
source ../env
vault \
write \
${PKI_PATH}/intermediate/set-signed \
certificate=@${PKI_PATH}_intermediate_ca_pem.crt \
key=@${PKI_PATH}_intermediate_ca.key
Права, пользователи, роли
Далее назначить права на пользователей для каждого экземпляра сервера
#!/bin/bash
source ../env
N='kube-apiserver'
for AZ in $(seq 1 3);
do
DOMAIN="${N}.az${AZ}.k8s.cluster.home"
BALANCER_DOMAIN="${N}.k8s.cluster.home"
NAME_SERVER="${DOMAIN}-server"
NAME_CLIENT="${DOMAIN}-client"
vault \
write \
${PKI_PATH}/roles/${NAME_SERVER}-role \
country="Ukraine" \
locality="Kharkov" \
street_address="Lui Pastera st 322 app. 311"\
postal_code="61172" \
organization="Home Network" \
ou="IT" \
allowed_domains="${DOMAIN},${BALANCER_DOMAIN}" \
allow_subdomains=false \
max_ttl="87600h" \
key_bits="2048" \
key_type="rsa" \
allow_any_name=false \
allow_bare_domains=true \
allow_glob_domain=false \
allow_ip_sans=true \
allow_localhost=false \
client_flag=true \
server_flag=true \
enforce_hostnames=true \
key_usage="DigitalSignature,KeyEncipherment" \
ext_key_usage="ServerAuth" \
require_cn=true
vault \
write \
${PKI_PATH}/roles/${NAME_CLIENT}-role \
country="Ukraine" \
locality="Kharkov" \
street_address="Lui Pastera st 322 app. 311"\
postal_code="61172" \
organization="Home Network" \
ou="IT" \
allow_subdomains=false \
max_ttl="87600h" \
key_bits="2048" \
key_type="rsa" \
allow_any_name=true \
allow_bare_domains=true \
allow_glob_domain=false \
allow_ip_sans=true \
allow_localhost=false \
client_flag=true \
server_flag=false \
enforce_hostnames=true \
key_usage="DigitalSignature,KeyEncipherment" \
ext_key_usage="ClientAuth" \
require_cn=true
done
#!/bin/bash
source ../env
N='kube-apiserver'
for AZ in $(seq 1 3);
do
DOMAIN="${N}.az${AZ}.k8s.cluster.home"
NAME_SERVER="${DOMAIN}-server"
NAME_CLIENT="${DOMAIN}-client"
cat << EOF > ${NAME_SERVER}-policy.hlc
path "${PKI_PATH}/issue/${NAME_SERVER}-role"
{
capabilities = ["read", "create", "list", "update"]
}
EOF
vault \
policy \
write \
${NAME_SERVER}-policy \
${NAME_SERVER}-policy.hlc
vault \
write \
auth/userpass/users/${NAME_SERVER}-user \
password=${NAME_SERVER}-password \
policies=" ${NAME_SERVER}-policy,default"
cat << EOF > ${NAME_CLIENT}-policy.hlc
path "${PKI_NAME}/issue/${NAME_CLIENT}-role"
{
capabilities = ["read", "create", "list", "update"]
}
EOF
vault \
policy \
write \
${NAME_CLIENT}-policy \
${NAME_CLIENT}-policy.hlc
vault \
write \
auth/userpass/users/${NAME_CLIENT}-user \
password=${NAME_CLIENT}-password \
policies=" ${NAME_CLIENT}-policy,default"
done
#!/bin/bash
source ../env
echo "---------ROLES---------------------"
vault \
list \
${PKI_PATH}/roles
echo "---------USERS---------------------"
vault \
list \
auth/userpass/users
echo "------------------------------"
for AZ in $(seq 1 3);
do
echo "------ AZ ${AZ} -----"
DOMAIN="${N}.az${AZ}.k8s.cluster.home"
NAME_SERVER="${DOMAIN}-server"
NAME_CLIENT="${DOMAIN}-client"
vault \
policy \
read \
${NAME_SERVER}-policy
vault \
policy \
read \
${NAME_CLIENT}-policy
vault \
read \
auth/userpass/users/${NAME_SERVER}-user
vault \
read \
auth/userpass/users/${NAME_SERVER}-user
done
