Vault PKI Intermediate ca etcd Roles and permissions for real cluster Kubernetes the hard way v2: различия между версиями
Sirmax (обсуждение | вклад) |
Sirmax (обсуждение | вклад) м (Sirmax переименовал страницу Vault PKI Intermediate ca etcd Roles and permissions for real cliuster Kubernetes the hard way v2 в Vault PKI Intermediate ca etcd Roles and permissions for real cluster Kubernetes the hard way v2: Vault_PKI_Intermediate_ca_etcd_Roles_and_permissions_for_real_cluster_Kubernetes_the_hard_way_v2) |
||
(не показано 59 промежуточных версий этого же участника) | |||
Строка 36: | Строка 36: | ||
<PRE> |
<PRE> |
||
− | #!/bin/bash |
||
− | |||
− | source ./00_env |
||
− | |||
− | |||
− | for AZ in $(seq 1 3); |
||
− | do |
||
#!/bin/bash |
#!/bin/bash |
||
Строка 56: | Строка 49: | ||
vault \ |
vault \ |
||
write \ |
write \ |
||
− | ${PKI_NAME}/roles/${NAME}- |
+ | ${PKI_NAME}/roles/${NAME}-role \ |
country="Ukraine" \ |
country="Ukraine" \ |
||
locality="Kharkov" \ |
locality="Kharkov" \ |
||
Строка 63: | Строка 56: | ||
organization="Home Network" \ |
organization="Home Network" \ |
||
ou="IT" \ |
ou="IT" \ |
||
− | allowed_domains=" |
+ | allowed_domains="${DOMAIN}" \ |
allow_subdomains=false \ |
allow_subdomains=false \ |
||
max_ttl="87600h" \ |
max_ttl="87600h" \ |
||
Строка 69: | Строка 62: | ||
key_type="rsa" \ |
key_type="rsa" \ |
||
allow_any_name=false \ |
allow_any_name=false \ |
||
− | allow_bare_domains= |
+ | allow_bare_domains=true \ |
allow_glob_domain=false \ |
allow_glob_domain=false \ |
||
allow_ip_sans=true \ |
allow_ip_sans=true \ |
||
Строка 80: | Строка 73: | ||
require_cn=true |
require_cn=true |
||
done |
done |
||
+ | |||
</PRE> |
</PRE> |
||
<PRE> |
<PRE> |
||
− | Success! Data written to: k8s_pki_intermediate_ca_for_service_etcd/roles/etcd.master.az1.k8s.cluster.home-client-and-server- |
+ | Success! Data written to: k8s_pki_intermediate_ca_for_service_etcd/roles/etcd.master.az1.k8s.cluster.home-client-and-server-role |
− | Success! Data written to: k8s_pki_intermediate_ca_for_service_etcd/roles/etcd.master.az2.k8s.cluster.home-client-and-server- |
+ | Success! Data written to: k8s_pki_intermediate_ca_for_service_etcd/roles/etcd.master.az2.k8s.cluster.home-client-and-server-role |
− | Success! Data written to: k8s_pki_intermediate_ca_for_service_etcd/roles/etcd.master.az3.k8s.cluster.home-client-and-server- |
+ | Success! Data written to: k8s_pki_intermediate_ca_for_service_etcd/roles/etcd.master.az3.k8s.cluster.home-client-and-server-role |
</PRE> |
</PRE> |
||
Строка 92: | Строка 86: | ||
source ./00_env |
source ./00_env |
||
+ | |||
for AZ in $(seq 1 3); |
for AZ in $(seq 1 3); |
||
do |
do |
||
+ | DOMAIN="etcd.master.az${AZ}.k8s.cluster.home" |
||
+ | NAME="${DOMAIN}-client-and-server" |
||
− | NAME="etcd.master-az${AZ}-k8s-cluster-home-client-and-server" |
||
cat << EOF > ${NAME}-policy.hlc |
cat << EOF > ${NAME}-policy.hlc |
||
− | path "${PKI_NAME}/ |
+ | path "${PKI_NAME}/issue/${NAME}-role" |
{ |
{ |
||
capabilities = ["read", "create", "list", "update"] |
capabilities = ["read", "create", "list", "update"] |
||
Строка 115: | Строка 111: | ||
policies=" ${NAME}-policy,default" |
policies=" ${NAME}-policy,default" |
||
done |
done |
||
+ | |||
</PRE> |
</PRE> |
||
+ | |||
<PRE> |
<PRE> |
||
− | Success! Uploaded policy: etcd.master |
+ | Success! Uploaded policy: etcd.master.az1.k8s.cluster.home-client-and-server-policy |
− | Success! Data written to: auth/userpass/users/etcd.master |
+ | Success! Data written to: auth/userpass/users/etcd.master.az1.k8s.cluster.home-client-and-server-user |
− | Success! Uploaded policy: etcd.master |
+ | Success! Uploaded policy: etcd.master.az2.k8s.cluster.home-client-and-server-policy |
− | Success! Data written to: auth/userpass/users/etcd.master |
+ | Success! Data written to: auth/userpass/users/etcd.master.az2.k8s.cluster.home-client-and-server-user |
− | Success! Uploaded policy: etcd.master |
+ | Success! Uploaded policy: etcd.master.az3.k8s.cluster.home-client-and-server-policy |
− | Success! Data written to: auth/userpass/users/etcd.master |
+ | Success! Data written to: auth/userpass/users/etcd.master.az3.k8s.cluster.home-client-and-server-user |
</PRE> |
</PRE> |
||
+ | |||
==Просмотр созданных политик== |
==Просмотр созданных политик== |
||
<PRE> |
<PRE> |
||
+ | |||
#!/bin/bash |
#!/bin/bash |
||
source ./00_env |
source ./00_env |
||
− | echo "------------------------------" |
+ | echo "---------ROLES---------------------" |
vault \ |
vault \ |
||
list \ |
list \ |
||
${PKI_NAME}/roles |
${PKI_NAME}/roles |
||
− | echo "------------------------------" |
+ | echo "---------USERS---------------------" |
vault \ |
vault \ |
||
list \ |
list \ |
||
Строка 142: | Строка 142: | ||
for AZ in $(seq 1 3); |
for AZ in $(seq 1 3); |
||
do |
do |
||
+ | DOMAIN="etcd.master.az${AZ}.k8s.cluster.home" |
||
− | |||
− | NAME=" |
+ | NAME="${DOMAIN}-client-and-server" |
vault \ |
vault \ |
||
policy \ |
policy \ |
||
Строка 158: | Строка 158: | ||
{{#spoiler:show=Результат (много текста)| |
{{#spoiler:show=Результат (много текста)| |
||
<PRE> |
<PRE> |
||
+ | |||
− | ------------------------------ |
||
+ | ---------ROLES--------------------- |
||
Keys |
Keys |
||
---- |
---- |
||
− | etcd.master |
+ | etcd.master.az1.k8s.cluster.home-client-and-server-role |
− | etcd.master |
+ | etcd.master.az2.k8s.cluster.home-client-and-server-role |
− | etcd.master |
+ | etcd.master.az3.k8s.cluster.home-client-and-server-role |
example-dot-home-client-crt |
example-dot-home-client-crt |
||
example-dot-home-server-crt |
example-dot-home-server-crt |
||
− | ------------------------------ |
+ | ---------USERS--------------------- |
Keys |
Keys |
||
---- |
---- |
||
− | etcd.master |
+ | etcd.master.az1.k8s.cluster.home-client-and-server-user |
− | etcd.master |
+ | etcd.master.az2.k8s.cluster.home-client-and-server-user |
− | etcd.master |
+ | etcd.master.az3.k8s.cluster.home-client-and-server-user |
example-dot-home-any-crt-user |
example-dot-home-any-crt-user |
||
example-dot-home-client-crt-user |
example-dot-home-client-crt-user |
||
Строка 177: | Строка 178: | ||
vault-dot-home-server-crt-user |
vault-dot-home-server-crt-user |
||
------------------------------ |
------------------------------ |
||
− | path "k8s_pki_intermediate_ca_for_service_etcd/ |
+ | path "k8s_pki_intermediate_ca_for_service_etcd/issue/etcd.master.az1.k8s.cluster.home-client-and-server-role" |
{ |
{ |
||
capabilities = ["read", "create", "list", "update"] |
capabilities = ["read", "create", "list", "update"] |
||
Строка 183: | Строка 184: | ||
Key Value |
Key Value |
||
--- ----- |
--- ----- |
||
− | policies [default etcd.master |
+ | policies [default etcd.master.az1.k8s.cluster.home-client-and-server-policy] |
token_bound_cidrs [] |
token_bound_cidrs [] |
||
token_explicit_max_ttl 0s |
token_explicit_max_ttl 0s |
||
Строка 190: | Строка 191: | ||
token_num_uses 0 |
token_num_uses 0 |
||
token_period 0s |
token_period 0s |
||
− | token_policies [default etcd.master |
+ | token_policies [default etcd.master.az1.k8s.cluster.home-client-and-server-policy] |
token_ttl 0s |
token_ttl 0s |
||
token_type default |
token_type default |
||
− | path "k8s_pki_intermediate_ca_for_service_etcd/ |
+ | path "k8s_pki_intermediate_ca_for_service_etcd/issue/etcd.master.az2.k8s.cluster.home-client-and-server-role" |
{ |
{ |
||
capabilities = ["read", "create", "list", "update"] |
capabilities = ["read", "create", "list", "update"] |
||
Строка 199: | Строка 200: | ||
Key Value |
Key Value |
||
--- ----- |
--- ----- |
||
− | policies [default etcd.master |
+ | policies [default etcd.master.az2.k8s.cluster.home-client-and-server-policy] |
token_bound_cidrs [] |
token_bound_cidrs [] |
||
token_explicit_max_ttl 0s |
token_explicit_max_ttl 0s |
||
Строка 206: | Строка 207: | ||
token_num_uses 0 |
token_num_uses 0 |
||
token_period 0s |
token_period 0s |
||
− | token_policies [default etcd.master |
+ | token_policies [default etcd.master.az2.k8s.cluster.home-client-and-server-policy] |
token_ttl 0s |
token_ttl 0s |
||
token_type default |
token_type default |
||
− | path "k8s_pki_intermediate_ca_for_service_etcd/ |
+ | path "k8s_pki_intermediate_ca_for_service_etcd/issue/etcd.master.az3.k8s.cluster.home-client-and-server-role" |
{ |
{ |
||
capabilities = ["read", "create", "list", "update"] |
capabilities = ["read", "create", "list", "update"] |
||
Строка 215: | Строка 216: | ||
Key Value |
Key Value |
||
--- ----- |
--- ----- |
||
− | policies [default etcd.master |
+ | policies [default etcd.master.az3.k8s.cluster.home-client-and-server-policy] |
token_bound_cidrs [] |
token_bound_cidrs [] |
||
token_explicit_max_ttl 0s |
token_explicit_max_ttl 0s |
||
Строка 222: | Строка 223: | ||
token_num_uses 0 |
token_num_uses 0 |
||
token_period 0s |
token_period 0s |
||
− | token_policies [default etcd.master |
+ | token_policies [default etcd.master.az3.k8s.cluster.home-client-and-server-policy] |
token_ttl 0s |
token_ttl 0s |
||
token_type default |
token_type default |
||
+ | |||
</PRE> |
</PRE> |
||
}} |
}} |
||
+ | =Получение серверного сертификата (для соединения с между серверами, peer-to-peer)= |
||
− | =Получения сертефикатов= |
||
* Получать непосредственно на нодах |
* Получать непосредственно на нодах |
||
+ | * на нодах меняются домены, роли и пользователи |
||
− | =Получение серверного сертефиката= |
||
+ | |||
+ | Запускать на всех трех нодах, путь <code>/etc/etcd/certs/server</code> один и тот же, <br> |
||
+ | сразу делать бандл из сертификата и промежуточного СА |
||
+ | |||
+ | <br> |
||
+ | Стараемся делать путь и имена файлов одинаковыми что-бы конфиги отличались минимально |
||
+ | |||
<PRE> |
<PRE> |
||
+ | #!/bin/bash |
||
+ | |||
+ | PKI_NAME="k8s_pki_intermediate_ca_for_service_etcd" |
||
+ | CERTS_PATH="/etc/etcd/certs/server" |
||
+ | mkdir -p ${CERTS_PATH} |
||
+ | |||
+ | AZ=1 |
||
+ | DOMAIN="etcd.master.az${AZ}.k8s.cluster.home" |
||
+ | NAME="${DOMAIN}-client-and-server" |
||
+ | |||
vault \ |
vault \ |
||
login \ |
login \ |
||
-method=userpass \ |
-method=userpass \ |
||
− | username= |
+ | username="${NAME}-user" \ |
− | password= |
+ | password="${NAME}-password" |
+ | |||
+ | echo "========" |
||
+ | vault \ |
||
+ | write \ |
||
+ | -format=json \ |
||
+ | ${PKI_NAME}/issue/${NAME}-role \ |
||
+ | common_name="${DOMAIN}" \ |
||
+ | ttl="43800h" \ |
||
+ | > ${CERTS_PATH}/${DOMAIN}.crt.json |
||
+ | |||
+ | cat \ |
||
+ | ${CERTS_PATH}/${DOMAIN}.crt.json \ |
||
+ | | jq -r '.data.private_key' > ${CERTS_PATH}/${DOMAIN}.key |
||
+ | |||
+ | cat \ |
||
+ | ${CERTS_PATH}/${DOMAIN}.crt.json \ |
||
+ | | jq -r '.data.certificate' > ${CERTS_PATH}/${DOMAIN}.pem |
||
+ | |||
+ | cat \ |
||
+ | ${CERTS_PATH}/${DOMAIN}.crt.json \ |
||
+ | | jq -r '.data.ca_chain[]' >> ${CERTS_PATH}/${DOMAIN}.pem |
||
+ | |||
+ | ln -sf ${CERTS_PATH}/${DOMAIN}.key ${CERTS_PATH}/etcd-server-key.pem |
||
+ | ln -sf ${CERTS_PATH}/${DOMAIN}.pem ${CERTS_PATH}/etcd-server-crt.pem |
||
</PRE> |
</PRE> |
||
+ | |||
<PRE> |
<PRE> |
||
Key Value |
Key Value |
||
--- ----- |
--- ----- |
||
− | token s. |
+ | token s.7DfyaDzZZOb9fkV4NU8xR0Gw |
− | token_accessor |
+ | token_accessor cChs7RffaXPyrtLVmV9VGW8b |
token_duration 768h |
token_duration 768h |
||
token_renewable true |
token_renewable true |
||
− | token_policies ["default" " |
+ | token_policies ["default" "etcd.master.az1.k8s.cluster.home-client-and-server-policy"] |
identity_policies [] |
identity_policies [] |
||
− | policies ["default" " |
+ | policies ["default" "etcd.master.az1.k8s.cluster.home-client-and-server-policy"] |
− | token_meta_username |
+ | token_meta_username etcd.master.az1.k8s.cluster.home-client-and-server-user |
+ | ======== |
||
</PRE> |
</PRE> |
||
+ | |||
− | ===Получение сертефиката=== |
||
+ | =Вернуться к настройке <code>ETCd</code>= |
||
− | * Получаем сертификат для тестового домена - '''vault.example.home''' и Alt Name '''pki.example.home''' |
||
+ | В этом месте уже есть все сертификаты для того что бы запустить <code>etcd</code> с peer-to-peer SSL<BR> |
||
+ | Можно вернуться от выписывания сертификатов к [[Kubernetes_the_hard_way_etcd_setup#Peer-to-Peer_SSL|настройке ETCd]] |
||
+ | |||
+ | =Роли и пользователи для client-server сертификатов= |
||
+ | |||
+ | |||
+ | * Для сертефиката который будет "клиентский-серверный": |
||
+ | ==Роли для клиент-серверного SSL== |
||
<PRE> |
<PRE> |
||
+ | #!/bin/bash |
||
− | vault \ |
||
+ | |||
− | write \ |
||
+ | source ./00_env |
||
− | -format=json \ |
||
+ | |||
− | ${PKI_NAME}/issue/example-dot-home-server-crt \ |
||
+ | |||
− | common_name="vault.example.home" \ |
||
+ | for AZ in $(seq 1 3); |
||
− | alt_names="pki.example.home" \ |
||
+ | do |
||
− | ttl="43800h" > vault.example.home.crt |
||
+ | DOMAIN="etcd.master.az${AZ}.k8s.cluster.home" |
||
+ | NAME="${DOMAIN}-server" |
||
+ | |||
+ | |||
+ | vault \ |
||
+ | write \ |
||
+ | ${PKI_NAME}/roles/${NAME}-role \ |
||
+ | country="Ukraine" \ |
||
+ | locality="Kharkov" \ |
||
+ | street_address="Lui Pastera st 322 app. 311"\ |
||
+ | postal_code="61172" \ |
||
+ | organization="Home Network" \ |
||
+ | ou="IT" \ |
||
+ | allowed_domains="${DOMAIN},etcd.k8s.cluster.home" \ |
||
+ | allow_subdomains=false \ |
||
+ | max_ttl="87600h" \ |
||
+ | key_bits="2048" \ |
||
+ | key_type="rsa" \ |
||
+ | allow_any_name=false \ |
||
+ | allow_bare_domains=true \ |
||
+ | allow_glob_domain=false \ |
||
+ | allow_ip_sans=true \ |
||
+ | allow_localhost=false \ |
||
+ | client_flag=true \ |
||
+ | server_flag=true \ |
||
+ | enforce_hostnames=true \ |
||
+ | key_usage="DigitalSignature,KeyEncipherment" \ |
||
+ | ext_key_usage="ServerAuth" \ |
||
+ | require_cn=true |
||
+ | done |
||
</PRE> |
</PRE> |
||
+ | <big>'''ВНЕЗАПНО'''</big> оказалось что с новой версией etcd пришлось |
||
+ | * client_flag=true |
||
+ | * server_flag=true |
||
+ | * ext_key_usage="ServerAuth" |
||
+ | У меня нет пояснения почему так - в прошлых версиях <code>client_flag=true</code> не требовался а сейчас возникает ошибка<br> |
||
+ | <code> |
||
− | ===Проверка полученного сертефиката=== |
||
+ | WARNING: 2022/10/12 16:21:53 grpc: addrConn.createTransport failed to connect to {10.0.11.1:2379 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: remote error: tls: bad certificate". Reconnecting... |
||
− | Результат в файле: |
||
− | < |
+ | </code> |
+ | |||
− | cat vault.example.home.crt |
||
+ | ==Создание политики, пользователя и привязка политики к пользователю== |
||
− | </PRE> |
||
− | Сокращенный вывод: |
||
<PRE> |
<PRE> |
||
+ | #!/bin/bash |
||
+ | |||
+ | source ./00_env |
||
+ | |||
+ | |||
+ | for AZ in $(seq 1 3); |
||
+ | do |
||
+ | DOMAIN="etcd.master.az${AZ}.k8s.cluster.home" |
||
+ | NAME="${DOMAIN}-server" |
||
+ | |||
+ | cat << EOF > ${NAME}-policy.hlc |
||
+ | path "${PKI_NAME}/issue/${NAME}-role" |
||
{ |
{ |
||
+ | capabilities = ["read", "create", "list", "update"] |
||
− | "request_id": "d2ff6e16-1bf6-730a-f4d1-2aefa2fcbb3e", |
||
− | "lease_id": "", |
||
− | "lease_duration": 0, |
||
− | "renewable": false, |
||
− | "data": { |
||
− | "ca_chain": [ |
||
− | "-----BEGIN CERTIFICATE-----rCdewvVGkgifREEGI2GltrDrH6rMugtVjuNAWzW40pVLKl/+0/Jv87wAv\nfITqQgiqa0FjitvfYQO2qIxSCJkt+kD3Vg==\n-----END CERTIFICATE-----" |
||
− | ], |
||
− | "certificate": "-----BEGIN CERTIFICATE-----m35waa9ld+hkNIcf/1qR4Gvwae9w0\n-----END CERTIFICATE-----", |
||
− | "expiration": 1822736540, |
||
− | "issuing_ca": "-----BEGIN CERTIFICATE-----rCdewvVGkgifREEGI2GltrDrH6rMugtVjuNAWzW40pVLKl/+0/Jv87wAv\nfITqQgiqa0FjitvfYQO2qIxSCJkt+kD3Vg==\n-----END CERTIFICATE-----", |
||
− | "private_key": "-----BEGIN RSA PRIVATE KEY-----vNhpK6RKn2b4EExuuZTRAcPEV3ddhOOoZpyy48WVEF5Iq3s+7/NZOq66poZUz17z\nwhRJIuic/EzYBnmKy0T4wdCyhkqLVGHIvH+412cJ5eqyHeMQbzG+oA==\n-----END RSA PRIVATE KEY-----", |
||
− | "private_key_type": "rsa", |
||
− | "serial_number": "28:ac:20:32:fe:46:b2:78:61:11:f0:46:da:e7:d2:cf:02:fc:4f:f1" |
||
− | }, |
||
− | "warnings": null |
||
} |
} |
||
+ | EOF |
||
+ | |||
+ | vault \ |
||
+ | policy \ |
||
+ | write \ |
||
+ | ${NAME}-policy \ |
||
+ | ${NAME}-policy.hlc |
||
+ | vault \ |
||
+ | write \ |
||
+ | auth/userpass/users/${NAME}-user \ |
||
+ | password=${NAME}-password \ |
||
+ | policies=" ${NAME}-policy,default" |
||
+ | done |
||
</PRE> |
</PRE> |
||
+ | ==Просмотр созданных политик== |
||
− | {{#spoiler:show=Полный вывод результатов| |
||
<PRE> |
<PRE> |
||
− | { |
||
− | "request_id": "d2ff6e16-1bf6-730a-f4d1-2aefa2fcbb3e", |
||
− | "lease_id": "", |
||
− | "lease_duration": 0, |
||
− | "renewable": false, |
||
− | "data": { |
||
− | "ca_chain": [ |
||
− | "-----BEGIN CERTIFICATE-----\nMIIE9TCCA92gAwIBAgIUNQ7Ve4VVV9OZ7Sw1x9vTmaybowEwDQYJKoZIhvcNAQEL\nBQAwgcAxEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxLTAPBgNV\nBAkTCGFwcC4gMTMxMBoGA1UECRMTTHVpIFBhc3RlcmEgU3QuIDMyMjEOMAwGA1UE\nERMFNjExNzIxFTATBgNVBAoTDEhvbWUgTmV0d29yazELMAkGA1UECxMCSVQxNzA1\nBgNVBAMTLlJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IGZvciBIb21lIE5ldHdv\ncmsgdjIwHhcNMjIxMDAzMTU1MzA1WhcNNDIwOTI4MTU1MzM1WjCBtjEQMA4GA1UE\nBhMHVWtyYWluZTEQMA4GA1UEBxMHS2hhcmtvdjElMCMGA1UECRMcTHVpIFBhc3Rl\ncmEgc3QuIDMyMiBhcHAuIDEzMTEOMAwGA1UEERMFNjExNzIxITAfBgNVBAoTGEs4\ncyBUaGUgSGFyZGVzdCBXYXkgTGFiczELMAkGA1UECxMCSVQxKTAnBgNVBAMTIElu\ndGVybWVkaWF0ZSBDQSBmb3Igc2VydmljZSBFVENkMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEAwwQ18ClZM9ujioj2RLDf7a9iIM2zZ6yYFSKWx8cE31TF\nJs2a5HvmCSP7uavQCBefCsOf9UXLiVXEhw7lfq61h2Q5BAWYxZecftGncPKVZMXI\nxPy8b49Xu06TylZtARDsPCcEeUYPJ3G0lS70PI8iJny3UfqxgGakP19aS7Z6YFVI\nqRXfMuL+zuShVjQ9JxzgmWKgQOZuySNiZEofPFQBB9iIiNcBS/x3r1IckkyF5lyl\n4R6fhhsoTPzRYq0PMoCoO1bnftFzEYYMHH8UWLv/F1O0MVSZ6ThtgYHp20pHO+af\ndfsrEBbzFlKjk8uTmmdYStY9PF0/QqDYW2Vfcbo+VwIDAQABo4HuMIHrMA4GA1Ud\nDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRgQTF5WJCpY2LC\nJv2PArYHGh1cUDAfBgNVHSMEGDAWgBQC+IUrdfjhHGkoMDIhLYZxr6vsPDBIBggr\nBgEFBQcBAQQ8MDowOAYIKwYBBQUHMAKGLGh0dHA6Ly92YXVsdC5ob21lOjgyMDAv\ndjEvazhzX3BraV9yb290X2NhL2NhMD4GA1UdHwQ3MDUwM6AxoC+GLWh0dHA6Ly92\nYXVsdC5ob21lOjgyMDAvdjEvazhzX3BraV9yb290X2NhL2NybDANBgkqhkiG9w0B\nAQsFAAOCAQEAZfidbG1qFNM3Mq7B3ibzyJ/mFV+DI1pnhWdJ26CEf6WAdTh4+Zrk\nUHwClcUfnVNJZSakf1bSsbn3YINzYfFrJjllv4xvgZSC/iOhDO5k27Zlouc3EgIU\nSyt267CXl6D45Q6qkFilBZiJ/npMXrvOKxSY+SeFtI6mvXthJ5YbJvmq8AWlgfxf\nGjNGpB4p7UZzQ5x3mBS3nsugH8qjFD8BDHsCmiemFVtJw/QkECxvJqkxtY5VEffo\nJmW5CxYrCdewvVGkgifREEGI2GltrDrH6rMugtVjuNAWzW40pVLKl/+0/Jv87wAv\nfITqQgiqa0FjitvfYQO2qIxSCJkt+kD3Vg==\n-----END CERTIFICATE-----" |
||
− | ], |
||
− | "certificate": "-----BEGIN CERTIFICATE-----\nMIIFOTCCBCGgAwIBAgIUKKwgMv5GsnhhEfBG2ufSzwL8T/EwDQYJKoZIhvcNAQEL\nBQAwgbYxEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxJTAjBgNV\nBAkTHEx1aSBQYXN0ZXJhIHN0LiAzMjIgYXBwLiAxMzExDjAMBgNVBBETBTYxMTcy\nMSEwHwYDVQQKExhLOHMgVGhlIEhhcmRlc3QgV2F5IExhYnMxCzAJBgNVBAsTAklU\nMSkwJwYDVQQDEyBJbnRlcm1lZGlhdGUgQ0EgZm9yIHNlcnZpY2UgRVRDZDAeFw0y\nMjEwMDYxMTQxNTRaFw0yNzEwMDUxMTQyMjBaMIGbMRAwDgYDVQQGEwdVa3JhaW5l\nMRAwDgYDVQQHEwdLaGFya292MSQwIgYDVQQJExtMdWkgUGFzdGVyYSBzdCAzMjIg\nYXBwLiAzMTExDjAMBgNVBBETBTYxMTcyMRUwEwYDVQQKEwxIb21lIE5ldHdvcmsx\nCzAJBgNVBAsTAklUMRswGQYDVQQDExJ2YXVsdC5leGFtcGxlLmhvbWUwggEiMA0G\nCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtTjglMxGwqqsaF3+O38oyzNXVN1Br\nv2UnsUDPr9BIDqI/dZgo+d3p5U6my7KfVkaMi+Q3GS9ml3DujB0DtGYanhxzX+Ew\nZPwz26nvwjajSoCZb1X7QonxANbXJhaJGS5MwvDUoGvTlzZgoB4GdI/KUzJ2Gxvy\n7xkG0wqIlyyMfRI/NBSfjKy0le8gflXgs7i8UlEKcaCqDtktoQbI8S95uuRMVONy\n/BpDnPY1kt7B5qWiZQ5wzzTLT5+eDoDQxqLBDgGCezaz9HNeikPexUtzrEXSc4yr\nLmCssE6EF7ieeDYv9Geyagx42qilJFW3TuWAErnSaClehdN6Pgbo5+YnAgMBAAGj\nggFWMIIBUjAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHQYD\nVR0OBBYEFExMIsFEaCXQa6p/q1yOFvW3vN+vMB8GA1UdIwQYMBaAFGBBMXlYkKlj\nYsIm/Y8CtgcaHVxQMGEGCCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDov\nL3ZhdWx0LmhvbWU6ODIwMC92MS9rOHNfcGtpX2ludGVybWVkaWF0ZV9jYV9mb3Jf\nc2VydmljZV9ldGNkL2NhMC8GA1UdEQQoMCaCEHBraS5leGFtcGxlLmhvbWWCEnZh\ndWx0LmV4YW1wbGUuaG9tZTBXBgNVHR8EUDBOMEygSqBIhkZodHRwOi8vdmF1bHQu\naG9tZTo4MjAwL3YxL2s4c19wa2lfaW50ZXJtZWRpYXRlX2NhX2Zvcl9zZXJ2aWNl\nX2V0Y2QvY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB67vlaiNztDbH3JpfZ+pjns0Ph\nb/rkPE3f/CY2+F5zaDlq15lTGRYG7CV8s3/GH/sSYegwfPqvEEgaM7fz+PTEKL85\nQkFgZht6LVpPd6MZ8aptwaRhlW3dSIxtjtYUVfhhTV1y0YcuntTDyoQUv7Ekoq+s\nvZLlwFcZ1Sg2vP/aZ+gYzcZvId3ssXWIYMPV+4vPkeBFMIn8mfy0MmwvJ2HcEKWL\nRD9Q4ECcbdbBi8ZNeeGcbkYWe90+90ZfUaD1pA7XsOg70S65Rf1gtrqNZT2twfgu\nh6ZhLtDoLvXRO75DKgzT1x28x07PYDHm35waa9ld+hkNIcf/1qR4Gvwae9w0\n-----END CERTIFICATE-----", |
||
− | "expiration": 1822736540, |
||
− | "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIE9TCCA92gAwIBAgIUNQ7Ve4VVV9OZ7Sw1x9vTmaybowEwDQYJKoZIhvcNAQEL\nBQAwgcAxEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxLTAPBgNV\nBAkTCGFwcC4gMTMxMBoGA1UECRMTTHVpIFBhc3RlcmEgU3QuIDMyMjEOMAwGA1UE\nERMFNjExNzIxFTATBgNVBAoTDEhvbWUgTmV0d29yazELMAkGA1UECxMCSVQxNzA1\nBgNVBAMTLlJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IGZvciBIb21lIE5ldHdv\ncmsgdjIwHhcNMjIxMDAzMTU1MzA1WhcNNDIwOTI4MTU1MzM1WjCBtjEQMA4GA1UE\nBhMHVWtyYWluZTEQMA4GA1UEBxMHS2hhcmtvdjElMCMGA1UECRMcTHVpIFBhc3Rl\ncmEgc3QuIDMyMiBhcHAuIDEzMTEOMAwGA1UEERMFNjExNzIxITAfBgNVBAoTGEs4\ncyBUaGUgSGFyZGVzdCBXYXkgTGFiczELMAkGA1UECxMCSVQxKTAnBgNVBAMTIElu\ndGVybWVkaWF0ZSBDQSBmb3Igc2VydmljZSBFVENkMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEAwwQ18ClZM9ujioj2RLDf7a9iIM2zZ6yYFSKWx8cE31TF\nJs2a5HvmCSP7uavQCBefCsOf9UXLiVXEhw7lfq61h2Q5BAWYxZecftGncPKVZMXI\nxPy8b49Xu06TylZtARDsPCcEeUYPJ3G0lS70PI8iJny3UfqxgGakP19aS7Z6YFVI\nqRXfMuL+zuShVjQ9JxzgmWKgQOZuySNiZEofPFQBB9iIiNcBS/x3r1IckkyF5lyl\n4R6fhhsoTPzRYq0PMoCoO1bnftFzEYYMHH8UWLv/F1O0MVSZ6ThtgYHp20pHO+af\ndfsrEBbzFlKjk8uTmmdYStY9PF0/QqDYW2Vfcbo+VwIDAQABo4HuMIHrMA4GA1Ud\nDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRgQTF5WJCpY2LC\nJv2PArYHGh1cUDAfBgNVHSMEGDAWgBQC+IUrdfjhHGkoMDIhLYZxr6vsPDBIBggr\nBgEFBQcBAQQ8MDowOAYIKwYBBQUHMAKGLGh0dHA6Ly92YXVsdC5ob21lOjgyMDAv\ndjEvazhzX3BraV9yb290X2NhL2NhMD4GA1UdHwQ3MDUwM6AxoC+GLWh0dHA6Ly92\nYXVsdC5ob21lOjgyMDAvdjEvazhzX3BraV9yb290X2NhL2NybDANBgkqhkiG9w0B\nAQsFAAOCAQEAZfidbG1qFNM3Mq7B3ibzyJ/mFV+DI1pnhWdJ26CEf6WAdTh4+Zrk\nUHwClcUfnVNJZSakf1bSsbn3YINzYfFrJjllv4xvgZSC/iOhDO5k27Zlouc3EgIU\nSyt267CXl6D45Q6qkFilBZiJ/npMXrvOKxSY+SeFtI6mvXthJ5YbJvmq8AWlgfxf\nGjNGpB4p7UZzQ5x3mBS3nsugH8qjFD8BDHsCmiemFVtJw/QkECxvJqkxtY5VEffo\nJmW5CxYrCdewvVGkgifREEGI2GltrDrH6rMugtVjuNAWzW40pVLKl/+0/Jv87wAv\nfITqQgiqa0FjitvfYQO2qIxSCJkt+kD3Vg==\n-----END CERTIFICATE-----", |
||
− | "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEArU44JTMRsKqrGhd/jt/KMszV1TdQa79lJ7FAz6/QSA6iP3WY\nKPnd6eVOpsuyn1ZGjIvkNxkvZpdw7owdA7RmGp4cc1/hMGT8M9up78I2o0qAmW9V\n+0KJ8QDW1yYWiRkuTMLw1KBr05c2YKAeBnSPylMydhsb8u8ZBtMKiJcsjH0SPzQU\nn4ystJXvIH5V4LO4vFJRCnGgqg7ZLaEGyPEvebrkTFTjcvwaQ5z2NZLewealomUO\ncM80y0+fng6A0MaiwQ4Bgns2s/RzXopD3sVLc6xF0nOMqy5grLBOhBe4nng2L/Rn\nsmoMeNqopSRVt07lgBK50mgpXoXTej4G6OfmJwIDAQABAoIBAGO5rvU4/eT7UJoj\nC3Pbsy6oUCPxQIXADSVaCkF4mhHc2eBKetSZc+kz2p6AeLjXnKEjnp9WDsCqRIIA\nfnGzTU3jzdtWQO7oLXhp3s/ooig0puuj9YYwM9BK+1WyxST/KHVjd9Hivilzygaw\nHJb6XAPA/DiaQOr6SxxyNI2E8E2meH35efKv4bpAnNiU1k5VVNm38XWRqdU3Pjdc\n8Rl+50YsLG06DqEsAqiXzobU9+YRitQFXErBBe1EmYkIf5sTpg8ZW552d5IdTK7V\nlJsspNxgroidSb7DiYwDA9+4JurqlAaZwVb6AgrlXyqaFCtUj7BWlObjY4aeQE2h\n8+LjbgECgYEA0QVokrbb/89gNg3mVmlJFhvsyp+rQyAe3KKvo0c35+n8Cv1HmUtn\nABLPg4xDE8ZXILonk53N5AEy1PYEKL7JwlgpXorgIbzaI4AwWh9qwn7NZDJV2zYC\nKUev8MY1UkogiKOctfP6jFkAhe2FbchVyPpPkLQxQaiuF7woyA6zyhECgYEA1EHR\npQRR05ns538WGtC5ytHWTDe0qmPOnn5gcSXyL/VGYTpfGmW+yJde1PcN+3Ukh5Wx\nediQBylnJSWVM3GLei/ETk4MG1Cs1q7fRBuqeUFL2rhBoMIWw2Y4MaBeY+tNzSWA\nXsJEwSZtWJbdlXWzveM8OmeUkS/Neg9PV8znNLcCgYAbkZ8NWtkBkJScDJFI7HIb\nXGuK/ixUmjP33e1Ul9wj1pTLzkRXT76yH8kHDMT8IrjzNBpsOfAiFpZhyGEcDq4F\n2CL8uUx+pq4O6KV3/ZTTOm5UvN7eHu2CDFaEZ2A5DlXkL9BHn3p4cHTFNWLX7AiE\njZ9Y8qtcgacUslieqnHEQQKBgQCkBCBN1WKtkloAILIiEnwe/7sKtlkC+ZDl5F39\n0QaujGfQJdzrdwfP1ThQdH/3eXO62a+EqhXRkurDR6FdWTYgOt0EbUbprJOCaSrZ\nZE981zoYTx1XbeNNJqXxoyyNJXy/M2VY0+FxJ5KDTED5hzRXXUpjDzs8XaX31fDH\ntexLTQKBgQCwhsWc0rA8tE1C4vjp5qAKsZxB7WNOLmkMxyU9Iw5tC3dHnwxUJZkA\nvNhpK6RKn2b4EExuuZTRAcPEV3ddhOOoZpyy48WVEF5Iq3s+7/NZOq66poZUz17z\nwhRJIuic/EzYBnmKy0T4wdCyhkqLVGHIvH+412cJ5eqyHeMQbzG+oA==\n-----END RSA PRIVATE KEY-----", |
||
− | "private_key_type": "rsa", |
||
− | "serial_number": "28:ac:20:32:fe:46:b2:78:61:11:f0:46:da:e7:d2:cf:02:fc:4f:f1" |
||
− | }, |
||
− | "warnings": null |
||
− | </PRE> |
||
− | }} |
||
− | Из JSON можно выделить отдельные поля |
||
− | <PRE> |
||
− | cat vault.example.home.crt | jq -r .data.ca_chain[] > vault.example.home.ca_chain.pem |
||
− | cat vault.example.home.crt | jq -r .data.certificate > vault.example.home.certificate.pem |
||
− | cat vault.example.home.crt | jq -r .data.issuing_ca > vault.example.home.issuing_ca.pem |
||
− | </PRE> |
||
+ | #!/bin/bash |
||
− | ====Сертификат сервера==== |
||
− | Наиболее интересные поля - ожидаемые значения: |
||
+ | source ./00_env |
||
− | * CN = '''vault.example.home''' |
||
− | * X509v3 Subject Alternative Name: DNS:pki.example.home, DNS:vault.example.home |
||
− | * IP адреса в AltNames не присутвуют |
||
+ | echo "---------ROLES---------------------" |
||
− | <PRE> |
||
+ | vault \ |
||
− | openssl x509 -in vault.example.home.certificate.pem -text -noout |
||
+ | list \ |
||
− | </PRE> |
||
+ | ${PKI_NAME}/roles |
||
− | <PRE> |
||
+ | echo "---------USERS---------------------" |
||
− | Certificate: |
||
+ | vault \ |
||
− | Data: |
||
+ | list \ |
||
− | Version: 3 (0x2) |
||
− | + | auth/userpass/users |
|
+ | echo "------------------------------" |
||
− | 28:ac:20:32:fe:46:b2:78:61:11:f0:46:da:e7:d2:cf:02:fc:4f:f1 |
||
− | Signature Algorithm: sha256WithRSAEncryption |
||
− | Issuer: C = Ukraine, L = Kharkov, street = Lui Pastera st. 322 app. 131, postalCode = 61172, O = K8s The Hardest Way Labs, OU = IT, CN = Intermediate CA for service ETCd |
||
− | Validity |
||
− | Not Before: Oct 6 11:41:54 2022 GMT |
||
− | Not After : Oct 5 11:42:20 2027 GMT |
||
− | Subject: C = Ukraine, L = Kharkov, street = Lui Pastera st 322 app. 311, postalCode = 61172, O = Home Network, OU = IT, CN = vault.example.home |
||
− | Subject Public Key Info: |
||
− | Public Key Algorithm: rsaEncryption |
||
− | RSA Public-Key: (2048 bit) |
||
− | Modulus: |
||
− | 00:ad:4e:38:25:33:11:b0:aa:ab:1a:17:7f:8e:df: |
||
− | ... |
||
− | e5:80:12:b9:d2:68:29:5e:85:d3:7a:3e:06:e8:e7: |
||
− | e6:27 |
||
− | Exponent: 65537 (0x10001) |
||
− | X509v3 extensions: |
||
− | X509v3 Key Usage: critical |
||
− | Digital Signature, Key Encipherment |
||
− | X509v3 Extended Key Usage: |
||
− | TLS Web Server Authentication |
||
− | X509v3 Subject Key Identifier: |
||
− | 4C:4C:22:C1:44:68:25:D0:6B:AA:7F:AB:5C:8E:16:F5:B7:BC:DF:AF |
||
− | X509v3 Authority Key Identifier: |
||
− | keyid:60:41:31:79:58:90:A9:63:62:C2:26:FD:8F:02:B6:07:1A:1D:5C:50 |
||
+ | for AZ in $(seq 1 3); |
||
− | Authority Information Access: |
||
+ | do |
||
− | CA Issuers - URI:http://vault.home:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/ca |
||
+ | DOMAIN="etcd.master.az${AZ}.k8s.cluster.home" |
||
+ | NAME="${DOMAIN}-client-and-server" |
||
+ | vault \ |
||
+ | policy \ |
||
+ | read \ |
||
+ | ${NAME}-policy |
||
+ | vault \ |
||
− | X509v3 Subject Alternative Name: |
||
+ | read \ |
||
− | DNS:pki.example.home, DNS:vault.example.home |
||
− | + | auth/userpass/users/${NAME}-user |
|
+ | done |
||
− | Full Name: |
||
− | URI:http://vault.home:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/crl |
||
− | Signature Algorithm: sha256WithRSAEncryption |
||
− | 7a:ee:f9:5a:88:dc:ed:0d:b1:f7:26:97:d9:fa:98:e7:b3:43: |
||
− | ... |
||
</PRE> |
</PRE> |
||
+ | {{#spoiler:show=Результат (много текста)| |
||
− | ====Промежуточный CA==== |
||
<PRE> |
<PRE> |
||
+ | ---------ROLES--------------------- |
||
− | openssl x509 -in vault.example.home.issuing_ca.pem -text -noout |
||
+ | Keys |
||
+ | ---- |
||
+ | etcd.master.az1.k8s.cluster.home-client-and-server-role |
||
+ | etcd.master.az1.k8s.cluster.home-server-role |
||
+ | etcd.master.az2.k8s.cluster.home-client-and-server-role |
||
+ | etcd.master.az2.k8s.cluster.home-server-role |
||
+ | etcd.master.az3.k8s.cluster.home-client-and-server-role |
||
+ | etcd.master.az3.k8s.cluster.home-server-role |
||
+ | example-dot-home-client-crt |
||
+ | example-dot-home-server-crt |
||
+ | ---------USERS--------------------- |
||
+ | Keys |
||
+ | ---- |
||
+ | etcd.master.az1.k8s.cluster.home-client-and-server-user |
||
+ | etcd.master.az1.k8s.cluster.home-server-user |
||
+ | etcd.master.az2.k8s.cluster.home-client-and-server-user |
||
+ | etcd.master.az2.k8s.cluster.home-server-user |
||
+ | etcd.master.az3.k8s.cluster.home-client-and-server-user |
||
+ | etcd.master.az3.k8s.cluster.home-server-user |
||
+ | example-dot-home-any-crt-user |
||
+ | example-dot-home-client-crt-user |
||
+ | example-dot-home-server-crt-user |
||
+ | vault-dot-home-server-crt-user |
||
+ | ------------------------------ |
||
+ | path "k8s_pki_intermediate_ca_for_service_etcd/issue/etcd.master.az1.k8s.cluster.home-client-and-server-role" |
||
+ | { |
||
+ | capabilities = ["read", "create", "list", "update"] |
||
+ | } |
||
+ | Key Value |
||
+ | --- ----- |
||
+ | policies [default etcd.master.az1.k8s.cluster.home-client-and-server-policy] |
||
+ | token_bound_cidrs [] |
||
+ | token_explicit_max_ttl 0s |
||
+ | token_max_ttl 0s |
||
+ | token_no_default_policy false |
||
+ | token_num_uses 0 |
||
+ | token_period 0s |
||
+ | token_policies [default etcd.master.az1.k8s.cluster.home-client-and-server-policy] |
||
+ | token_ttl 0s |
||
+ | token_type default |
||
+ | path "k8s_pki_intermediate_ca_for_service_etcd/issue/etcd.master.az2.k8s.cluster.home-client-and-server-role" |
||
+ | { |
||
+ | capabilities = ["read", "create", "list", "update"] |
||
+ | } |
||
+ | Key Value |
||
+ | --- ----- |
||
+ | policies [default etcd.master.az2.k8s.cluster.home-client-and-server-policy] |
||
+ | token_bound_cidrs [] |
||
+ | token_explicit_max_ttl 0s |
||
+ | token_max_ttl 0s |
||
+ | token_no_default_policy false |
||
+ | token_num_uses 0 |
||
+ | token_period 0s |
||
+ | token_policies [default etcd.master.az2.k8s.cluster.home-client-and-server-policy] |
||
+ | token_ttl 0s |
||
+ | token_type default |
||
+ | path "k8s_pki_intermediate_ca_for_service_etcd/issue/etcd.master.az3.k8s.cluster.home-client-and-server-role" |
||
+ | { |
||
+ | capabilities = ["read", "create", "list", "update"] |
||
+ | } |
||
+ | Key Value |
||
+ | --- ----- |
||
+ | policies [default etcd.master.az3.k8s.cluster.home-client-and-server-policy] |
||
+ | token_bound_cidrs [] |
||
+ | token_explicit_max_ttl 0s |
||
+ | token_max_ttl 0s |
||
+ | token_no_default_policy false |
||
+ | token_num_uses 0 |
||
+ | token_period 0s |
||
+ | token_policies [default etcd.master.az3.k8s.cluster.home-client-and-server-policy] |
||
+ | token_ttl 0s |
||
+ | token_type default |
||
</PRE> |
</PRE> |
||
+ | }} |
||
− | * Видно '''CN = Intermediate CA for service ETCd''', другими словами это промежуточный сертификат удостоверяющего центра (СА) для ETCd |
||
+ | |||
+ | =Получение серверного сертификата (для client-server соединений)= |
||
+ | * Получать непосредственно на нодах |
||
+ | * на нодах меняются домены, роли и пользователи |
||
+ | |||
+ | Запускать на всех трех нодах, путь <code>/etc/etcd/certs/server-to-client"</code> один и тот же, <br> |
||
+ | сразу делать бандл из сертификата и промежуточного СА. <br> |
||
+ | |||
+ | Внимательно следить - доменные имена и IP нужно подправить для каждой ноды! (AZ=1,2,3) |
||
<PRE> |
<PRE> |
||
+ | #!/bin/bash |
||
− | Certificate: |
||
− | Data: |
||
− | Version: 3 (0x2) |
||
− | Serial Number: |
||
− | 35:0e:d5:7b:85:55:57:d3:99:ed:2c:35:c7:db:d3:99:ac:9b:a3:01 |
||
− | Signature Algorithm: sha256WithRSAEncryption |
||
− | Issuer: C = Ukraine, L = Kharkov, street = app. 131 + street = Lui Pastera St. 322, postalCode = 61172, O = Home Network, OU = IT, CN = Root Certificate Authority for Home Network v2 |
||
− | Validity |
||
− | Not Before: Oct 3 15:53:05 2022 GMT |
||
− | Not After : Sep 28 15:53:35 2042 GMT |
||
− | Subject: C = Ukraine, L = Kharkov, street = Lui Pastera st. 322 app. 131, postalCode = 61172, O = K8s The Hardest Way Labs, OU = IT, CN = Intermediate CA for service ETCd |
||
− | Subject Public Key Info: |
||
− | Public Key Algorithm: rsaEncryption |
||
− | RSA Public-Key: (2048 bit) |
||
− | Modulus: |
||
− | 00:c3:04:35:f0:29:59:33:db:a3:8a:88:f6:44:b0: |
||
− | ... |
||
− | 58:4a:d6:3d:3c:5d:3f:42:a0:d8:5b:65:5f:71:ba: |
||
− | 3e:57 |
||
− | Exponent: 65537 (0x10001) |
||
− | X509v3 extensions: |
||
− | X509v3 Key Usage: critical |
||
− | Certificate Sign, CRL Sign |
||
− | X509v3 Basic Constraints: critical |
||
− | CA:TRUE |
||
− | X509v3 Subject Key Identifier: |
||
− | 60:41:31:79:58:90:A9:63:62:C2:26:FD:8F:02:B6:07:1A:1D:5C:50 |
||
− | X509v3 Authority Key Identifier: |
||
− | keyid:02:F8:85:2B:75:F8:E1:1C:69:28:30:32:21:2D:86:71:AF:AB:EC:3C |
||
+ | PKI_NAME="k8s_pki_intermediate_ca_for_service_etcd" |
||
− | Authority Information Access: |
||
+ | #!/bin/bash |
||
− | CA Issuers - URI:http://vault.home:8200/v1/k8s_pki_root_ca/ca |
||
+ | PKI_NAME="k8s_pki_intermediate_ca_for_service_etcd" |
||
− | X509v3 CRL Distribution Points: |
||
+ | CERTS_PATH="/etc/etcd/certs/server-to-client" |
||
+ | mkdir -p ${CERTS_PATH} |
||
+ | AZ=1 |
||
− | Full Name: |
||
+ | DOMAIN="etcd.master.az${AZ}.k8s.cluster.home" |
||
− | URI:http://vault.home:8200/v1/k8s_pki_root_ca/crl |
||
+ | BALANCER_DOMAIN="etcd.k8s.cluster.home" |
||
+ | NAME="${DOMAIN}-server" |
||
+ | IP="10.0.11.1" |
||
+ | vault \ |
||
− | Signature Algorithm: sha256WithRSAEncryption |
||
+ | login \ |
||
− | 65:f8:9d:6c:6d:6a:14:d3:37:32:ae:c1:de:26:f3:c8:9f:e6: |
||
+ | -method=userpass \ |
||
− | ... |
||
+ | username="${NAME}-user" \ |
||
− | 42:08:aa:6b:41:63:8a:db:df:61:03:b6:a8:8c:52:08:99:2d: |
||
+ | password="${NAME}-password" |
||
− | fa:40:f7:56 |
||
− | </PRE> |
||
− | ==== |
+ | echo "========" |
+ | vault \ |
||
− | Окончательная проверка цепочки доверия |
||
+ | write \ |
||
− | <br> |
||
+ | -format=json \ |
||
− | Корневой Сертификат → Промежуточный для СА Etcd → Тестовый Сертификат |
||
+ | ${PKI_NAME}/issue/${NAME}-role \ |
||
+ | common_name="${DOMAIN}" \ |
||
+ | alt_names="${DOMAIN},${BALANCER_DOMAIN}" \ |
||
+ | ip_sans="${IP}" \ |
||
+ | ca=false \ |
||
+ | ttl="43800h" \ |
||
+ | > ${CERTS_PATH}/${DOMAIN}.crt.json |
||
+ | cat \ |
||
+ | ${CERTS_PATH}/${DOMAIN}.crt.json \ |
||
+ | | jq -r '.data.private_key' > ${CERTS_PATH}/${DOMAIN}.key |
||
+ | cat \ |
||
− | * Корневой сертификат не является секретным (в отличие от ключа!) и его всегда можно скачать с Vault: |
||
+ | ${CERTS_PATH}/${DOMAIN}.crt.json \ |
||
− | <PRE> |
||
+ | | jq -r '.data.certificate' > ${CERTS_PATH}/${DOMAIN}.pem |
||
− | echo "-----BEGIN CERTIFICATE-----" > k8s_pki_root_ca.pem && \ |
||
− | curl "http://vault.home:8200/v1/k8s_pki_root_ca/ca" | base64 >> k8s_pki_root_ca.pem && \ |
||
− | echo "-----END CERTIFICATE-----" >> k8s_pki_root_ca.pem |
||
− | </PRE> |
||
− | * Указать промежуточный как untrusted (или добавить в доверенные) |
||
− | <PRE> |
||
− | openssl \ |
||
− | verify \ |
||
− | -verbose \ |
||
− | -CAfile k8s_pki_root_ca.pem \ |
||
− | -untrusted vault.example.home.issuing_ca.pem \ |
||
− | vault.example.home.certificate.pem |
||
− | </PRE> |
||
− | <PRE> |
||
− | vault.example.home.certificate.pem: OK |
||
− | </PRE> |
||
− | Однако в этой команде меня смущает слово '''-untrusted''' |
||
+ | cat \ |
||
− | Второй способ - это создание "бандла" (те поместить в один файл промежуточный CA а за ним сертификат) |
||
+ | ${CERTS_PATH}/${DOMAIN}.crt.json \ |
||
− | <PRE> |
||
+ | | jq -r '.data.ca_chain[]' >> ${CERTS_PATH}/${DOMAIN}.pem |
||
− | cat vault.example.home.issuing_ca.pem > vault.example.home.ca_bundle |
||
+ | |||
− | cat vault.example.home.certificate.pem >> vault.example.home.ca_bundle |
||
+ | ln -sf ${CERTS_PATH}/${DOMAIN}.key ${CERTS_PATH}/etcd-server-to-client-key.pem |
||
+ | ln -sf ${CERTS_PATH}/${DOMAIN}.pem ${CERTS_PATH}/etcd-server-to-client-crt.pem |
||
</PRE> |
</PRE> |
||
− | Теперь верификация проходит без беспокоящего '''-untrusted''' |
||
− | <PRE> |
||
− | openssl \ |
||
− | verify \ |
||
− | -verbose \ |
||
− | -CAfile k8s_pki_root_ca.pem \ |
||
− | vault.example.home.ca_bundle |
||
− | </PRE> |
||
− | <PRE> |
||
− | vault.example.home.ca_bundle: OK |
||
− | </PRE> |
||
− | ====Верефикация c nginx==== |
||
− | Для полноты картины создадим тестовый web-сервер и используем подписанный сертификат |
||
+ | =Вернуться к настройке <code>ETCd</code>= |
||
− | * Пример виртуалхоста |
||
+ | В этом месте уже есть все сертификаты для того что бы запустить <code>etcd</code> с client-server SSL<BR> |
||
− | * Путь к ключу и сертификату (ключ можно получить из оригинального вывода Vault при создании сертификата, |
||
+ | Можно вернуться от выписывания сертификатов к [[Kubernetes_the_hard_way_etcd_setup#Peer-to-Peer_SSL|настойке ETCd]] |
||
+ | |||
+ | |||
+ | |||
+ | |||
+ | =Роли и пользователи для клиентских сертификатов= |
||
+ | ==Роли для получения клиентских сертификатов== |
||
<PRE> |
<PRE> |
||
+ | #!/bin/bash |
||
− | ssl_certificate /etc/nginx/certs/vault.example.home.ca_bundle; |
||
+ | |||
− | ssl_certificate_key /etc/nginx/certs/vault.example.home.key; |
||
+ | source ./00_env |
||
+ | |||
+ | |||
+ | for AZ in $(seq 1 3); |
||
+ | do |
||
+ | DOMAIN="etcd.master.az${AZ}.k8s.cluster.home" |
||
+ | NAME="${DOMAIN}-client" |
||
+ | |||
+ | |||
+ | vault \ |
||
+ | write \ |
||
+ | ${PKI_NAME}/roles/${NAME}-role \ |
||
+ | country="Ukraine" \ |
||
+ | locality="Kharkov" \ |
||
+ | street_address="Lui Pastera st 322 app. 311"\ |
||
+ | postal_code="61172" \ |
||
+ | organization="Home Network" \ |
||
+ | ou="IT" \ |
||
+ | allow_subdomains=false \ |
||
+ | max_ttl="87600h" \ |
||
+ | key_bits="2048" \ |
||
+ | key_type="rsa" \ |
||
+ | allow_any_name=true \ |
||
+ | allow_bare_domains=true \ |
||
+ | allow_glob_domain=false \ |
||
+ | allow_ip_sans=true \ |
||
+ | allow_localhost=false \ |
||
+ | client_flag=true \ |
||
+ | server_flag=false \ |
||
+ | enforce_hostnames=true \ |
||
+ | key_usage="DigitalSignature,KeyEncipherment" \ |
||
+ | ext_key_usage="ClientAuth" \ |
||
+ | require_cn=true |
||
+ | done |
||
</PRE> |
</PRE> |
||
+ | ==Создание политики, пользователя и привязка политики к пользователю== |
||
− | '''Формат в nginx отличается''' - в файле /etc/nginx/certs/vault.example.home.ca_bundle СНАЧАЛА идет сертификат сервера, а потом - промежуточный сертификат (https://nginx.org/en/docs/http/configuring_https_servers.html) |
||
<PRE> |
<PRE> |
||
+ | #!/bin/bash |
||
− | * Полный конфиг |
||
− | server { |
||
− | listen 8203 default_server ssl; |
||
− | root /var/www/html; |
||
− | server_name vault.example.home; |
||
− | access_log /var/log/nginx/vault.example.home-access.log postdata; |
||
− | error_log /var/log/nginx/vault.example.home-error.log; |
||
+ | source ./00_env |
||
− | ssl_certificate /etc/nginx/certs/vault.example.home.ca_bundle; |
||
− | ssl_certificate_key /etc/nginx/certs/vault.example.home.key; |
||
− | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; |
||
− | ssl_ciphers HIGH:!aNULL:!MD5; |
||
+ | |||
− | location / { |
||
+ | for AZ in $(seq 1 3); |
||
− | client_body_buffer_size 64k; |
||
+ | do |
||
− | client_body_in_single_buffer on; |
||
+ | DOMAIN="etcd.master.az${AZ}.k8s.cluster.home" |
||
− | proxy_pass http://127.0.0.1:8200; |
||
+ | NAME="${DOMAIN}-client" |
||
− | proxy_set_header Host $host:$server_port; |
||
+ | |||
− | proxy_set_header X-Real-IP $remote_addr; |
||
+ | cat << EOF > ${NAME}-policy.hlc |
||
− | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
||
+ | path "${PKI_NAME}/issue/${NAME}-role" |
||
− | proxy_set_header X-Forwarded-Proto $scheme; |
||
+ | { |
||
− | proxy_http_version 1.1; |
||
+ | capabilities = ["read", "create", "list", "update"] |
||
− | proxy_request_buffering off; |
||
− | } |
||
} |
} |
||
+ | EOF |
||
− | </PRE> |
||
+ | vault \ |
||
− | Для того что бы проверить, нужно на том хосте откуда делается запрос добавить сертификат СА в доверенные |
||
+ | policy \ |
||
− | * в /usr/local/share/ca-certificates/extra положить СА (его всегда можно скачать) |
||
+ | write \ |
||
− | * запустить update-ca-certificates |
||
+ | ${NAME}-policy \ |
||
− | <PRE> |
||
+ | ${NAME}-policy.hlc |
||
− | # update-ca-certificates |
||
+ | vault \ |
||
− | </PRE> |
||
+ | write \ |
||
− | <PRE> |
||
+ | auth/userpass/users/${NAME}-user \ |
||
− | Updating certificates in /etc/ssl/certs... |
||
+ | password=${NAME}-password \ |
||
− | 1 added, 0 removed; done. |
||
+ | policies=" ${NAME}-policy,default" |
||
− | Running hooks in /etc/ca-certificates/update.d... |
||
+ | done |
||
− | Adding debian:k8s_pki_root_ca.pem |
||
− | done. |
||
− | done. |
||
</PRE> |
</PRE> |
||
+ | ==Просмотр созданных политик== |
||
− | После этого curl может подключиться без ошибок верефикации |
||
<PRE> |
<PRE> |
||
+ | #!/bin/bash |
||
− | curl -v https://vault.example.home:8203 |
||
− | </PRE> |
||
− | <PRE> |
||
− | * successfully set certificate verify locations: |
||
− | * CAfile: none |
||
− | CApath: /etc/ssl/certs |
||
− | * TLSv1.3 (OUT), TLS handshake, Client hello (1): |
||
− | * TLSv1.3 (IN), TLS handshake, Server hello (2): |
||
− | * TLSv1.2 (IN), TLS handshake, Certificate (11): |
||
− | * TLSv1.2 (IN), TLS handshake, Server key exchange (12): |
||
− | * TLSv1.2 (IN), TLS handshake, Server finished (14): |
||
− | * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): |
||
− | * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): |
||
− | * TLSv1.2 (OUT), TLS handshake, Finished (20): |
||
− | * TLSv1.2 (IN), TLS handshake, Finished (20): |
||
− | * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 |
||
− | * ALPN, server accepted to use http/1.1 |
||
− | * Server certificate: |
||
− | * subject: C=Ukraine; L=Kharkov; street=Lui Pastera st 322 app. 311; postalCode=61172; O=Home Network; OU=IT; CN=vault.example.home |
||
− | * start date: Oct 6 11:41:54 2022 GMT |
||
− | * expire date: Oct 5 11:42:20 2027 GMT |
||
− | * subjectAltName: host "vault.example.home" matched cert's "vault.example.home" |
||
− | * issuer: C=Ukraine; L=Kharkov; street=Lui Pastera st. 322 app. 131; postalCode=61172; O=K8s The Hardest Way Labs; OU=IT; CN=Intermediate CA for service ETCd |
||
− | * SSL certificate verify ok. |
||
− | > GET / HTTP/1.1 |
||
− | > Host: vault.example.home:8203 |
||
− | > User-Agent: curl/7.64.0 |
||
− | > Accept: */* |
||
− | > |
||
− | < HTTP/1.1 404 Not Found |
||
− | < Server: nginx/1.14.2 |
||
− | < Date: Fri, 07 Oct 2022 17:22:22 GMT |
||
− | < Content-Type: text/plain; charset=utf-8 |
||
− | < Content-Length: 19 |
||
− | < Connection: keep-alive |
||
− | < Cache-Control: no-store |
||
− | < X-Content-Type-Options: nosniff |
||
− | </PRE> |
||
− | Код 404 тут ожидаем так как нет задачи получить данные, а только проверить правильность настройки SSL |
||
− | ==Получение клиентского сертефиката== |
||
− | ====Проверка прав (негативный сценарий)==== |
||
− | С "серверным" пользователем - нет прав |
||
− | <PRE> |
||
source ./00_env |
source ./00_env |
||
+ | echo "---------ROLES---------------------" |
||
− | |||
vault \ |
vault \ |
||
− | + | list \ |
|
+ | ${PKI_NAME}/roles |
||
− | -method=userpass \ |
||
+ | echo "---------USERS---------------------" |
||
− | username=example-dot-home-server-crt-user \ |
||
+ | vault \ |
||
− | password=server |
||
+ | list \ |
||
− | </PRE> |
||
+ | auth/userpass/users |
||
− | <PRE> |
||
+ | echo "------------------------------" |
||
− | Success! You are now authenticated. The token information displayed below |
||
− | is already stored in the token helper. You do NOT need to run "vault login" |
||
− | again. Future Vault requests will automatically use this token. |
||
+ | for AZ in $(seq 1 3); |
||
− | Key Value |
||
+ | do |
||
− | --- ----- |
||
+ | DOMAIN="etcd.master.az${AZ}.k8s.cluster.home" |
||
− | token s.P9nYzZ3Pev2IeNKaUYvDIDdt |
||
+ | NAME="${DOMAIN}-client-and-server" |
||
− | token_accessor AbXtLIzNhYJRvv6paZr3U6cn |
||
+ | vault \ |
||
− | token_duration 768h |
||
− | + | policy \ |
|
+ | read \ |
||
− | token_policies ["default" "example-dot-home-server-crt-policy"] |
||
+ | ${NAME}-policy |
||
− | identity_policies [] |
||
+ | |||
− | policies ["default" "example-dot-home-server-crt-policy"] |
||
+ | vault \ |
||
− | token_meta_username example-dot-home-server-crt-user |
||
+ | read \ |
||
+ | auth/userpass/users/${NAME}-user |
||
+ | |||
+ | done |
||
</PRE> |
</PRE> |
||
+ | {{#spoiler:show=Результат (много текста)| |
||
<PRE> |
<PRE> |
||
+ | ---------ROLES--------------------- |
||
− | vault \ |
||
+ | Keys |
||
− | write \ |
||
+ | ---- |
||
− | -format=json \ |
||
+ | etcd.master.az1.k8s.cluster.home-client-and-server-role |
||
− | ${PKI_NAME}/issue/example-dot-home-client-crt \ |
||
+ | etcd.master.az1.k8s.cluster.home-client-role |
||
− | common_name="vault.example.home" \ |
||
+ | etcd.master.az1.k8s.cluster.home-server-role |
||
− | alt_names="pki.example.home" \ |
||
+ | etcd.master.az2.k8s.cluster.home-client-and-server-role |
||
− | ttl="43800h" > vault.example.home-client.crt |
||
+ | etcd.master.az2.k8s.cluster.home-client-role |
||
+ | etcd.master.az2.k8s.cluster.home-server-role |
||
+ | etcd.master.az3.k8s.cluster.home-client-and-server-role |
||
+ | etcd.master.az3.k8s.cluster.home-client-role |
||
+ | etcd.master.az3.k8s.cluster.home-server-role |
||
+ | example-dot-home-client-crt |
||
+ | example-dot-home-server-crt |
||
+ | ---------USERS--------------------- |
||
+ | Keys |
||
+ | ---- |
||
+ | etcd.master.az1.k8s.cluster.home-client-and-server-user |
||
+ | etcd.master.az1.k8s.cluster.home-client-user |
||
+ | etcd.master.az1.k8s.cluster.home-server-user |
||
+ | etcd.master.az2.k8s.cluster.home-client-and-server-user |
||
+ | etcd.master.az2.k8s.cluster.home-client-user |
||
+ | etcd.master.az2.k8s.cluster.home-server-user |
||
+ | etcd.master.az3.k8s.cluster.home-client-and-server-user |
||
+ | etcd.master.az3.k8s.cluster.home-client-user |
||
+ | etcd.master.az3.k8s.cluster.home-server-user |
||
+ | example-dot-home-any-crt-user |
||
+ | example-dot-home-client-crt-user |
||
+ | example-dot-home-server-crt-user |
||
+ | vault-dot-home-server-crt-user |
||
+ | ------------------------------ |
||
+ | path "k8s_pki_intermediate_ca_for_service_etcd/issue/etcd.master.az1.k8s.cluster.home-client-and-server-role" |
||
+ | { |
||
+ | capabilities = ["read", "create", "list", "update"] |
||
+ | } |
||
+ | Key Value |
||
+ | --- ----- |
||
+ | policies [default etcd.master.az1.k8s.cluster.home-client-and-server-policy] |
||
+ | token_bound_cidrs [] |
||
+ | token_explicit_max_ttl 0s |
||
+ | token_max_ttl 0s |
||
+ | token_no_default_policy false |
||
+ | token_num_uses 0 |
||
+ | token_period 0s |
||
+ | token_policies [default etcd.master.az1.k8s.cluster.home-client-and-server-policy] |
||
+ | token_ttl 0s |
||
+ | token_type default |
||
+ | path "k8s_pki_intermediate_ca_for_service_etcd/issue/etcd.master.az2.k8s.cluster.home-client-and-server-role" |
||
+ | { |
||
+ | capabilities = ["read", "create", "list", "update"] |
||
+ | } |
||
+ | Key Value |
||
+ | --- ----- |
||
+ | policies [default etcd.master.az2.k8s.cluster.home-client-and-server-policy] |
||
+ | token_bound_cidrs [] |
||
+ | token_explicit_max_ttl 0s |
||
+ | token_max_ttl 0s |
||
+ | token_no_default_policy false |
||
+ | token_num_uses 0 |
||
+ | token_period 0s |
||
+ | token_policies [default etcd.master.az2.k8s.cluster.home-client-and-server-policy] |
||
+ | token_ttl 0s |
||
+ | token_type default |
||
+ | path "k8s_pki_intermediate_ca_for_service_etcd/issue/etcd.master.az3.k8s.cluster.home-client-and-server-role" |
||
+ | { |
||
+ | capabilities = ["read", "create", "list", "update"] |
||
+ | } |
||
+ | Key Value |
||
+ | --- ----- |
||
+ | policies [default etcd.master.az3.k8s.cluster.home-client-and-server-policy] |
||
+ | token_bound_cidrs [] |
||
+ | token_explicit_max_ttl 0s |
||
+ | token_max_ttl 0s |
||
+ | token_no_default_policy false |
||
+ | token_num_uses 0 |
||
+ | token_period 0s |
||
+ | token_policies [default etcd.master.az3.k8s.cluster.home-client-and-server-policy] |
||
+ | token_ttl 0s |
||
+ | token_type default |
||
</PRE> |
</PRE> |
||
+ | }} |
||
− | <PRE> |
||
− | Error writing data to k8s_pki_intermediate_ca_for_service_etcd/issue/example-dot-home-client-crt: Error making API request. |
||
− | URL: PUT http://127.0.0.1:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/issue/example-dot-home-client-crt |
||
− | Code: 403. Errors: |
||
− | * 1 error occurred: |
||
− | * permission denied |
||
+ | =Получение клиентского сертификата= |
||
− | </PRE> |
||
+ | * cn это имя пользователя и (пока не настроена дополнительная авторизация) это произвольное значение |
||
− | Результат соответствует ожидаемому. |
||
+ | * на нодах меняются домены, роли и пользователи |
||
− | ====Получение клиентского сертификата c правильным пользователем==== |
||
<PRE> |
<PRE> |
||
+ | #!/bin/bash |
||
+ | |||
+ | PKI_NAME="k8s_pki_intermediate_ca_for_service_etcd" |
||
+ | CERTS_PATH="/etc/etcd/certs/client" |
||
+ | mkdir -p ${CERTS_PATH} |
||
+ | AZ=1 |
||
+ | DOMAIN="etcd.master.az${AZ}.k8s.cluster.home" |
||
+ | NAME="${DOMAIN}-client" |
||
+ | USERNAME="master-${AZ}" |
||
vault \ |
vault \ |
||
login \ |
login \ |
||
-method=userpass \ |
-method=userpass \ |
||
− | username= |
+ | username="${NAME}-user" \ |
− | password= |
+ | password="${NAME}-password" |
+ | echo "========" |
||
vault \ |
vault \ |
||
write \ |
write \ |
||
− | + | -format=json \ |
|
− | + | ${PKI_NAME}/issue/${NAME}-role \ |
|
− | + | common_name="${USERNAME}" \ |
|
+ | ca=false \ |
||
− | alt_names="pki.example.home" \ |
||
− | + | ttl="43800h" \ |
|
+ | > ${CERTS_PATH}/${USERNAME}.crt.json |
||
+ | cat \ |
||
− | Success! You are now authenticated. The token information displayed below |
||
+ | ${CERTS_PATH}/${USERNAME}.crt.json \ |
||
− | is already stored in the token helper. You do NOT need to run "vault login" |
||
+ | | jq -r '.data.private_key' > ${CERTS_PATH}/${USERNAME}.key |
||
− | again. Future Vault requests will automatically use this token. |
||
+ | cat \ |
||
− | Key Value |
||
+ | ${CERTS_PATH}/${USERNAME}.crt.json \ |
||
− | --- ----- |
||
+ | | jq -r '.data.certificate' > ${CERTS_PATH}/${USERNAME}.pem |
||
− | token s.vAKcP6hGLv9OHkm8ToBHFq5M |
||
+ | |||
− | token_accessor OoNShUinoMhne5s8scFcZ0Hm |
||
+ | cat \ |
||
− | token_duration 768h |
||
+ | ${CERTS_PATH}/${USERNAME}.crt.json \ |
||
− | token_renewable true |
||
+ | | jq -r '.data.ca_chain[]' >> ${CERTS_PATH}/${USERNAME}.pem |
||
− | token_policies ["default" "example-dot-home-client-crt-policy" "example-dot-home-server-crt-policy"] |
||
+ | |||
− | identity_policies [] |
||
+ | ln -sf ${CERTS_PATH}/${USERNAME}.key ${CERTS_PATH}/etcd-client-key.pem |
||
− | policies ["default" "example-dot-home-client-crt-policy" "example-dot-home-server-crt-policy"] |
||
+ | ln -sf ${CERTS_PATH}/${USERNAME}.pem ${CERTS_PATH}/etcd-client-crt.pem |
||
− | token_meta_username example-dot-home-any-crt-user |
||
</PRE> |
</PRE> |
||
+ | |||
− | =====Проверка полученного результата===== |
||
<PRE> |
<PRE> |
||
+ | openssl x509 -noout -text -in master-1.pem |
||
− | cat vault.example.home-client.crt.json | jq -r '.data.certificate' > vault.example.home-client.crt |
||
− | cat vault.example.home-client.crt.json | jq -r '.data.private_key' > vault.example.home-client.key |
||
</PRE> |
</PRE> |
||
− | <PRE> |
||
− | X509v3 Extended Key Usage: |
||
− | TLS Web Client Authentication |
||
− | </PRE> |
||
− | |||
− | <PRE> |
||
− | openssl x509 -noout -text -in certificate_client.pem |
||
<PRE> |
<PRE> |
||
Certificate: |
Certificate: |
||
Data: |
Data: |
||
+ | ... |
||
− | Version: 3 (0x2) |
||
+ | Subject: C = Ukraine, L = Kharkov, street = Lui Pastera st 322 app. 311, postalCode = 61172, O = Home Network, OU = IT, CN = master-1 |
||
− | Serial Number: |
||
+ | ... |
||
− | 51:de:46:e0:72:1e:2b:28:30:3b:9e:94:f4:da:71:f8:19:5e:26:6d |
||
+ | </PRE> |
||
− | Signature Algorithm: sha256WithRSAEncryption |
||
− | Issuer: C = Ukraine, L = Kharkov, street = Lui Pastera st. 322 app. 131, postalCode = 61172, O = K8s The Hardest Way Labs, OU = IT, CN = Intermediate CA for service ETCd |
||
− | Validity |
||
− | Not Before: Oct 8 16:53:43 2022 GMT |
||
− | Not After : Oct 7 16:54:10 2027 GMT |
||
− | Subject: C = Ukraine, L = Kharkov, street = Lui Pastera st. 322 app. 131, postalCode = 61172, O = Home Network, OU = IT, CN = vault.example.home |
||
− | Subject Public Key Info: |
||
− | Public Key Algorithm: rsaEncryption |
||
− | RSA Public-Key: (2048 bit) |
||
− | Modulus: |
||
− | 00:c3:21:f6:55:f9:f0:a7:19:52:b9:22:a6:9a:99: |
||
− | ... |
||
− | 05:e5 |
||
− | Exponent: 65537 (0x10001) |
||
− | X509v3 extensions: |
||
− | X509v3 Key Usage: critical |
||
− | Digital Signature |
||
− | X509v3 Extended Key Usage: |
||
− | TLS Web Client Authentication |
||
− | X509v3 Subject Key Identifier: |
||
− | C9:F1:9F:83:D7:0B:B8:F2:7E:BB:84:D1:FE:6F:7E:75:7B:40:F4:86 |
||
− | X509v3 Authority Key Identifier: |
||
− | keyid:60:41:31:79:58:90:A9:63:62:C2:26:FD:8F:02:B6:07:1A:1D:5C:50 |
||
+ | =Вернуться к настройке <code>ETCd</code>= |
||
− | Authority Information Access: |
||
+ | В этом месте уже есть все сертификаты для того что бы запустить <code>etcd</code> с peer-to-peer SSL<BR> |
||
− | CA Issuers - URI:http://vault.home:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/ca |
||
+ | Можно вернуться от выписывания сертификатов к [[Kubernetes_the_hard_way_etcd_setup#Peer-to-Peer_SSL|настройке ETCd]] |
||
− | X509v3 Subject Alternative Name: |
||
− | DNS:pki.example.home, DNS:vault.example.home |
||
− | X509v3 CRL Distribution Points: |
||
+ | =Сертификаты для авторизации с именем пользователя в <code>ETCd</code>= |
||
− | Full Name: |
||
− | URI:http://vault.home:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/crl |
||
+ | ==Дополнительная настройка PKI== |
||
− | Signature Algorithm: sha256WithRSAEncryption |
||
+ | '''Важно''' - разрешить произвольный CN (а не только валидные домены) <code>allow_any_name=true </code> |
||
− | 94:bb:a8:54:41:86:16:75:06:e7:fb:5a:5f:e0:56:61:5d:ff: |
||
− | ... |
||
− | 3e:56:1a:6f |
||
− | </PRE> |
||
− | =====Проверка полученного результата===== |
||
− | Расширенная проверка - проверить что сертификат нельзя использовать в качестве серверного |
||
− | Конфиг nginx не отличается ничем кроме собственно содержимого сертификата |
||
− | * Ответ собственно и говорит об этом - '''unsupported certificate purpose''', клиентский сертификат не оч |
||
<PRE> |
<PRE> |
||
+ | #!/bin/bash |
||
− | curl: (60) SSL certificate problem: unsupported certificate purpose |
||
− | More details here: https://curl.haxx.se/docs/sslcerts.html |
||
+ | source ./00_env |
||
− | curl failed to verify the legitimacy of the server and therefore could not |
||
+ | |||
− | establish a secure connection to it. To learn more about this situation and |
||
+ | |||
− | how to fix it, please visit the web page mentioned above. |
||
+ | for AZ in $(seq 1 3); |
||
+ | do |
||
+ | DOMAIN="etcd.master.az${AZ}.k8s.cluster.home" |
||
+ | NAME="${DOMAIN}-client" |
||
+ | |||
+ | |||
+ | vault \ |
||
+ | write \ |
||
+ | ${PKI_NAME}/roles/${NAME}-role \ |
||
+ | country="Ukraine" \ |
||
+ | locality="Kharkov" \ |
||
+ | street_address="Lui Pastera st 322 app. 311"\ |
||
+ | postal_code="61172" \ |
||
+ | organization="Home Network" \ |
||
+ | ou="IT" \ |
||
+ | allow_subdomains=false \ |
||
+ | max_ttl="87600h" \ |
||
+ | key_bits="2048" \ |
||
+ | key_type="rsa" \ |
||
+ | allow_any_name=true \ |
||
+ | allow_bare_domains=true \ |
||
+ | allow_glob_domain=false \ |
||
+ | allow_ip_sans=true \ |
||
+ | allow_localhost=false \ |
||
+ | client_flag=true \ |
||
+ | server_flag=false \ |
||
+ | enforce_hostnames=true \ |
||
+ | key_usage="DigitalSignature,KeyEncipherment" \ |
||
+ | ext_key_usage="ClientAuth" \ |
||
+ | require_cn=true |
||
+ | done |
||
</PRE> |
</PRE> |
||
+ | В остальном настройки такие же как и в предыдущем случае |
||
+ | |||
+ | ==Получение сертификата для имени пользователя== |
||
− | ===Проверка прав для пользователя any=== |
||
− | * работает каки ожидалось - можно получить сертификаты как для сервера так и для клиента |
||
<PRE> |
<PRE> |
||
#!/bin/bash |
#!/bin/bash |
||
+ | PKI_NAME="k8s_pki_intermediate_ca_for_service_etcd" |
||
+ | CERTS_PATH="/etc/etcd/certs/client" |
||
+ | mkdir -p ${CERTS_PATH} |
||
+ | AZ=1 |
||
− | source ./00_env |
||
+ | DOMAIN="etcd.master.az${AZ}.k8s.cluster.home" |
||
− | unset VAULT_TOKEN |
||
+ | NAME="${DOMAIN}-client" |
||
− | |||
− | |||
− | vault \ |
||
− | login \ |
||
− | -method=userpass \ |
||
− | username=example-dot-home-any-crt-user \ |
||
− | password=any |
||
+ | USERNAME="kubeapiserver" |
||
+ | echo "========" |
||
vault \ |
vault \ |
||
write \ |
write \ |
||
-format=json \ |
-format=json \ |
||
− | ${PKI_NAME}/issue/ |
+ | ${PKI_NAME}/issue/${NAME}-role \ |
− | common_name=" |
+ | common_name="${USERNAME}" \ |
− | + | ca=false \ |
|
− | ttl="43800h" |
+ | ttl="43800h" \ |
+ | > ${CERTS_PATH}/${USERNAME}.crt.json |
||
+ | cat \ |
||
+ | ${CERTS_PATH}/${USERNAME}.crt.json \ |
||
+ | | jq -r '.data.private_key' > ${CERTS_PATH}/${USERNAME}.key |
||
− | + | cat \ |
|
+ | ${CERTS_PATH}/${USERNAME}.crt.json \ |
||
− | write \ |
||
+ | | jq -r '.data.certificate' > ${CERTS_PATH}/${USERNAME}.pem |
||
− | -format=json \ |
||
+ | |||
− | ${PKI_NAME}/issue/example-dot-home-server-crt \ |
||
+ | cat \ |
||
− | common_name="vault.example.home" \ |
||
+ | ${CERTS_PATH}/${USERNAME}.crt.json \ |
||
− | alt_names="pki.example.home" \ |
||
+ | | jq -r '.data.ca_chain[]' >> ${CERTS_PATH}/${USERNAME}.pem |
||
− | ttl="43800h" > vault.example.home.SERVER_by_any_user.json |
||
</PRE> |
</PRE> |
Вводная часть
Тут описывается создание сертификатов для etcd
Это продолжение Статьи про создание промежуточного СА
Упрощение работы
Путь к PKI (k8s_pki_intermediate_ca_for_service_etcd) встречается многократно, и он вынесен в переменную
cat 00_env
# 00_env: the Vault PKI mount path used by every role/policy script below
# (they do `source ./00_env`), so the mount name lives in exactly one place.
PKI_NAME='k8s_pki_intermediate_ca_for_service_etcd'
export PKI_NAME
Роли и пользователи для peer-to-peer сертификатов
В кластере участвуют три сервера, поэтому для каждого из них требуются отдельные настройки: своя роль (выписывает сертификаты только на FQDN этого сервера), своя политика и свой пользователь.
Роли для получения peer-to-peer сертификатов
Три зоны - три роли, по одной для каждого сервера
client_flag=true server_flag=true enforce_hostnames=true key_usage="DigitalSignature,KeyEncipherment" ext_key_usage="ClientAuth,ServerAuth"
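#!/bin/bash
# Peer-to-peer TLS roles: one Vault PKI role per etcd member (AZ 1..3).
# A role may only issue for its own FQDN (allowed_domains + allow_bare_domains=true,
# no subdomains / globs / arbitrary names) and carries both ClientAuth and
# ServerAuth EKUs because etcd peers are TLS client and server to each other.
# Requires PKI_NAME from ./00_env and a token allowed to write ${PKI_NAME}/roles/*.
set -euo pipefail

# shellcheck disable=SC1091
source ./00_env
: "${PKI_NAME:?PKI_NAME must be set (see ./00_env)}"

for AZ in 1 2 3; do
  DOMAIN="etcd.master.az${AZ}.k8s.cluster.home"
  NAME="${DOMAIN}-client-and-server"

  # Parameters as an array so individual entries can be commented: a '#' after a
  # backslash-continued line would silently end the vault command early.
  ROLE_PARAMS=(
    country="Ukraine"
    locality="Kharkov"
    street_address="Lui Pastera st 322 app. 311"
    postal_code="61172"
    organization="Home Network"
    ou="IT"
    # Exactly this member's FQDN; with allow_bare_domains the bare name is the
    # only CN/SAN the role will sign.
    allowed_domains="${DOMAIN}"
    allow_bare_domains=true
    allow_subdomains=false
    # Vault's parameter is allow_glob_domains (plural). The original wrote the
    # singular form, which Vault does not know and therefore ignored (default false).
    allow_glob_domains=false
    allow_any_name=false
    allow_ip_sans=true
    allow_localhost=false
    # 10-year ceiling for issued certs. With lifetimes this long, timely
    # revocation is the only way to retire a compromised key — consider a
    # shorter max_ttl and periodic re-issue (review note).
    max_ttl="87600h"
    key_bits="2048"
    key_type="rsa"
    client_flag=true
    server_flag=true
    enforce_hostnames=true
    key_usage="DigitalSignature,KeyEncipherment"
    ext_key_usage="ClientAuth,ServerAuth"
    require_cn=true
  )

  vault write "${PKI_NAME}/roles/${NAME}-role" "${ROLE_PARAMS[@]}"
done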
Success! Data written to: k8s_pki_intermediate_ca_for_service_etcd/roles/etcd.master.az1.k8s.cluster.home-client-and-server-role Success! Data written to: k8s_pki_intermediate_ca_for_service_etcd/roles/etcd.master.az2.k8s.cluster.home-client-and-server-role Success! Data written to: k8s_pki_intermediate_ca_for_service_etcd/roles/etcd.master.az3.k8s.cluster.home-client-and-server-role
Создание политики, пользователя и привязка политики к пользователю
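#!/bin/bash
# Per etcd member (AZ 1..3): a Vault policy that can ONLY call issue/ on that
# member's peer-to-peer role, and a userpass user that carries it.
# Fixes vs. the original:
#   * capabilities trimmed to create/update — pki/issue/<role> is a write
#     endpoint, read/list on it granted nothing useful (least privilege);
#   * the stray leading space in policies=" ..." removed;
#   * the password is no longer derived from the user name and is passed via
#     stdin (password=-) instead of argv, so it does not show up in ps/history.
# Requires PKI_NAME from ./00_env and a token allowed to write policies and
# auth/userpass/users/*.
set -euo pipefail

# shellcheck disable=SC1091
source ./00_env
: "${PKI_NAME:?PKI_NAME must be set (see ./00_env)}"

for AZ in 1 2 3; do
  DOMAIN="etcd.master.az${AZ}.k8s.cluster.home"
  NAME="${DOMAIN}-client-and-server"

  # Set VAULT_USERPASS_PASSWORD to a real secret. The fallback is the original
  # predictable "${NAME}-password" and is kept only so existing node scripts
  # keep working; it is guessable from the user name and should be replaced.
  # NOTE: one env value is shared by all three users in a single run — run per
  # AZ (or generate per user) if they must differ.
  PASSWORD="${VAULT_USERPASS_PASSWORD:-${NAME}-password}"

  # Policy body from stdin ("-"), nothing left on disk.
  vault policy write "${NAME}-policy" - <<EOF
path "${PKI_NAME}/issue/${NAME}-role" {
  capabilities = ["create", "update"]
}
EOF

  # password=- makes vault read the value from stdin.
  printf '%s' "${PASSWORD}" | vault write "auth/userpass/users/${NAME}-user" \
    password=- \
    policies="${NAME}-policy,default"
done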
Success! Uploaded policy: etcd.master.az1.k8s.cluster.home-client-and-server-policy Success! Data written to: auth/userpass/users/etcd.master.az1.k8s.cluster.home-client-and-server-user Success! Uploaded policy: etcd.master.az2.k8s.cluster.home-client-and-server-policy Success! Data written to: auth/userpass/users/etcd.master.az2.k8s.cluster.home-client-and-server-user Success! Uploaded policy: etcd.master.az3.k8s.cluster.home-client-and-server-policy Success! Data written to: auth/userpass/users/etcd.master.az3.k8s.cluster.home-client-and-server-user
Просмотр созданных политик
#!/bin/bash
# Show what the previous two scripts created: every PKI role, every userpass
# user, then for each AZ the peer-to-peer policy text and user definition.
# Read-only; needs PKI_NAME from ./00_env and a token that may list/read them.

# shellcheck disable=SC1091
source ./00_env

banner() {
  echo "$1"
}

show_az() {
  local az="$1"
  local domain="etcd.master.az${az}.k8s.cluster.home"
  local name="${domain}-client-and-server"
  vault policy read "${name}-policy"
  vault read "auth/userpass/users/${name}-user"
}

banner "---------ROLES---------------------"
vault list "${PKI_NAME}/roles"

banner "---------USERS---------------------"
vault list auth/userpass/users

banner "------------------------------"
for az in 1 2 3; do
  show_az "${az}"
done
Получение серверного сертификата (для соединения с между серверами, peer-to-peer)
- Получать непосредственно на нодах
- на нодах меняются домены, роли и пользователи
Запускать на всех трех нодах, путь /etc/etcd/certs/server
один и тот же,
сразу делать бандл из сертификата и промежуточного СА
Стараемся делать путь и имена файлов одинаковыми что-бы конфиги отличались минимально
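#!/bin/bash
# Run ON each etcd node. Logs in as the node's own Vault userpass user, issues
# the peer-to-peer certificate for this node's FQDN and stores the key and a
# bundle (leaf cert followed by the intermediate chain) under CERTS_PATH.
# Fixed symlink names keep the etcd config identical on every node.
# Set AZ (1..3) per node; everything else is derived from it.
# Fixes vs. the original: files holding the private key are created 0600
# (default umask left them world-readable), the login token is not persisted
# in ~/.vault-token, the script stops on the first failing step.
set -euo pipefail

PKI_NAME="k8s_pki_intermediate_ca_for_service_etcd"
CERTS_PATH="/etc/etcd/certs/server"
AZ="${AZ:-1}"

DOMAIN="etcd.master.az${AZ}.k8s.cluster.home"
NAME="${DOMAIN}-client-and-server"
# Real secret via VAULT_USERPASS_PASSWORD; the fallback is the original,
# guessable "${NAME}-password". Either way it is visible in argv while
# `vault login` runs — prefer the interactive prompt (omit password=) on
# shared hosts.
PASSWORD="${VAULT_USERPASS_PASSWORD:-${NAME}-password}"

JSON_FILE="${CERTS_PATH}/${DOMAIN}.crt.json"
KEY_FILE="${CERTS_PATH}/${DOMAIN}.key"
PEM_FILE="${CERTS_PATH}/${DOMAIN}.pem"

mkdir -p "${CERTS_PATH}"
# Every file created from here on contains the private key (the JSON response
# includes it too): create them 0600 instead of the usual 0644.
umask 077

# -token-only prints just the token and -no-store keeps the 768h renewable
# token out of ~/.vault-token on the node; it lives only in this shell.
VAULT_TOKEN="$(vault login -no-store -token-only -method=userpass \
  username="${NAME}-user" \
  password="${PASSWORD}")"
export VAULT_TOKEN
echo "========"

# The role pins CN to ${DOMAIN}. 43800h (~5 years) must not exceed the role's
# max_ttl (87600h) or Vault rejects the request.
vault write -format=json "${PKI_NAME}/issue/${NAME}-role" \
  common_name="${DOMAIN}" \
  ttl="43800h" \
  > "${JSON_FILE}"

# Split the response: private key alone; leaf certificate + CA chain as one bundle.
jq -r '.data.private_key' "${JSON_FILE}" > "${KEY_FILE}"
{
  jq -r '.data.certificate' "${JSON_FILE}"
  jq -r '.data.ca_chain[]' "${JSON_FILE}"
} > "${PEM_FILE}"

chmod 0600 "${KEY_FILE}" "${JSON_FILE}"   # both contain the private key
chmod 0644 "${PEM_FILE}"                  # certificate + chain are public
# If etcd runs as a dedicated service user, chown the key to it — TODO confirm.

ln -sf "${KEY_FILE}" "${CERTS_PATH}/etcd-server-key.pem"
ln -sf "${PEM_FILE}" "${CERTS_PATH}/etcd-server-crt.pem"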
Key Value --- ----- token s.&lt;redacted&gt; token_accessor &lt;redacted&gt; token_duration 768h token_renewable true token_policies ["default" "etcd.master.az1.k8s.cluster.home-client-and-server-policy"] identity_policies [] policies ["default" "etcd.master.az1.k8s.cluster.home-client-and-server-policy"] token_meta_username etcd.master.az1.k8s.cluster.home-client-and-server-user ======== (значения token и token_accessor в выводе скрыты: это секрет, его нельзя публиковать)
Вернуться к настройке ETCd
В этом месте уже есть все сертификаты для того что бы запустить etcd
с peer-to-peer SSL
Можно вернуться от выписывания сертификатов к настройке ETCd
Роли и пользователи для client-server сертификатов
- Для сертификата, который будет использоваться на стороне сервера для client-server соединений (порт клиентов):
Роли для клиент-серверного SSL
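#!/bin/bash
# Client-server TLS roles: one Vault PKI role per etcd member (AZ 1..3) for the
# certificate etcd presents on its client endpoint. Each role may issue for the
# member's own FQDN and for the shared balancer name etcd.k8s.cluster.home.
# client_flag=true is kept deliberately: in Vault it adds ClientAuth to the EKU
# on top of ext_key_usage, and the page's etcd version refuses the cert without
# it (see the "tls: bad certificate" note below the script).
# Requires PKI_NAME from ./00_env and a token allowed to write ${PKI_NAME}/roles/*.
set -euo pipefail

# shellcheck disable=SC1091
source ./00_env
: "${PKI_NAME:?PKI_NAME must be set (see ./00_env)}"

for AZ in 1 2 3; do
  DOMAIN="etcd.master.az${AZ}.k8s.cluster.home"
  NAME="${DOMAIN}-server"

  # Array form so entries can carry comments (a '#' after a backslash-continued
  # line would silently truncate the command).
  ROLE_PARAMS=(
    country="Ukraine"
    locality="Kharkov"
    street_address="Lui Pastera st 322 app. 311"
    postal_code="61172"
    organization="Home Network"
    ou="IT"
    # This member's FQDN plus the balancer name; both are signed as bare names.
    allowed_domains="${DOMAIN},etcd.k8s.cluster.home"
    allow_bare_domains=true
    allow_subdomains=false
    # Vault's parameter is allow_glob_domains (plural); the singular spelling in
    # the original was unknown to Vault and ignored (default is false anyway).
    allow_glob_domains=false
    allow_any_name=false
    # Needed: the node script puts the member's IP into ip_sans.
    allow_ip_sans=true
    allow_localhost=false
    # 10-year ceiling; long-lived certs make timely revocation essential —
    # consider a shorter max_ttl (review note).
    max_ttl="87600h"
    key_bits="2048"
    key_type="rsa"
    client_flag=true
    server_flag=true
    enforce_hostnames=true
    key_usage="DigitalSignature,KeyEncipherment"
    ext_key_usage="ServerAuth"
    require_cn=true
  )

  vault write "${PKI_NAME}/roles/${NAME}-role" "${ROLE_PARAMS[@]}"
done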
ВНЕЗАПНО оказалось что с новой версией etcd пришлось
- client_flag=true
- server_flag=true
- ext_key_usage="ServerAuth"
Точного объяснения нет: в прошлых версиях client_flag=true не требовался, а сейчас без него возникает ошибка ниже. Вероятная причина — etcd предъявляет этот же сертификат и как клиентский (например, обращаясь к собственному client URL), а в Vault client_flag=true добавляет в EKU значение ClientAuth в дополнение к тому, что задано в ext_key_usage. Проверить EKU выписанного сертификата можно так: `openssl x509 -noout -ext extendedKeyUsage -in etcd-server-to-client-crt.pem`.
WARNING: 2022/10/12 16:21:53 grpc: addrConn.createTransport failed to connect to {10.0.11.1:2379 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: remote error: tls: bad certificate". Reconnecting...
Создание политики, пользователя и привязка политики к пользователю
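#!/bin/bash
# Per etcd member (AZ 1..3): a Vault policy that can ONLY call issue/ on that
# member's client-server ("-server") role, and a userpass user carrying it.
# Fixes vs. the original:
#   * capabilities trimmed to create/update — pki/issue/<role> is a write
#     endpoint; read/list granted nothing useful (least privilege);
#   * stray leading space in policies=" ..." removed;
#   * password no longer derived from the user name and passed via stdin
#     (password=-) rather than argv, so it stays out of ps/history.
# Requires PKI_NAME from ./00_env and a token allowed to write policies and
# auth/userpass/users/*.
set -euo pipefail

# shellcheck disable=SC1091
source ./00_env
: "${PKI_NAME:?PKI_NAME must be set (see ./00_env)}"

for AZ in 1 2 3; do
  DOMAIN="etcd.master.az${AZ}.k8s.cluster.home"
  NAME="${DOMAIN}-server"

  # Set VAULT_USERPASS_PASSWORD to a real secret. The fallback is the original
  # guessable "${NAME}-password", kept only for compatibility with the node
  # scripts. One env value is shared by all three users in a single run.
  PASSWORD="${VAULT_USERPASS_PASSWORD:-${NAME}-password}"

  # Policy body from stdin ("-"); nothing is written to the working directory.
  vault policy write "${NAME}-policy" - <<EOF
path "${PKI_NAME}/issue/${NAME}-role" {
  capabilities = ["create", "update"]
}
EOF

  # password=- makes vault read the value from stdin.
  printf '%s' "${PASSWORD}" | vault write "auth/userpass/users/${NAME}-user" \
    password=- \
    policies="${NAME}-policy,default"
done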
Просмотр созданных политик
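#!/bin/bash
# Inspect what the client-server section created: all PKI roles, all userpass
# users, then each AZ's "-server" policy and user.
# Fix: the original looped over "${DOMAIN}-client-and-server" (copied from the
# peer-to-peer section) and so displayed the wrong policy and user here.
set -euo pipefail

# shellcheck disable=SC1091
source ./00_env
: "${PKI_NAME:?PKI_NAME must be set (see ./00_env)}"

echo "---------ROLES---------------------"
vault list "${PKI_NAME}/roles"

echo "---------USERS---------------------"
vault list auth/userpass/users

echo "------------------------------"
for AZ in 1 2 3; do
  DOMAIN="etcd.master.az${AZ}.k8s.cluster.home"
  NAME="${DOMAIN}-server"
  vault policy read "${NAME}-policy"
  vault read "auth/userpass/users/${NAME}-user"
done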
Получение серверного сертификата (для client-server соединений)
- Получать непосредственно на нодах
- на нодах меняются домены, роли и пользователи
Запускать на всех трех нодах, путь /etc/etcd/certs/server-to-client
один и тот же,
сразу делать бандл из сертификата и промежуточного СА.
Внимательно следить - доменные имена и IP нужно подправить для каждой ноды! (AZ=1,2,3)
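#!/bin/bash
# Run ON each etcd node. Logs in as the node's "-server" Vault user and issues
# the certificate etcd presents on its client endpoint: CN = node FQDN, SANs =
# node FQDN + balancer name, IP SAN = node IP. Key and bundle (leaf + chain)
# are stored under CERTS_PATH behind fixed symlink names.
# Set AZ and IP together per node (AZ=1 <-> 10.0.11.1 is only the first node).
# Fixes vs. the original: duplicated shebang/header removed; files holding the
# private key are created 0600; the login token is not persisted on the node;
# the script stops at the first failing step.
set -euo pipefail

PKI_NAME="k8s_pki_intermediate_ca_for_service_etcd"
CERTS_PATH="/etc/etcd/certs/server-to-client"
AZ="${AZ:-1}"
IP="${IP:-10.0.11.1}"

DOMAIN="etcd.master.az${AZ}.k8s.cluster.home"
BALANCER_DOMAIN="etcd.k8s.cluster.home"
NAME="${DOMAIN}-server"
# Real secret via VAULT_USERPASS_PASSWORD; fallback is the original guessable
# "${NAME}-password". Both are visible in argv while `vault login` runs —
# omit password= to get the interactive prompt on shared hosts.
PASSWORD="${VAULT_USERPASS_PASSWORD:-${NAME}-password}"

JSON_FILE="${CERTS_PATH}/${DOMAIN}.crt.json"
KEY_FILE="${CERTS_PATH}/${DOMAIN}.key"
PEM_FILE="${CERTS_PATH}/${DOMAIN}.pem"

mkdir -p "${CERTS_PATH}"
# The JSON response and the .key both contain the private key: create 0600.
umask 077

# -token-only prints only the token; -no-store keeps it out of ~/.vault-token.
VAULT_TOKEN="$(vault login -no-store -token-only -method=userpass \
  username="${NAME}-user" \
  password="${PASSWORD}")"
export VAULT_TOKEN
echo "========"

# ca=false is not a documented pki/issue parameter; it is kept from the original
# and presumably ignored by Vault — TODO confirm and drop.
# 43800h (~5 years) must stay within the role's max_ttl (87600h).
vault write -format=json "${PKI_NAME}/issue/${NAME}-role" \
  common_name="${DOMAIN}" \
  alt_names="${DOMAIN},${BALANCER_DOMAIN}" \
  ip_sans="${IP}" \
  ca=false \
  ttl="43800h" \
  > "${JSON_FILE}"

jq -r '.data.private_key' "${JSON_FILE}" > "${KEY_FILE}"
{
  jq -r '.data.certificate' "${JSON_FILE}"
  jq -r '.data.ca_chain[]' "${JSON_FILE}"
} > "${PEM_FILE}"

chmod 0600 "${KEY_FILE}" "${JSON_FILE}"   # private key material
chmod 0644 "${PEM_FILE}"                  # certificate + chain are public
# chown to the etcd service user if etcd does not run as root — TODO confirm.

ln -sf "${KEY_FILE}" "${CERTS_PATH}/etcd-server-to-client-key.pem"
ln -sf "${PEM_FILE}" "${CERTS_PATH}/etcd-server-to-client-crt.pem"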
Вернуться к настройке ETCd
В этом месте уже есть все сертификаты для того что бы запустить etcd
с client-server SSL
Можно вернуться от выписывания сертификатов к настройке ETCd
Роли и пользователи для клиентских сертификатов
Роли для получения клиентских сертификатов
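#!/bin/bash
# Client-certificate roles: one Vault PKI role per AZ for certificates whose CN
# is an etcd *user name* (e.g. "master-1") rather than a DNS name, which is why
# allow_any_name=true is required. Security note: whoever can call issue/ on
# this role can mint a certificate for ANY etcd user, so the policy/user bound
# to it must be protected like the keys themselves.
# Requires PKI_NAME from ./00_env and a token allowed to write ${PKI_NAME}/roles/*.
set -euo pipefail

# shellcheck disable=SC1091
source ./00_env
: "${PKI_NAME:?PKI_NAME must be set (see ./00_env)}"

for AZ in 1 2 3; do
  DOMAIN="etcd.master.az${AZ}.k8s.cluster.home"
  NAME="${DOMAIN}-client"

  # Array form so entries can be commented individually.
  ROLE_PARAMS=(
    country="Ukraine"
    locality="Kharkov"
    street_address="Lui Pastera st 322 app. 311"
    postal_code="61172"
    organization="Home Network"
    ou="IT"
    # Any CN is accepted. enforce_hostnames=true presumably still requires it
    # to be hostname-shaped (letters, digits, '-', '.'); a name such as
    # "system:kube-apiserver" would then be rejected — verify before relying on it.
    allow_any_name=true
    allow_bare_domains=true
    allow_subdomains=false
    # Vault's parameter is allow_glob_domains (plural); the original's singular
    # spelling was unknown to Vault and ignored (default false).
    allow_glob_domains=false
    # IP SANs are not needed for a client identity; kept for compatibility.
    allow_ip_sans=true
    allow_localhost=false
    # 10-year ceiling; consider a shorter max_ttl for client identities (review note).
    max_ttl="87600h"
    key_bits="2048"
    key_type="rsa"
    client_flag=true
    server_flag=false
    enforce_hostnames=true
    key_usage="DigitalSignature,KeyEncipherment"
    ext_key_usage="ClientAuth"
    require_cn=true
  )

  vault write "${PKI_NAME}/roles/${NAME}-role" "${ROLE_PARAMS[@]}"
done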
Создание политики, пользователя и привязка политики к пользователю
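#!/bin/bash
# Per AZ (1..3): a Vault policy that can ONLY call issue/ on that AZ's "-client"
# role, and a userpass user carrying it. Because that role accepts any CN, this
# user can obtain a certificate for any etcd user — treat its password as a
# high-value secret.
# Fixes vs. the original:
#   * capabilities trimmed to create/update — pki/issue/<role> is a write
#     endpoint; read/list granted nothing useful (least privilege);
#   * stray leading space in policies=" ..." removed;
#   * password no longer derived from the user name and passed via stdin
#     (password=-) rather than argv, so it stays out of ps/history.
# Requires PKI_NAME from ./00_env and a token allowed to write policies and
# auth/userpass/users/*.
set -euo pipefail

# shellcheck disable=SC1091
source ./00_env
: "${PKI_NAME:?PKI_NAME must be set (see ./00_env)}"

for AZ in 1 2 3; do
  DOMAIN="etcd.master.az${AZ}.k8s.cluster.home"
  NAME="${DOMAIN}-client"

  # Set VAULT_USERPASS_PASSWORD to a real secret. The fallback is the original
  # guessable "${NAME}-password", kept only for compatibility with the node
  # scripts. One env value is shared by all three users in a single run.
  PASSWORD="${VAULT_USERPASS_PASSWORD:-${NAME}-password}"

  # Policy body from stdin ("-"); nothing is written to the working directory.
  vault policy write "${NAME}-policy" - <<EOF
path "${PKI_NAME}/issue/${NAME}-role" {
  capabilities = ["create", "update"]
}
EOF

  # password=- makes vault read the value from stdin.
  printf '%s' "${PASSWORD}" | vault write "auth/userpass/users/${NAME}-user" \
    password=- \
    policies="${NAME}-policy,default"
done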
Просмотр созданных политик
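#!/bin/bash
# Inspect what the client-certificate section created: all PKI roles, all
# userpass users, then each AZ's "-client" policy and user.
# Fix: the original looped over "${DOMAIN}-client-and-server" (copied from the
# peer-to-peer section) and so displayed the wrong policy and user here.
set -euo pipefail

# shellcheck disable=SC1091
source ./00_env
: "${PKI_NAME:?PKI_NAME must be set (see ./00_env)}"

echo "---------ROLES---------------------"
vault list "${PKI_NAME}/roles"

echo "---------USERS---------------------"
vault list auth/userpass/users

echo "------------------------------"
for AZ in 1 2 3; do
  DOMAIN="etcd.master.az${AZ}.k8s.cluster.home"
  NAME="${DOMAIN}-client"
  vault policy read "${NAME}-policy"
  vault read "auth/userpass/users/${NAME}-user"
done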
Получение клиентского сертификата
- CN — это имя пользователя etcd; пока в etcd не настроена авторизация (пользователи и роли), это произвольное значение. Важно: поскольку роль разрешает любой CN, владелец Vault-пользователя с этой политикой может выписать сертификат на любое имя, в том числе на имя будущего привилегированного пользователя, поэтому пароль и токен этого пользователя нужно хранить не менее аккуратно, чем сами ключи.
- на нодах меняются домены, роли и пользователи
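#!/bin/bash
# Run ON each etcd node. Logs in as the AZ's "-client" Vault user and issues a
# client certificate whose CN is the etcd user name "master-<AZ>"; key and
# bundle (leaf + intermediate chain) go under CERTS_PATH behind fixed symlinks.
# Set AZ (1..3) per node.
# Fixes vs. the original: files holding the private key are created 0600, the
# login token is not persisted on the node, the script stops on the first error.
set -euo pipefail

PKI_NAME="k8s_pki_intermediate_ca_for_service_etcd"
CERTS_PATH="/etc/etcd/certs/client"
AZ="${AZ:-1}"

DOMAIN="etcd.master.az${AZ}.k8s.cluster.home"
NAME="${DOMAIN}-client"
USERNAME="master-${AZ}"
# Real secret via VAULT_USERPASS_PASSWORD; fallback is the original guessable
# "${NAME}-password". Visible in argv while `vault login` runs — omit password=
# for the interactive prompt on shared hosts.
PASSWORD="${VAULT_USERPASS_PASSWORD:-${NAME}-password}"

JSON_FILE="${CERTS_PATH}/${USERNAME}.crt.json"
KEY_FILE="${CERTS_PATH}/${USERNAME}.key"
PEM_FILE="${CERTS_PATH}/${USERNAME}.pem"

mkdir -p "${CERTS_PATH}"
# JSON response and .key both contain the private key: create them 0600.
umask 077

# -token-only prints only the token; -no-store keeps it out of ~/.vault-token.
VAULT_TOKEN="$(vault login -no-store -token-only -method=userpass \
  username="${NAME}-user" \
  password="${PASSWORD}")"
export VAULT_TOKEN
echo "========"

# ca=false is not a documented pki/issue parameter; kept from the original and
# presumably ignored — TODO confirm and drop. ttl must stay <= role max_ttl.
vault write -format=json "${PKI_NAME}/issue/${NAME}-role" \
  common_name="${USERNAME}" \
  ca=false \
  ttl="43800h" \
  > "${JSON_FILE}"

jq -r '.data.private_key' "${JSON_FILE}" > "${KEY_FILE}"
{
  jq -r '.data.certificate' "${JSON_FILE}"
  jq -r '.data.ca_chain[]' "${JSON_FILE}"
} > "${PEM_FILE}"

chmod 0600 "${KEY_FILE}" "${JSON_FILE}"   # private key material
chmod 0644 "${PEM_FILE}"                  # certificate + chain are public
# chown to the service that will use this client cert — TODO confirm the user.

ln -sf "${KEY_FILE}" "${CERTS_PATH}/etcd-client-key.pem"
ln -sf "${PEM_FILE}" "${CERTS_PATH}/etcd-client-crt.pem"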
# Verify the issued client cert: the Subject's CN must be the etcd user name
# (master-1 for AZ=1); the rest of the Subject comes from the role's fixed
# country/locality/organization fields.
openssl x509 -noout -text -in master-1.pem
Certificate: Data: ... Subject: C = Ukraine, L = Kharkov, street = Lui Pastera st 322 app. 311, postalCode = 61172, O = Home Network, OU = IT, CN = master-1 ...
Вернуться к настройке ETCd
В этом месте уже есть все сертификаты для того что бы запустить etcd
с клиентскими сертификатами (аутентификация клиентов по сертификату)
Можно вернуться от выписывания сертификатов к настройке ETCd
Сертификаты для авторизации с именем пользователя в ETCd
Дополнительная настройка PKI
Важно — разрешить произвольный CN (а не только валидные домены): allow_any_name=true. Обратная сторона: такая роль выписывает сертификат на любое имя, а etcd сопоставляет CN с пользователем, поэтому право issue на эту роль равносильно праву выступать от имени любого пользователя etcd. Ограничивайте его политикой Vault, а если набор имён известен заранее, перечислите их в allowed_domains (с allow_bare_domains=true) вместо allow_any_name=true.
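#!/bin/bash
# Client-certificate roles: one Vault PKI role per AZ for certificates whose CN
# is an etcd *user name* (e.g. "kubeapiserver") rather than a DNS name, which
# is why allow_any_name=true is required. Security note: whoever can call
# issue/ on this role can mint a certificate for ANY etcd user, so the
# policy/user bound to it must be protected like the keys themselves.
# Requires PKI_NAME from ./00_env and a token allowed to write ${PKI_NAME}/roles/*.
set -euo pipefail

# shellcheck disable=SC1091
source ./00_env
: "${PKI_NAME:?PKI_NAME must be set (see ./00_env)}"

for AZ in 1 2 3; do
  DOMAIN="etcd.master.az${AZ}.k8s.cluster.home"
  NAME="${DOMAIN}-client"

  # Array form so entries can be commented individually.
  ROLE_PARAMS=(
    country="Ukraine"
    locality="Kharkov"
    street_address="Lui Pastera st 322 app. 311"
    postal_code="61172"
    organization="Home Network"
    ou="IT"
    # Any CN is accepted. enforce_hostnames=true presumably still requires it
    # to be hostname-shaped (letters, digits, '-', '.'); a name such as
    # "system:kube-apiserver" would then be rejected — verify before relying on it.
    allow_any_name=true
    allow_bare_domains=true
    allow_subdomains=false
    # Vault's parameter is allow_glob_domains (plural); the original's singular
    # spelling was unknown to Vault and ignored (default false).
    allow_glob_domains=false
    # IP SANs are not needed for a client identity; kept for compatibility.
    allow_ip_sans=true
    allow_localhost=false
    # 10-year ceiling; consider a shorter max_ttl for client identities (review note).
    max_ttl="87600h"
    key_bits="2048"
    key_type="rsa"
    client_flag=true
    server_flag=false
    enforce_hostnames=true
    key_usage="DigitalSignature,KeyEncipherment"
    ext_key_usage="ClientAuth"
    require_cn=true
  )

  vault write "${PKI_NAME}/roles/${NAME}-role" "${ROLE_PARAMS[@]}"
done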
В остальном настройки такие же как и в предыдущем случае
Получение сертификата для имени пользователя
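#!/bin/bash
# Issue a client certificate whose CN is the etcd user name "kubeapiserver",
# via the AZ's "-client" role. Unlike the node scripts there is no vault login
# here: the request runs with whatever token is already in VAULT_TOKEN or
# ~/.vault-token, which must carry that role's issue policy.
# Fixes vs. the original: files holding the private key are created 0600
# (default umask left them world-readable) and the script stops on the first
# failing step instead of writing empty key/cert files.
set -euo pipefail

PKI_NAME="k8s_pki_intermediate_ca_for_service_etcd"
CERTS_PATH="/etc/etcd/certs/client"
AZ="${AZ:-1}"

DOMAIN="etcd.master.az${AZ}.k8s.cluster.home"
NAME="${DOMAIN}-client"
USERNAME="kubeapiserver"

JSON_FILE="${CERTS_PATH}/${USERNAME}.crt.json"
KEY_FILE="${CERTS_PATH}/${USERNAME}.key"
PEM_FILE="${CERTS_PATH}/${USERNAME}.pem"

mkdir -p "${CERTS_PATH}"
# JSON response and .key both contain the private key: create them 0600.
umask 077

echo "========"
# ca=false is not a documented pki/issue parameter; kept from the original and
# presumably ignored — TODO confirm and drop. ttl must stay <= role max_ttl.
vault write -format=json "${PKI_NAME}/issue/${NAME}-role" \
  common_name="${USERNAME}" \
  ca=false \
  ttl="43800h" \
  > "${JSON_FILE}"

jq -r '.data.private_key' "${JSON_FILE}" > "${KEY_FILE}"
{
  jq -r '.data.certificate' "${JSON_FILE}"
  jq -r '.data.ca_chain[]' "${JSON_FILE}"
} > "${PEM_FILE}"

chmod 0600 "${KEY_FILE}" "${JSON_FILE}"   # private key material
chmod 0644 "${PEM_FILE}"                  # certificate + chain are public
# The key is meant for kube-apiserver: chown/move it to that service's user
# and path — TODO confirm where the apiserver expects it.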