Update certs

* use cert-machine instead of old cert-generator * Update _index.md * Update 8calico.md * Update 7bootstrap-workers.md
containerum · Feb 5, 2019 · 5fbf697 · 5fbf697
1 parent c5adac3
commit 5fbf697
Show file tree

Hide file tree

Showing 8 changed files with 142 additions and 179 deletions.
diff --git a/content/about/_index.md b/content/about/_index.md
@@ -21,7 +21,7 @@ Containerum documentation walks you through all aspects of Containerum installat
 
 **[About](/about)** contains Documentation overview.
 
-**[Installation](/installation/prerequirements)** contains describes how to bootstrap Kubernetes Distribution by Containerum (KDC) from binaries or using Containerum Element installer.  
+**[Installation](/installation/prerequirements)** describes how to bootstrap Kubernetes Distribution by Containerum (KDC) from binaries or using Containerum Element installer.  
 
 **[Plugins](/plugins/)** section describes how to install and configure plugins that work best with KDC.
 

diff --git a/content/installation/packages/2certificates.md b/content/installation/packages/2certificates.md
@@ -1,7 +1,7 @@
 ---
-title: Kubernetes Certificates
+title: Kubernetes Certificates and Kubeconfigs
 linktitle: Generate certificates
-description: Generation of certificates for etcd, kube-apiserver, kubelet, etc.
+description: Generation of certificates and kubeconfigs for etcd, kube-apiserver, kubelet, etc.
 
 categories: []
 keywords: []
@@ -16,124 +16,121 @@ draft: false
 
 # Certs preparation and generation
 
-This section describes how to generate Kubernetes certificates with Containerum kube-cert-generator.
+This section describes how to generate Kubernetes certificates with cert-machine.
 
 > **Note**: All steps in this article can be performed on your host machine or on any other machine with the ssh access to all of your nodes.
 
-## Generate certificates with Containerum kube-cert-generator
+## Generate certificates with cert-machine
 
-Download and build the script that helps generate and maintain certificate infrastructure sufficient to run a Kubernetes cluster:
+Download and build cert-machine that helps generate and maintain certificate infrastructure sufficient to run a Kubernetes cluster:
 ```bash
 {{< highlight bash >}}
 
-mkdir -p cert
-cd cert
-curl -OL https://github.com/containerum/kube-cert-generator/releases/download/v1.0.4/kube-cert-generator_linux_amd64_v1.0.4.tar.gz
-tar xvf kube-cert-generator_linux_amd64_*.tar.gz
-mv ca generator
-chmod +x generator
-rm -rfv kube-cert-generator_linux_amd64_*.tar.gz
+git clone https://github.com/nkmazur/cert_machine.git
+cargo install
+export PATH=$PATH:$HOME/.cargo/bin
 
 {{< / highlight >}}
 ```
 
 Config file `config.toml`:
-```
-overwrite_files = false  # If "true" overwrite exsisting files.
-
-validity_period = "24h" # default cert validity priod for all certificates.
-key_size = 2048 # RSA key size for all certs.
-
-[common_fields] # default parameters for all certs
-common_name = "Sample Cert"
-country = ["RU"]
-organization = ["org"]
-organization_unit = ["ou"]
-locality = []
-province = []
-street_address = []
-postal_code = []
-
-[master_node] # certificate for kubernetes control plane
-alias = "master"
-addresses = ["10.96.0.1", "192.0.2.1", "172.16.0.1", "172.16.0.2", "172.16.0.3"] # SAN for apiserver. Must contain all apiserver private addresses, public address (or public load balancer addr.) and cluster ip (10.96.0.1 here).
-
-
-[[worker_node]] # certificates for worker node
-alias = "node-01" # must be same as hostname of node.
-addresses = ["node-01", "172.16.0.11"] # internal ip addr and hostname of node
-
-[[worker_node]]
-alias = "node-02"
-addresses = ["node-02", "172.16.0.12"]
-
-[[etcd_node]] # certificates for etcd
-alias = "etcd1" # filename of etcd cert
-addresses = ["ectd1", "172.16.1.5"] # SAN for etcd
-
-[[etcd_node]]
-alias = "etcd2"
-addresses = ["ectd2", "172.16.1.6"]
-
-[[extra_cert]] # you can generate some custom cert
-name = "custom_cert"
-common_name = "custom.example.com"
-country = ["RU"]
-organization = ["org"]
-organization_unit = ["ou"]
-locality = []
-province = []
-street_address = []
-postal_code = []
-validity_period = "24h"
-key_size = 2048
-
-  [extra_cert.host] # SANs for custom cert
-  alias = "etcd2"
-  addresses = ["custom.example.com", "127.0.0.1", "172.16.0.111"]
-
-[ca] # certificate authority configuration
-root_dir = "cert"
-common_name = "Sample Cert"
-country = ["RU"]
-organization = ["org"]
-organization_unit = ["ou"]
-locality = []
-province = []
-street_address = []
-postal_code = []
-validity_period = "24h"
-key_size = 2048
+
+```toml
+cluster_name = "Test kubernetes cluster"  # Common name for certificate authority
+validity_days = 365  # Validity in days for non CA certificates
+master_san = ["10.96.0.1", "192.0.2.1", "172.16.0.1", "172.16.0.2", "172.16.0.3", "m1-test", "m2-test", "m3-test"]  # SAN for kube-apiserver certificate
+apiserver_internal_address = "192.0.2.1:6443"  # Apiserver address which will be writen in all kubeconfig files exclude admin.kubeconfig
+apiserver_external_address = "192.0.2.1:6443"  # Apiserver address which will be writen in admin and user kubeconfigs
+
+[[worker]]  # Worker node section
+hostname = "node-01" # Hostname of worker node
+san = ["172.16.0.11", "node-01"]  # SAN for kubelet server certificate
+
+[[worker]]
+hostname = "node-02"
+san = ["172.16.0.12", "node-02"]
+
+[[etcd_server]]  # Etcd node section
+hostname = "etcd1"  # Hostname of etcd node
+san = ["172.16.1.5", "etcd1"]  # SAN for etcd server and peer certificate
+
+[[etcd_server]]
+hostname = "etcd2"
+san = ["172.16.1.6", "etcd2"]
+
+[[etcd_server]]
+hostname = "etcd3"
+san = ["172.16.1.7", "etcd3"]
+
+[ca]  # Certificate authority section
+country = "LV"  # Country code can be presented in main CA cert. Optional
+organization = "Exon LV"  # Organization name can be presented in main CA cert. Optional
+organization_unit = "Kubernetes Ops"  # Organization unit can be presented in main CA cert. Optional
+locality = "Riga"  # Locality can be presented in main CA cert. Optional
+validity_days = 1000  # Validity in days for all CA certs
 ```
 
-Arguments:
+### Usage:
 
-`init-ca` - Initialize a CA.  
-`gen-csr` - Prepare configuration for generating a CSRs.  
-`sign file.crt` - Use CA to sign a CSR in file.csr. Result in file.crt.
+`new` - Create new CA.
+`gen-cert` - Create single certificate.
 
-The script does not remove or overwrite any files with non-zero length - it completes the file structure to its full state by generating missing files from the files they are dependent on.
+Cert-machine does not remove or overwrite any files. Instead it creates symlinks to files in the CA directory.
 
-For example, if you put files `admin.key` and `etcd1.key` into an empty directory, and call this script from there, it will use `.key` files provided by you for generation of the CA certificate and `admin.csr` (and consecutively `admin.crt`). If you want to re-issue a certificate, just remove its `.cey`, `.csr` and `.crt` files and rerun the script.
 
-The `init-ca` subcommand creates a new certificate authority from the `[ca]` template in `config.toml` file.
-The `gen-csr` subcommand generates a certificate signing requests for all services, using IP addresses and DNS names from the `config.toml` file.
-The `sign` subcommand signs CSR with CA key.
 
-### Usage examples
+The `new` subcommand generates a new certificate authority and signed certificates, using information about cluster from the `config.toml` file.
+The `gen-cert` subcommand generates TLS certificates and kubeconig for node.
+
+### Example
 
 To generate a valid certificates range create a valid config like the one described below and run following commands:
 
 ```
 {{< highlight bash >}}
-./generator init-ca
-./generator gen-csr
-./generator sign cert/*.csr
-cp certs/root/certs/root.crt cert/ca.crt
-cp certs/root/keys/root.key cert/ca.key
+cert-machine new
+Creating CA with name: Test kubernetes cluster
+Create CA: etcd
+Create CA: front proxy
+Creating cert for Kubernetes admin
+Creating cert for Kubernetes API server
+Creating cert for Kubernetes API server kubelet client
+Creating cert for Kubernetes ETCD client
+Creating cert for Kubernetes controller-manager
+Creating cert for Kubernetes scheduler
+Creating cert for front-proxy-client
+Creating cert for Kubernetes proxy
+Creating cert for node: node-01
+Creating server cert for node: node-01
+Creating cert for node: node-02
+Creating server cert for node: node-02
+Creating cert for etcd node: etcd1
+Creating cert for etcd node: etcd2
+Creating cert for etcd node: etcd3
+{{< / highlight >}}
+```
+
+## Distribute configuration files
+
+Distribute certificates and kubeconifgs across the nodes:
+```bash
+for instance in node-01 node-02 node-03; do
+  scp -r ${instance} ${instance}:~/
+done
+```
+
+Copy the master files to each controller:
+
+```bash
+{{< highlight bash >}}
+
+for instance in master-1 master-2 master-3; do
+  scp -r master/ ${instance}:~/
+done
+
 {{< / highlight >}}
 ```
 
-Done! You have generated a full certificate bundle for Kubernetes infrastructure.
+Done!
 
-Now you can proceed to creating [kubeconfig files](/installation/packages/3kubernetes-configuration-files).
+Now you can proceed to [etcd installation](/installation/packages/4etcd).
diff --git a/content/installation/packages/3kubernetes-configuration-files.md b/content/installation/packages/3kubernetes-configuration-files.md
@@ -11,7 +11,7 @@ menu:
     parent: "packages"
     weight: 4
 
-draft: false
+draft: true
 ---
 
 # Create authentication kubeconfig files
@@ -201,7 +201,7 @@ Distribute certificates across the nodes:
 ```bash
 for instance in node-01 node-02 node-03; do
   scp ca.crt ${instance}.crt ${instance}.key ${instance}:~/
-done 
+done
 ```
 
 Copy the appropriate kubeconfig files for `kubelet` and `kube-proxy` to each worker node:

diff --git a/content/installation/packages/4etcd.md b/content/installation/packages/4etcd.md
@@ -43,8 +43,9 @@ Run:
 ```bash
 {{< highlight bash >}}
 
-sudo cp ca.crt etcd.crt etcd.key /etc/ssl/etcd/
-sudo chown etcd:etcd /etc/ssl/etcd/*.key /etc/ssl/etcd/*.crt
+cd $ETCD_CERTS_DIR
+sudo cp * /etc/ssl/etcd/
+sudo chown etcd:etcd /etc/ssl/etcd/*
 sudo chmod 640 /etc/ssl/etcd/*.key
 
 {{< / highlight >}}
@@ -57,7 +58,7 @@ In the case of etcd installation to master nodes `ETCD_NODE_1_IP` is equal to `M
 Each etcd node must have a unique name within the cluster. Set the etcd node name to match the current node host name.
 
 ```bash
-ETCD_NAME=$(hostname -s)
+ETCD_NAME=$(hostname)
 ```
 
 Edit the etcd config file in `/etc/etcd/etcd.conf`:
@@ -73,12 +74,12 @@ ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-1"
 ETCD_INITIAL_CLUSTER_STATE="new"
 ETCD_CERT_FILE="/etc/ssl/etcd/etcd.crt"
 ETCD_KEY_FILE="/etc/ssl/etcd/etcd.key"
-ETCD_TRUSTED_CA_FILE="/etc/ssl/etcd/ca.crt"
+ETCD_TRUSTED_CA_FILE="/etc/ssl/etcd/etcd-ca.crt"
 ETCD_CLIENT_CERT_AUTH="true"
 ETCD_PEER_CERT_FILE="/etc/ssl/etcd/etcd.crt"
 ETCD_PEER_KEY_FILE="/etc/ssl/etcd/etcd.key"
 ETCD_PEER_CLIENT_CERT_AUTH="true"
-ETCD_PEER_TRUSTED_CA_FILE="/etc/ssl/etcd/ca.crt"
+ETCD_PEER_TRUSTED_CA_FILE="/etc/ssl/etcd/etcd-ca.crt"
 EOF
 ```