Tags: kubernetes, kops, kubernetes-security

kubernetes: CA file when deploying via kops


I have created a cluster on aws using kops.

However I am unable to find the file used as/by the certificate authority for spawning off client certs.

Does kops create such a thing by default?

If so, what is the recommended process for creating client certs?

The kops documentation is not very clear about this.


Solution

  • I've done it like this in the past:

    1. Download the kops-generated CA certificate and signing key from S3:
      • s3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/private/ca/*.key
      • s3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/issued/ca/*.crt
    2. Generate a client key: openssl genrsa -out client-key.pem 2048
    3. Generate a CSR:

      openssl req -new \
        -key client-key.pem \
        -out client-csr.pem \
        -subj "/CN=<CLIENT_CN>/O=dev"

    4. Generate a client certificate:

      openssl x509 -req \
        -in client-csr.pem \
        -CA <PATH_TO_DOWNLOADED_CA_CERT> \
        -CAkey <PATH_TO_DOWNLOADED_CA_KEY> \
        -CAcreateserial \
        -out client-crt.pem \
        -days 10000
      
    5. Base64-encode the client key, client certificate, and CA certificate, and populate those values in a config.yml, e.g. this
    6. Distribute the populated config.yml to your developers.

    Steps 5 and 6 can obviously be done by whatever means you want; you don't need to make the config.yml for your developers.
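The procedure in the answer above, carried through end to end as an added example (not the answerer's own script and not part of kops): steps 2 to 5 as shell functions, plus the two checks a practitioner would want before handing the file out, namely that the issued certificate actually chains to the CA and that the base64 blob embedded in the kubeconfig decodes back to the certificate that was signed. The CA is a throwaway one generated locally so the script runs offline; in real use `ca.crt`/`ca.key` would be the files downloaded from the kops S3 bucket in step 1. The client name `alice`, the group `dev`, the `api.example.invalid` server URL and the `kops-cluster` context name are all constructed placeholders.

```shell
#!/bin/sh
# Added example: CA-signed client cert + kubeconfig assembly (steps 2-5 above).
# The CA below is a constructed stand-in; replace with the kops-issued ca.crt/ca.key.
set -e

WORK="${WORK:-$(mktemp -d)}"
CLIENT_CN="${1:-alice}"      # CN becomes the Kubernetes username
CLIENT_ORG="${2:-dev}"       # O becomes a Kubernetes group, bind it with RBAC
DAYS="${3:-365}"             # keep this short: Kubernetes honours no CRL, so a
                             # cert signed by the cluster CA cannot be revoked
SERVER="${SERVER:-https://api.example.invalid}"   # placeholder API endpoint

# Constructed throwaway CA standing in for the one downloaded from S3.
make_test_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -days 30 -subj "/CN=test-ca" \
    -out "$WORK/ca.crt"
}

# Steps 2-4: client key, CSR with CN/O, certificate signed by the CA.
issue_client_cert() {
  openssl genrsa -out "$WORK/client-key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/client-key.pem" -out "$WORK/client-csr.pem" \
    -subj "/CN=$CLIENT_CN/O=$CLIENT_ORG"
  openssl x509 -req -in "$WORK/client-csr.pem" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/client-crt.pem" -days "$DAYS" 2>/dev/null
}

# Check: the cert must validate against the CA and carry the expected subject.
verify_client_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client-crt.pem" >/dev/null
  openssl x509 -in "$WORK/client-crt.pem" -noout -subject
}

# Step 5: single-line base64 of each PEM, embedded in a kubeconfig.
b64() { openssl base64 -A -in "$1"; }

write_kubeconfig() {
  cat > "$WORK/config.yml" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kops-cluster
  cluster:
    server: $SERVER
    certificate-authority-data: $(b64 "$WORK/ca.crt")
users:
- name: $CLIENT_CN
  user:
    client-certificate-data: $(b64 "$WORK/client-crt.pem")
    client-key-data: $(b64 "$WORK/client-key.pem")
contexts:
- name: $CLIENT_CN@kops-cluster
  context:
    cluster: kops-cluster
    user: $CLIENT_CN
current-context: $CLIENT_CN@kops-cluster
EOF
  echo "$WORK/config.yml"
}

# Round-trip check: the embedded blob decodes to the certificate we signed.
kubeconfig_cert_matches() {
  emb=$(sed -n 's/^ *client-certificate-data: //p' "$WORK/config.yml")
  [ "$(printf '%s' "$emb" | openssl base64 -d -A | openssl x509 -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$WORK/client-crt.pem" -noout -fingerprint -sha256)" ]
}

run_all() {
  make_test_ca
  issue_client_cert
  verify_client_cert
  write_kubeconfig
  kubeconfig_cert_matches
}
```

Run it as `sh issue.sh alice dev 365`; the path to the generated `config.yml` is printed on success. The `-days 10000` in the answer works, but because the API server checks only the CA signature and validity window, a leaked developer cert stays usable until it expires, so a much shorter lifetime plus an RBAC binding scoped to the `O=` group is the safer default.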