Illumina Innovates with Rancher and Kubernetes
Available as of v0.2.0
By default, Kubernetes clusters require certificates and RKE auto-generates the certificates for all the Kubernetes services. RKE can also use custom certificates for these Kubernetes services.
When deploying Kubernetes with RKE, there are two additional options that can be used with rke up so that RKE uses custom certificates.
# Use certificates located in the default directory `/cluster_certs`
$ rke up --custom-certs
# Use certificates located in your own directory
$ rke up --custom-certs --cert-dir ~/my/own/certs
The following certificates must exist in the certificate directory.
* Is the same as kube-ca.pem
** Is the same as kube-ca-key
If you want to create and sign the certificates by a real Certificate Authority (CA), you can use RKE to generate a set of Certificate Signing Requests (CSRs) and keys. Using the rke cert generate-csr command, you can generate the CSRs and keys.
rke cert generate-csr
Set up your cluster.yml with the node information.
Run rke cert generate-csr to generate certificates for the node(s) in the cluster.yml. By default, the CSRs and keys will be saved in ./cluster_certs. To have them saved in a different directory, use --cert-dir to define what directory to have them saved in.
$ rke cert generate-csr
INFO Generating Kubernetes cluster CSR certificates
INFO [certificates] Generating Kubernetes API server csr
INFO [certificates] Generating Kube Controller csr
INFO [certificates] Generating Kube Scheduler csr
INFO [certificates] Generating Kube Proxy csr
INFO [certificates] Generating Node csr and key
INFO [certificates] Generating admin csr and kubeconfig
INFO [certificates] Generating Kubernetes API server proxy client csr
INFO [certificates] Generating etcd-x.x.x.x csr and key
INFO Successfully Deployed certificates at [./cluster_certs]
In addition to the CSRs, you also need to generate the kube-service-account-token-key.pem key. To do this, run the following:
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./cluster_certs/kube-service-account-token-key.pem -out ./cluster_certs/kube-service-account-token.pem
Result: The CSRs and keys will be deployed in ./cluster_certs directory, assuming you didn’t specify a --cert-dir. The CSR files will contain the right Alternative DNS and IP Names for the certificates. You can use them to sign the certificates by a real CA. After the certificates are signed, those certificates can be used by RKE as custom certificates.
$ tree cluster_certs
0 directories, 18 files