Now that our CA is configured and its certificate files generated, we can start issuing certificates for our admin user and for the kubelet on each worker node.
The process and the files that we are going to create are very similar to the CA ones, but with slight differences in the commands that we use to generate them.
Let's create a directory for our admin certs using the following command:
johndoe@management-vm$ mkdir ~/certs/admin/
johndoe@management-vm$ cd ~/certs/admin/
First, create the admin user certificate. This is the certificate our administrators will present to the API server when managing the cluster with kubectl.
Again, we generate the JSON for the CSR using the following command:
johndoe@management-vm$ cat << EOF > admin-csr.json
{
"CN": "admin",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "New York",
"O": "system:masters",
"OU": "Kubernetes",
"ST": "NY"
}
]
}
EOF
Two fields in that JSON matter for security. kube-apiserver takes the username from the CN and the group from O, and the system:masters group is bound to the cluster-admin ClusterRole, so this certificate grants full control of the cluster. Kubernetes also does not check certificate revocation, so a leaked admin-key.pem stays usable until the certificate expires or the CA is replaced; protect the key file accordingly. With our JSON ready, let's sign and create the admin certificate using the following command:
johndoe@management-vm$ cfssl gencert \
-ca=../ca.pem \
-ca-key=../ca-key.pem \
-config=../ca-config.json \
-profile=kubernetes \
admin-csr.json | cfssljson -bare admin
The process for creating the kubelet certificates is a little different from the admin and CA certs. The CN must be system:node:<hostname> and the O must be system:nodes: that is the form the Node authorizer and the system:nodes RBAC bindings look for, and a kubelet presenting anything else is not recognised as a node. In addition, the API server connects back to the kubelet for logs, exec and port-forward, and when it is configured to verify the kubelet's serving certificate it checks the address it connected to against that certificate, so the node's hostname and IP address must be present as subject alternative names. That is what the -hostname flag below adds.
Create the directory using the following command:
johndoe@management-vm$ mkdir ~/certs/kubelet/
johndoe@management-vm$ cd ~/certs/kubelet/
Then create the CSR JSON, which differs from the admin one only in the CN and O fields:
johndoe@management-vm$ cat << EOF > kube-node-1-csr.json
{
"CN": "system:node:kube-node-1",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "New York",
"O": "system:nodes",
"OU": "Kubernetes",
"ST": "NY"
}
]
}
EOF
The command that signs it is also a little different, as it gains the -hostname flag:
johndoe@management-vm$ cfssl gencert \
-ca=../ca.pem \
-ca-key=../ca-key.pem \
-config=../ca-config.json \
-hostname=192.168.0.21,kube-node-1 \
-profile=kubernetes \
kube-node-1-csr.json | cfssljson -bare kube-node-1
The -hostname flag takes a comma-separated list of every IP address and DNS name the node is reachable by; each entry becomes a subject alternative name, and a connection from the API server to an address missing from that list fails TLS verification. Now generate a certificate for each worker node, substituting that node's name and addresses in both the CSR and the -hostname flag; the CN has to change with the node name, since that is how the node is identified.
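The whole procedure above (the admin cert plus one kubelet cert per worker node) as a single script, added here as an example and not part of the original page: it generates each CSR from a small inventory, signs it with the same cfssl invocation shown above, and then uses openssl to check that the issued certificate carries the CN, O and subject alternative names we intended and chains to ca.pem. The node names and addresses are made up, and the location of the CA files is an assumption (set CA_DIR to override it); cfssl, cfssljson and openssl are assumed to be on PATH.

```sh
#!/bin/sh
# Added example, not part of the original page: issue the admin and kubelet
# certificates from one inventory, then verify the fields the API server
# actually authenticates on. Assumes cfssl, cfssljson and openssl are on PATH
# and that ca.pem, ca-key.pem and ca-config.json live in $CA_DIR.
set -eu

CA_DIR="${CA_DIR:-$HOME/certs}"   # assumed location of the CA files

# Constructed inventory (assumed node names and addresses): "<name> <ip>".
NODES="kube-node-1 192.168.0.21
kube-node-2 192.168.0.22"

# CSR JSON for a client identity. kube-apiserver takes the username from CN
# ($1) and the group from O ($2), so these two fields are the whole identity.
csr_json() {
  cat <<EOF
{
  "CN": "$1",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "US", "L": "New York", "O": "$2", "OU": "Kubernetes", "ST": "NY" }
  ]
}
EOF
}

# Sign one CSR with the CA into <name>.pem / <name>-key.pem. $4 (optional) is
# the comma-separated SAN list handed to -hostname; only certificates that
# are also presented as a server, like the kubelet's, need it.
issue_cert() {
  local name="$1" cn="$2" org="$3" sans="${4:-}" hostflag=""
  if [ -n "$sans" ]; then hostflag="-hostname=$sans"; fi
  csr_json "$cn" "$org" > "$name-csr.json"
  cfssl gencert -ca="$CA_DIR/ca.pem" -ca-key="$CA_DIR/ca-key.pem" \
    -config="$CA_DIR/ca-config.json" -profile=kubernetes \
    ${hostflag:+"$hostflag"} "$name-csr.json" | cfssljson -bare "$name"
}

# Text-only checks, kept apart from openssl so they can be exercised alone.
# $1 is the line printed by `openssl x509 -noout -subject`, $2 the expected
# CN, $3 the expected O; both the "C = US, O = ..." and "/C=US/O=..." output
# styles of openssl are accepted.
subject_ok() {
  printf '%s\n' "$1" | grep -Eq "(^|[ ,/])O ?= ?$3(,|/|\$)" &&
    printf '%s\n' "$1" | grep -Eq "(^|[ ,/])CN ?= ?$2(,|/|\$)"
}

# $1 is the SAN line from `openssl x509 -noout -text`; every entry of $2 (the
# comma-separated -hostname value) must appear as a DNS: or IP Address: SAN.
sans_ok() {
  local san_line="$1" entry
  local IFS=','
  for entry in $2; do
    printf '%s\n' "$san_line" | grep -Eq "(DNS|IP Address):$entry(,|\$)" || return 1
  done
}

# Verify an issued certificate against the identity we meant to give it and
# confirm that it chains to our CA.
verify_cert() {
  local name="$1" cn="$2" org="$3" sans="${4:-}" subject san_line
  subject=$(openssl x509 -in "$name.pem" -noout -subject)
  subject_ok "$subject" "$cn" "$org" ||
    { echo "$name.pem: unexpected subject: $subject" >&2; return 1; }
  if [ -n "$sans" ]; then
    san_line=$(openssl x509 -in "$name.pem" -noout -text |
      grep -A1 'Subject Alternative Name' | tail -n 1)
    sans_ok "$san_line" "$sans" ||
      { echo "$name.pem: SAN missing from: $san_line" >&2; return 1; }
  fi
  openssl verify -CAfile "$CA_DIR/ca.pem" "$name.pem" >/dev/null
  echo "ok: $name.pem CN=$cn O=$org${sans:+ SAN=$sans}"
}

# Apply $1 (issue_cert or verify_cert) to the admin identity and every node.
each_identity() {
  (cd "$CA_DIR/admin" && "$1" admin admin system:masters)
  printf '%s\n' "$NODES" | while read -r node ip; do
    [ -n "$node" ] || continue
    (cd "$CA_DIR/kubelet" && "$1" "$node" "system:node:$node" system:nodes "$ip,$node")
  done
}

case "${1:-}" in
  issue)  mkdir -p "$CA_DIR/admin" "$CA_DIR/kubelet"; each_identity issue_cert ;;
  verify) each_identity verify_cert ;;
  *)      echo "usage: $0 issue|verify" >&2 ;;
esac
```

Run it on the management VM as `sh issue-certs.sh issue` and then `sh issue-certs.sh verify`. The verify step is worth keeping: cfssl signs whatever subject it is given, so a typo in O or a node name left over from the previous copy of the CSR is not caught at issue time and only appears later as Forbidden responses from the API server, or as TLS errors when the API server tries to reach a kubelet at an address that is not in its SANs.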