Setup Kubermatic with self-signed CAs

easyrsa - create your own CA (if needed)

easyrsa can be used to create a CA and manually issue certificates for your ingress.

  1. Download, unpack, and initialize the patched version of easyrsa3.

    curl -LO https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz
    tar xzf easy-rsa.tar.gz
    cd easy-rsa-master/easyrsa3
    ./easyrsa init-pki
  2. Generate a new certificate authority (CA). --batch sets automatic mode; --req-cn specifies the Common Name (CN) for the CA's new root certificate.

    DOMAIN=YOURDOMAIN.loodse.training
    ./easyrsa --batch "--req-cn=$DOMAIN" build-ca nopass

    A new CA key pair has now been generated:

    ./easy-rsa-master/easyrsa3/pki/private/ca.key
    ./easy-rsa-master/easyrsa3/pki/ca.crt

    nopass leaves ca.key unencrypted. This key signs every certificate cert-manager will issue, so restrict access to it; only ca.crt is meant to be distributed.

Configure Kubermatic

See Using a Custom CA in the Kubermatic documentation.

Update the cluster issuer used by cert-manager in values.yaml:

Configure your custom CA as follows (for details see cert-manager.io, Configuration > CA):

dex:
  ingress:
    # configure your base domain, under which the Kubermatic dashboard shall be available
    host: example.kubermatic.com

  # .....

  # the cert-manager Issuer (or ClusterIssuer) responsible for managing the certificates
  certIssuer:
    name: ca-prod
    kind: ClusterIssuer

Apply the ClusterIssuer manifest certmanager.issuer.yaml (a cert-manager issuer of kind CA that signs with ca.crt/ca.key stored in a Secret):

kubectl apply -f certmanager.issuer.yaml
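The page does not show certmanager.issuer.yaml itself. The script below is an added example, not the page's or Kubermatic's own code: it sanity-checks the easyrsa CA, stores it as a kubernetes.io/tls Secret and renders and applies a cert-manager CA ClusterIssuer named ca-prod, matching certIssuer.name in values.yaml. The cert-manager.io/v1 API version, the cert-manager namespace, the secret name ca-prod-key-pair and kubectl >= 1.18 (for --dry-run=client) are assumptions; adjust them to your installation.

```shell
#!/usr/bin/env bash
# Added example, not part of this page or of Kubermatic: load the easyrsa CA into
# cert-manager and create the ClusterIssuer "ca-prod" that values.yaml points at.
# Assumptions (not from the page): cert-manager.io/v1 API, cert-manager installed in
# namespace "cert-manager", secret name "ca-prod-key-pair", kubectl >= 1.18.
set -eu

CA_CRT="${CA_CRT:-./easy-rsa-master/easyrsa3/pki/ca.crt}"
CA_KEY="${CA_KEY:-./easy-rsa-master/easyrsa3/pki/private/ca.key}"
ISSUER_NAME="${ISSUER_NAME:-ca-prod}"               # must equal dex.ingress.certIssuer.name
CA_SECRET="${CA_SECRET:-ca-prod-key-pair}"          # assumed secret name
CERT_MANAGER_NS="${CERT_MANAGER_NS:-cert-manager}"  # a ClusterIssuer reads its secret from here

# Render certmanager.issuer.yaml: a CA issuer signs with the key pair stored in a
# kubernetes.io/tls secret (tls.crt / tls.key) in cert-manager's own namespace.
render_ca_issuer() {
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: $1
spec:
  ca:
    secretName: $2
EOF
}

# Refuse to install a CA that cannot sign: the certificate must carry CA:TRUE,
# must not have expired, and its public key must match the private key.
check_ca_files() {
  crt=$1; key=$2
  openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE' \
    || { echo "$crt is not a CA certificate" >&2; return 1; }
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
    || { echo "$crt has expired" >&2; return 1; }
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "$key does not belong to $crt" >&2; return 1; }
}

install_ca_issuer() {
  check_ca_files "$CA_CRT" "$CA_KEY"
  # render the secret client-side and apply it, so re-running updates a rotated CA
  kubectl -n "$CERT_MANAGER_NS" create secret tls "$CA_SECRET" \
    --cert="$CA_CRT" --key="$CA_KEY" --dry-run=client -o yaml | kubectl apply -f -
  render_ca_issuer "$ISSUER_NAME" "$CA_SECRET" > certmanager.issuer.yaml
  kubectl apply -f certmanager.issuer.yaml
  kubectl wait --for=condition=Ready "clusterissuer/$ISSUER_NAME" --timeout=60s
}

# Usage: ./ca-issuer.sh install   (without arguments the script only defines the functions)
case "${1:-}" in
  install) install_ca_issuer ;;
esac
```

The key pair check matters because cert-manager only reports a CA issuer as not Ready after the secret is in place; catching a wrong or expired file before it is uploaded saves a debugging round.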

Apply the Kubermatic configuration changes

(for OIDC auth) add caBundle

Create a CA bundle from the generated ca.crt and, if the chain needs them, any further CA certificates (see How do I make my own bundle file from CRT files?). Encode it as a single base64 line:

base64 -w 0 ./easy-rsa-master/easyrsa3/pki/ca.crt
# copy the output to the clipboard (-w 0 is GNU base64; on macOS use base64 | tr -d '\n')

Add the bundle to the KubermaticConfiguration object as spec.auth.caBundle (base64-encoded, i.e. the output of the command above; the placeholder below stands for that content):

apiVersion: operator.kubermatic.io/v1alpha1
kind: KubermaticConfiguration
metadata:
  name: kubermatic
  namespace: kubermatic
spec:
  # ....
  auth:
    caBundle: |
      -----BEGIN CERTIFICATE-----
      <certificate 1 here>
      -----END CERTIFICATE-----
    clientID: kubermatic
    issuerClientID: kubermaticIssuer
    # true disables TLS verification of the token issuer entirely, so the caBundle above is not checked;
    # set it to false once dex serves a certificate issued by ca-prod, and always when using letsencrypt-prod
    skipTokenIssuerTLSVerify: true
    tokenIssuer: https://example.kubermatic.com/dex

Update Kubermatic and check

Run the normal installation script again and check:

  1. The issuer is ready
    kubectl get clusterissuers.cert-manager.io
    NAME                  READY   AGE
    ca-prod               True    1m
    letsencrypt-prod      True    12h
    letsencrypt-staging   True    12h
  2. The certificates were freshly issued (recent AGE; no certificates from the old issuer should remain)
    kubectl get certificate -A
    NAMESPACE    NAME         READY   SECRET           AGE
    kubermatic   kubermatic   True    kubermatic-tls   1m
    oauth        dex          True    dex-tls          1m

IMPORTANT: if the certificates are old or not ready, redeploy the affected components (oauth and kubermatic) so that new certificates are requested from ca-prod.

  3. No pods are crashing in the kubermatic and oauth namespaces
    kubectl get pods -n kubermatic
    kubectl get pods -n oauth
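READY columns alone do not prove that the new certificates were issued by the self-signed CA rather than left over from the previous issuer. The following script is an added example, not part of this page or of Kubermatic: it builds the PEM bundle for caBundle from ca.crt (and any further CA files) in a portable way, refusing private keys and non-PEM input, and after the redeploy verifies the certificates in the kubermatic-tls and dex-tls secrets against ca.crt with openssl. The secret names and namespaces are taken from the kubectl output above; openssl and kubectl on the PATH are assumed.

```shell
#!/usr/bin/env bash
# Added example, not part of this page or of Kubermatic: build the PEM bundle for
# spec.auth.caBundle and, after the redeploy, check that the certificates in the
# kubermatic-tls and dex-tls secrets really chain to the new CA.
# Assumptions (not from the page): secret names and namespaces as listed by
# "kubectl get certificate -A" above; openssl and kubectl on the PATH.
set -eu

CA_CRT="${CA_CRT:-./easy-rsa-master/easyrsa3/pki/ca.crt}"

# Number of PEM certificate blocks in a file (0 for DER, keys or empty files).
count_pem_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Concatenate CA certificates (root first, then any intermediates) into one bundle.
# Refuses inputs that are not PEM certificates and never lets a private key through.
make_ca_bundle() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    if grep -q 'PRIVATE KEY' "$f"; then
      echo "refusing $f: contains a private key" >&2; return 1
    fi
    if [ "$(count_pem_certs "$f")" -eq 0 ]; then
      echo "refusing $f: no PEM certificate found (DER file? wrong file?)" >&2; return 1
    fi
    awk 1 "$f" >> "$out"   # awk 1 copies the file and guarantees a trailing newline
  done
  count_pem_certs "$out"   # total number of certificates in the bundle
}

# Single-line base64, portable: GNU base64 needs -w 0, BSD/macOS base64 has no -w.
base64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Pull the certificate cert-manager stored in a TLS secret and verify it against our CA.
# Fails while the secret still holds a certificate from the previous issuer.
verify_tls_secret() {
  ns=$1; secret=$2
  tmp=$(mktemp)
  kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.tls\.crt}' | base64 -d > "$tmp"
  openssl x509 -in "$tmp" -noout -subject -issuer -enddate
  openssl verify -CAfile "$CA_CRT" "$tmp" || { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
}

# Usage: ./ca-check.sh bundle [extra.crt ...]   or   ./ca-check.sh verify
case "${1:-}" in
  bundle) shift
          make_ca_bundle ca-bundle.pem "$CA_CRT" "$@"
          base64_oneline ca-bundle.pem; echo ;;
  verify) kubectl wait --for=condition=Ready clusterissuer/ca-prod --timeout=60s
          verify_tls_secret kubermatic kubermatic-tls
          verify_tls_secret oauth dex-tls ;;
esac
```

A verify failure right after the redeploy usually means the secret still holds the old certificate; redeploy the component as the IMPORTANT note above says and run the check again.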