kubernetes-retired/kube-aws

How to pass CA authority certificate with generated certificates

mixecan opened this issue · 2 comments

I signed the ca.pem with my company's CA authority. The cluster runs without any problem but SSL requests to the api server fail due to a failure in SSL verification. Requests are performed using the certificate in the service account.
The failure is expected as neither the service account certificate nor the node/pod have the certificate of the CA authority and so are unable to verify the cert chain.

Is there a correct way to pass the authority cert to the cluster?
I was planning to append it to the ca.pem file (and update the cluster deployment), but when I run kube-aws render credentials ... the ca.pem file is cleaned of the authority certificate.

Sorry it took a while to get back to you. If I'm understanding the question, would this work for you?

$ kube-aws render credentials --ca-cert-path=./credentials/ca.pem --ca-key-path=./credentials/ca-key.pem

That is the command that I use to generate the cluster certificates.
But I chose to sign the cluster CA certificate with my company's CA authority and failed to provide its public key to the cluster nodes. This results in a failure in SSL verification when performing requests to the cluster API from within a pod.

In fact, if I run curl -vI --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt https://kubernetes I get

*   Trying 10.3.0.1...
* Connected to 10.3.0.1 (10.3.0.1) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

How can I add our CA public key to the cluster nodes?
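The failure above is the generic "trust store contains an intermediate but not its issuer" problem, independent of kube-aws. The script below is an added example (not code from the kube-aws project or from either poster) that rebuilds the situation with openssl: a self-signed "company" root, a cluster CA signed by that root (playing the role of ca.pem), and an API-server leaf signed by the cluster CA. It then verifies the leaf against three trust bundles. All names (Example Corp Root CA, kube-ca, kubernetes) and file names are constructed for the example; it assumes an openssl binary (1.1.1 or newer) on PATH.

```shell
#!/bin/sh
# Added example: reproduce "unable to get (local) issuer certificate" when a
# cluster CA is itself signed by a corporate root, and show that the trust
# bundle handed to clients must contain the complete chain up to that root.
set -eu
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
cd "$WORK"

# Extensions that mark a certificate as a CA (used for root and cluster CA).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
# Leaf extension: the API server is reached as https://kubernetes.
printf 'subjectAltName=DNS:kubernetes\n' > leaf.ext

make_chain() {
  # 1. Company root CA, self-signed (constructed name).
  openssl req -newkey rsa:2048 -nodes -keyout root-key.pem -out root.csr \
    -subj "/CN=Example Corp Root CA" >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root-key.pem -out root.pem \
    -days 365 -extfile ca.ext >/dev/null 2>&1

  # 2. Cluster CA (stands in for kube-aws ca.pem / ca-key.pem), signed by the root.
  openssl req -newkey rsa:2048 -nodes -keyout ca-key.pem -out ca.csr \
    -subj "/CN=kube-ca" >/dev/null 2>&1
  openssl x509 -req -in ca.csr -CA root.pem -CAkey root-key.pem -CAcreateserial \
    -out ca.pem -days 365 -extfile ca.ext >/dev/null 2>&1

  # 3. API server leaf, signed by the cluster CA.
  openssl req -newkey rsa:2048 -nodes -keyout apiserver-key.pem -out apiserver.csr \
    -subj "/CN=kubernetes" >/dev/null 2>&1
  openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
    -out apiserver.pem -days 365 -extfile leaf.ext >/dev/null 2>&1

  # The bundle a pod's ca.crt (or a node's trust store) would need: cluster CA + root.
  cat ca.pem root.pem > ca-bundle.pem
}

verify_apiserver() {
  # $1 = PEM trust bundle. Prints "ok" when the leaf verifies, "missing-issuer"
  # when openssl cannot walk the chain to a trusted self-signed root, else "fail".
  if out=$(openssl verify -CAfile "$1" apiserver.pem 2>&1); then
    echo ok
  else
    case "$out" in
      *"unable to get issuer certificate"*|*"unable to get local issuer certificate"*)
        echo missing-issuer ;;
      *) echo fail ;;
    esac
  fi
}

make_chain

# Same situation as the curl run in the thread: only the cluster CA is trusted.
echo "trust ca.pem only      : $(verify_apiserver ca.pem)"
# Root alone is not enough either: the intermediate is missing from the chain.
echo "trust root.pem only    : $(verify_apiserver root.pem)"
# Full chain present: verification succeeds.
echo "trust ca-bundle.pem    : $(verify_apiserver ca-bundle.pem)"
```

Two things the output makes concrete. First, a verifier needs to reach a self-signed certificate it trusts; a ca.pem that is itself signed by another CA is only an intermediate, so handing pods that file alone leaves the chain dangling exactly as in the curl trace. Second, the bundle that fixes it is simply the concatenation of the cluster CA and the corporate root, which is what the first post tried to append to ca.pem; whether kube-aws will distribute such a bundle unchanged is the open question of this thread, not something the script answers.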