3.5.3 Setting up Private CA Certificates

This section shows you how to create a private CA, and use that to generate signed certificates for the nodes.

To generate certificates using a private CA:

  1. (Optional) You can set up keyless SSH between the operator node and the Kubernetes nodes to make it easier to copy the certificates to the nodes. For information on setting up keyless SSH, see Oracle® Linux: Connecting to Remote Systems With OpenSSH.

  2. Use the /etc/olcne/gen-certs-helper.sh script to generate a private CA and certificates for the nodes.

    Tip

    The gen-certs-helper.sh script saves the certificate files to the directory from which you run the script. The gen-certs-helper.sh script also creates a script you can use to copy the certificates to each Kubernetes node (olcne-transfer-certs.sh). If you run the gen-certs-helper.sh script from the /etc/olcne directory, it uses the default certificate directory used in this book (/etc/olcne/certificates/) when creating the olcne-transfer-certs.sh script. This means you can start up the Platform API Server, and the Platform Agent on Kubernetes nodes, using the default certificate directory locations as shown in this book. You could also use the --cert-dir option to specify the location to save the certificates and transfer script.

    Provide the nodes for which you want to create certificates using the --nodes option. You should create a certificate for each node that runs the Platform API Server or Platform Agent. That is, for the operator node, and each Kubernetes node. If you are deploying a multi-master Kubernetes deployment using a virtual IP address, you do not need to create a certificate for a virtual IP address.

    Provide the private CA information using the --cert-request* options (some, but not all, of these options are shown in the example). You can get a list of all command options using the gen-certs-helper.sh --help command.

    For example:

    $ cd /etc/olcne
    $ sudo ./gen-certs-helper.sh \
      --cert-request-organization-unit "My Company Unit" \
      --cert-request-organization "My Company" \
      --cert-request-locality "My Town" \
      --cert-request-state "My State" \
      --cert-request-country US \
      --cert-request-common-name cloud.example.com \
      --nodes operator.example.com,master1.example.com,worker1.example.com,worker2.example.com,worker3.example.com

    The certificates and keys for each node are generated and saved to the directory:

    /path/configs/certificates/tmp-olcne/node/

    Where path is the directory from which you ran the gen-certs-helper.sh script, or the location you set with the --cert-dir option; and node is the name of the node for which the certificate was generated.

    The private CA certificate and key files are saved to the directory:

    /path/configs/certificates/production/

  3. Copy the certificate generated for a node from the /path/configs/certificates/tmp-olcne/node/ directory to that node.

    To make sure the Platform Agent on each Kubernetes node, and the Platform API Server have access to certificates, make sure you copy them into the /etc/olcne/certificates/ directory on each node. The path to the certificates is used when setting up the Platform Agent and Platform API Server, and when creating an environment.

    The examples in this book use the /etc/olcne/configs/certificates/production/ directory as the location for certificates on nodes.

    A script is created to help you copy the certificates to the nodes, /path/configs/certificates/olcne-transfer-certs.sh. You can use this script and modify it to suit your needs, or transfer the certificates to the nodes using some other method.

    Important

    If you set up keyless SSH, change the USER variable in this script to the user you set up with keyless SSH.

    Run the script to copy the certificates to the nodes:

    $ bash -ex /path/configs/certificates/olcne-tranfer-certs.sh
  4. Make sure the olcne user on each node that runs the Platform API Server or Platform Agent is able to read the directory in which you copy the certificates. If you used the default path for certificates of /etc/olcne/certificates/, the olcne user has read access.

    If you used a different path, check the olcne user can read the certificate path. On the operator node, and each Kubernetes node, run:

    $ sudo -u olcne ls /path/configs/certificates/production
    ca.cert  node.cert  node.key

    You should see a list of the certificates and key for the node.