3.5 Setting up X.509 Certificates

Communication between the Kubernetes nodes is secured using X.509 certificates.

Before you deploy Kubernetes, you need to configure the X.509 certificates used to manage the communication between the nodes. There are a number of ways to manage and deploy the certificates. You can use:

  • Vault: The certificates are managed using the HashiCorp Vault secrets manager. Certificates are created during the deployment of the Kubernetes module. You need to create a token authentication method for Oracle Linux Cloud Native Environment.

  • CA Certificates: Use your own certificates, signed by a trusted Certificate Authority (CA), and copied to each Kubernetes node before the deployment of the Kubernetes module. These certificates are unmanaged and must be renewed and updated manually.

  • Private CA Certificates: Use generated certificates, signed by a private CA you set up, and copied to each Kubernetes node before the deployment of the Kubernetes module. These certificates are unmanaged and must be renewed and updated manually. A script is provided to help you set this up.

A software-based secrets manager is recommended to manage these certificates. The HashiCorp Vault secrets manager can be used to generate, assign and manage the certificates. Oracle recommends you implement your own instance of Vault, setting up the appropriate security for your environment.

For more information on installing and setting up Vault, see the HashiCorp documentation at:

https://learn.hashicorp.com/vault/operations/ops-deployment-guide

If you do not want to use Vault, you can use your own certificates, signed by a trusted CA, and copied to each node. A script is provided to generate a private CA which allows you to generate certificates for each node. This script also gives you the commands needed to copy the certificates to the nodes.

3.5.1 Setting up Vault Authentication

To configure Vault for use with Oracle Linux Cloud Native Environment, set up a Vault token with the following properties:

  • A PKI secrets engine holding a CA certificate or an intermediate CA certificate, mounted at olcne_pki_intermediary.

  • A role under that PKI mount, named olcne, configured not to require a common name and to allow any name.

  • A token authentication method and policy that attaches to the olcne role and can request certificates.
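The three properties above, expressed as Vault CLI commands. This is an added example and not part of the Oracle documentation; it assumes the vault CLI is installed, VAULT_ADDR and an administrative VAULT_TOKEN point at an unsealed Vault, and the CA common name olcne-ca.example.com is a placeholder.

```shell
#!/bin/sh
# Added example (not from the Oracle page): create the PKI mount, role,
# policy and token that the text requires. Assumes `vault` is on PATH and
# VAULT_ADDR / VAULT_TOKEN give admin access. olcne-ca.example.com is a
# placeholder CA name.

PKI_PATH="olcne_pki_intermediary"   # mount path named in the text
ROLE="olcne"                        # role name named in the text

# Least-privilege policy for the node token: it may only request
# certificates from the olcne role. It cannot read the CA key, change the
# role or issue certificates from any other mount.
olcne_policy() {
    cat <<EOF
path "${PKI_PATH}/issue/${ROLE}" {
  capabilities = ["create", "update"]
}
EOF
}

# Runs the Vault steps; not executed at load time, call it explicitly.
olcne_vault_setup() {
    # 1. PKI secrets engine at the expected mount with an internal CA.
    #    For a true intermediate, generate a CSR here instead and have
    #    your root CA sign it.
    vault secrets enable -path="${PKI_PATH}" pki || return 1
    vault secrets tune -max-lease-ttl=8760h "${PKI_PATH}" || return 1
    vault write "${PKI_PATH}/root/generate/internal" \
        common_name="olcne-ca.example.com" ttl=8760h || return 1
    # 2. Role that does not require a CN and allows any name, as stated.
    vault write "${PKI_PATH}/roles/${ROLE}" \
        require_cn=false allow_any_name=true max_ttl=720h || return 1
    # 3. Policy limited to issuing from that role, attached to a new token.
    olcne_policy | vault policy write "${ROLE}" - || return 1
    vault token create -policy="${ROLE}" -ttl=24h -field=token
}

# Sanity check after setup: the issued token should be denied on the role
# definition path and allowed on the issue path, e.g.
#   vault token capabilities "$TOKEN" "${PKI_PATH}/roles/${ROLE}"   # deny
#   vault token capabilities "$TOKEN" "${PKI_PATH}/issue/${ROLE}"   # create, update
```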

For information on setting up the Vault PKI secrets engine to generate dynamic X.509 certificates, see:

https://www.vaultproject.io/docs/secrets/pki/index.html

For information on creating Vault tokens, see:

https://www.vaultproject.io/docs/commands/token/create.html