kind-vase-40458
12/20/2022, 7:30 PM
`dynamic-cert.json` (but couldn't find it in the code) Wondering why is this departure from standard K8s? I don't seem to find docs regarding this on K8s.

creamy-pencil-82913
12/20/2022, 7:59 PM

kind-vase-40458
12/20/2022, 8:07 PM
`--tls-cert-file`
`--tls-private-key-file`
and then kubeconfig will have CA to verify the cert of the server
`certificate-authority`
following this guide "The API server's TLS certificate (and certificate authority)"
Here, there's no dynamic certs, so server doesn't need to take CA. Client has CA for verification

creamy-pencil-82913
12/20/2022, 8:17 PM

kind-vase-40458
12/20/2022, 8:19 PM

creamy-pencil-82913
12/20/2022, 8:21 PM

kind-vase-40458
12/20/2022, 8:25 PM
> using tools like cert-manager to provision certificates from an external trusted CA.
with this solution, the current functionality of cluster generating dynamic certs will require that you have access to private key of this CA? Is that reasonable generally? Maybe it's our internal constraints here that the security will not give us the private key for the root CA

creamy-pencil-82913
12/20/2022, 8:25 PM

kind-vase-40458
12/20/2022, 8:28 PM

creamy-pencil-82913
12/20/2022, 8:28 PM
> Even though the custom CA certificate may be included in the filesystem (in the ConfigMap `kube-root-ca.crt`), you should not use that certificate authority for any purpose other than to verify internal Kubernetes endpoints. An example of an internal Kubernetes endpoint is the Service named `kubernetes` in the default namespace.
> If you want to use a custom certificate authority for your workloads, you should generate that CA separately, and distribute its CA certificate using a ConfigMap that your pods have access to read.

hallowed-ocean-20951
12/20/2022, 9:38 PM

kind-vase-40458
12/20/2022, 10:37 PM

hallowed-ocean-20951
12/20/2022, 10:40 PM

kind-vase-40458
12/21/2022, 5:06 AM

creamy-pencil-82913
12/21/2022, 7:07 AM

kind-vase-40458
12/21/2022, 7:08 AM

creamy-pencil-82913
12/21/2022, 7:09 AM

kind-vase-40458
12/21/2022, 7:10 AM

creamy-pencil-82913
12/21/2022, 7:11 AM
brandond@dev01:~$ cat ~/.kube/k3s-server-1.yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJlRENDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdGMyVnkKZG1WeUxXTmhRREUyTnpFMU1ESXpNREF3SGhjTk1qSXhNakl3TURJeE1UUXdXaGNOTXpJeE1qRTNNREl4TVRRdwpXakFqTVNFd0h3WURWUVFEREJock0zTXRjMlZ5ZG1WeUxXTmhRREUyTnpFMU1ESXpNREF3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFUL3poaVVDWFZtc1BHd0JSZ0R2dmI4cllqTXNZQlVOTktlUXlVMEFFWXgKK2s4UENyWVQ5aTlRK1pHL1g0SHF5ekRpWjYxUTFQYmdaOGFuZC9VM2F2MzRvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVXhocXhwakwvakhUTnJQUWZpSmpVCmZYZWpScG93Q2dZSUtvWkl6ajBFQXdJRFNRQXdSZ0loQU93WXNSVzNTTGhBdjZmVlRZN2V1bEp6ZWVsaklSQnYKd1cyTjJQQVBHTXRyQWlFQWg4SU5KNlMzZElTUVRlb1BXZzJpVXdObnl3MVBzT2c1Z1dxVHkvaDJpR0k9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    server: https://172.17.0.4:6443
  name: default
kind-vase-40458
12/21/2022, 7:13 AM
import (
	"k8s.io/client-go/rest"
	v1 "k8s.io/client-go/kubernetes/typed/core/v1"
	// SecretHandleConfig and unsaferawsecret come from the poster's own code base;
	// their import path is not shown in the thread.
)

// NewCoreV1ClientForConfig copies the bearer token and CA bundle out of the
// secret handles into the rest.Config, then builds the typed CoreV1 client.
func NewCoreV1ClientForConfig(c *rest.Config, shc SecretHandleConfig) (*v1.CoreV1Client, error) {
	if shc.BearerToken != nil {
		shc.BearerToken.UnsafeAccessRawSecret(func(raw *unsaferawsecret.RawSecret) {
			c.BearerToken = string(raw.Value)
		})
	}
	if shc.CAData != nil {
		shc.CAData.UnsafeAccessRawSecret(func(raw *unsaferawsecret.RawSecret) {
			c.CAData = raw.Value
		})
	}
	return v1.NewForConfig(c)
}
creamy-pencil-82913
12/21/2022, 7:13 AM

kind-vase-40458
12/21/2022, 7:13 AM

creamy-pencil-82913
12/21/2022, 7:14 AM

kind-vase-40458
12/21/2022, 7:15 AM

creamy-pencil-82913
12/21/2022, 7:15 AM

kind-vase-40458
12/21/2022, 7:16 AM

creamy-pencil-82913
12/21/2022, 7:17 AM

kind-vase-40458
12/21/2022, 7:18 AM

creamy-pencil-82913
12/21/2022, 7:18 AM

kind-vase-40458
12/21/2022, 7:20 AM

creamy-pencil-82913
12/21/2022, 7:20 AM

kind-vase-40458
12/21/2022, 7:22 AM
> It contains all of the configuration necessary for a Kubernetes client to connect to the apiserver.
thanks for explaining.. seems like when we manually build client like what i shared above, i could alternatively use kubeconfig instead

creamy-pencil-82913
12/21/2022, 7:22 AM

kind-vase-40458
12/21/2022, 7:23 AM

creamy-pencil-82913
12/21/2022, 7:24 AM
`client, err := clientcmd.BuildConfigFromFlags("", cfg.Kubeconfig)`
where `cfg.Kubeconfig` is the path to a file.

kind-vase-40458
12/21/2022, 7:25 AM

creamy-pencil-82913
12/21/2022, 7:26 AM

kind-vase-40458
12/21/2022, 7:26 AM

creamy-pencil-82913
12/21/2022, 7:27 AM

kind-vase-40458
12/21/2022, 7:29 AM

creamy-pencil-82913
12/21/2022, 7:31 AM

kind-vase-40458
12/21/2022, 7:31 AM

creamy-pencil-82913
12/21/2022, 7:32 AM

kind-vase-40458
12/21/2022, 7:35 AM

creamy-pencil-82913
12/21/2022, 7:36 AM

kind-vase-40458
12/21/2022, 7:37 AM
`tls` folder, what prevents a new CA from being generated?

creamy-pencil-82913
12/21/2022, 7:38 AM

kind-vase-40458
12/21/2022, 7:40 AM

creamy-pencil-82913
12/21/2022, 8:02 AM

kind-vase-40458
12/21/2022, 8:05 AM

creamy-pencil-82913
12/21/2022, 8:09 AM

kind-vase-40458
12/21/2022, 8:09 AM

creamy-pencil-82913
12/21/2022, 8:10 AM

kind-vase-40458
12/21/2022, 8:10 AM

creamy-pencil-82913
12/21/2022, 8:11 AM

kind-vase-40458
12/21/2022, 8:11 AM

creamy-pencil-82913
12/21/2022, 8:12 AM

kind-vase-40458
12/21/2022, 8:12 AM

creamy-pencil-82913
12/21/2022, 8:12 AM

kind-vase-40458
12/21/2022, 8:12 AM

creamy-pencil-82913
12/21/2022, 8:13 AM

kind-vase-40458
12/21/2022, 8:14 AM

creamy-pencil-82913
12/21/2022, 8:14 AM

kind-vase-40458
12/21/2022, 8:15 AM

creamy-pencil-82913
12/21/2022, 8:16 AM