PKI

The PKI (Public Key Infrastructure) resource is responsible for generating all X.509 certificates and RSA key pairs required by a Kubernetes cluster. Kubernetes requires several certificates with specific CNs, signed by different CAs, etc., which is difficult to manage by hand, so Flexkube provides a configurable and convenient interface to manage them.

All certificates are generated following the Kubernetes PKI certificates and requirements best practices.

The current implementation of PKI is experimental and only supports generating the certificates. Renewing the certificates or changing certificate properties is not implemented yet.

Example configuration:

To generate the certificates using the flexkube CLI, create the following config.yaml file:

pki:
  certificate:
    organization: "example"
  etcd:
    peers:
      controller01: "192.168.1.10"
    clientCNs:
    - "root"
    - "kube-apiserver"
    - "prometheus"
  kubernetes:
    kubeAPIServer:
      externalNames:
      - "kube-apiserver.example.com"
      serverIPs:
      - "192.168.1.10"

Then, run the following command:

flexkube pki

If the configuration is correct, the PKI will be written to the state.yaml file.

To generate Kubernetes PKI using Go, create for example a main.go file with the following content:

package main

import (
  "fmt"
  "log"

  "github.com/flexkube/libflexkube/pkg/pki"
)

func main() {
  // Same configuration as in config.yaml above, expressed as Go structs.
  p := &pki.PKI{
    Certificate: pki.Certificate{
      Organization: "example",
    },
    Etcd: &pki.Etcd{
      Peers: map[string]string{
        "controller01": "192.168.1.10",
      },
      ClientCNs: []string{
        "root",
        "kube-apiserver",
        "prometheus",
      },
    },
    Kubernetes: &pki.Kubernetes{
      KubeAPIServer: &pki.KubeAPIServer{
        ExternalNames: []string{"kube-apiserver.example.com"},
        ServerIPs:     []string{"192.168.1.10"},
      },
    },
  }

  // Generate fills the struct in place with certificates and keys; it does
  // not persist anything, so the error must not be ignored.
  if err := p.Generate(); err != nil {
    log.Fatalf("generating PKI failed: %v", err)
  }

  fmt.Printf("%+v", p)
}

Then run the following command:

go run main.go

If everything went successfully, all generated certificates with their properties are printed. Please note that it is up to the user to persist the generated certificates when using the Go interface.

To create Kubernetes PKI using Terraform, create a main.tf file with the following content:
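Whichever interface generated the PKI, the kube-apiserver serving certificate is worth checking before it is deployed: it must chain to the Kubernetes CA and carry every external name and server IP from the configuration as a SAN, otherwise clients will reject it. The following is an added example using only the Go standard library, not code from flexkube; since it cannot read flexkube output here, it builds constructed sample certificates in memory with the SANs from the configuration above and runs the check against them (CheckServingCert and SamplePKI are names chosen for this example).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net"
	"time"
)

// CheckServingCert verifies that the PEM serving certificate chains to the PEM CA, is valid now, and lists both dnsName and ip in its SANs.
func CheckServingCert(certPEM, caPEM []byte, dnsName, ip string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return errors.New("no PEM block found in serving certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM) // an empty pool makes Verify fail with "unknown authority"
	// Verify checks the signature chain, the validity period and the DNS SAN in one call.
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName}); err != nil {
		return err
	}
	return cert.VerifyHostname(ip) // DNSName does not cover IP SANs, so the IP is checked separately
}

// SamplePKI builds a constructed CA and kube-apiserver certificate in memory (sample data for this example, not flexkube output).
func SamplePKI(dns []string, ips []net.IP) (certPEM, caPEM []byte) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "kubernetes-ca", Organization: []string{"example"}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	srvKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	srvTpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: dns, IPAddresses: ips,
		Subject:     pkix.Name{CommonName: "kube-apiserver", Organization: []string{"example"}},
		NotBefore:   time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	srvDER, _ := x509.CreateCertificate(rand.Reader, srvTpl, caTpl, &srvKey.PublicKey, caKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srvDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
}
```

To check real output, pass the PEM strings taken from state.yaml (or from the filled-in pki.PKI struct) to CheckServingCert in place of the SamplePKI values.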

resource "flexkube_pki" "pki" {
  certificate {
    organization = "example"
  }

  etcd {
    peers = {
      "controller01" = "192.168.1.10"
    }

    client_cns = [
      "root",
      "kube-apiserver",
      "prometheus",
    ]
  }

  kubernetes {
    kube_api_server {
      external_names = ["kube-apiserver.example.com"]
      server_ips     = ["192.168.1.10"]
    }
  }
}

output "kubernetes_ca" {
  value = flexkube_pki.pki.kubernetes[0].ca[0].x509_certificate
}

Then, run the following commands:

terraform init && terraform apply

If everything went successfully, you should see the Kubernetes CA certificate in PEM format printed as a Terraform output.

To see all available parameters, see the flexkube_pki page in the Terraform Registry documentation.