K
Q

How to create a Kubernetes client certificate signing request for Cockroachdb

8/23/2018

The environment I'm working with is a secure cluster running cockroach/gke.

I have an approved default.client.root certificate which allows me to access the DB using root, but I can't understand how to generate new certificate requests for additional users. I've read the cockroachDB docs over and over, and it is explained how to manually generate a user certificate in a standalone config where the ca.key location is accessible, but not specifically how to do it in the context of Kubernetes.

I believe that the image cockroachdb/cockroach-k8s-request-cert:0.3 is the start point but I cannot figure out the pattern for how to use it.

Any pointers would be much appreciated. Ultimately I'd like to be able to use this certificate from an API in the same Kubernetes cluster which uses the pg client. Currently, it's in insecure mode, using just username and password.

-- bruce
client-certificates
cockroachdb
kubernetes

Similar Questions

Play with kubernetes not exposing the node port to outside world
Adding storage leads to stuck deployment on openshift pod
Geting custom metrics from Kubernetes pods
CI/CD with gitlab (online) to kubernetes cluster (kismatic)

1 Answer

8/23/2018

The request-cert job is used as an init container for the pod. It will request a client or server certificate (the server certificates are requested by the CockroachDB nodes) using the K8S CSR API.

You can see an example of a client certificate being requested and then used by a job in client-secure.yaml. The init container is run before your normal container:

  initContainers:
  # The init-certs container sends a certificate signing request to the
  # kubernetes cluster.
  # You can see pending requests using: kubectl get csr
  # CSRs can be approved using:         kubectl certificate approve <csr name>
  #
  # In addition to the client certificate and key, the init-certs entrypoint will symlink
  # the cluster CA to the certs directory.
  - name: init-certs
    image: cockroachdb/cockroach-k8s-request-cert:0.3
    imagePullPolicy: IfNotPresent
    command:
    - "/bin/ash"
    - "-ecx"
    - "/request-cert -namespace=${POD_NAMESPACE} -certs-dir=/cockroach-certs -type=client -user=root -symlink-ca-from=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
    env:
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    volumeMounts:
    - name: client-certs
      mountPath: /cockroach-certs

This sends a CSR using the K8S API, waits for approval, and places all resulting files (client certificate, key for client certificate, CA certificate) in /cockroach-certs. If the certificate already exists as a K8S secret, it just grabs it.

You can request a certificate for any user by just changing --user=root to the username you with to use.

-- Marc
Source: StackOverflow