I have deployed a CockroachDB single-instance cluster in my Kubernetes cluster on DO following this link https://www.cockroachlabs.com/docs/stable/orchestrate-a-local-cluster-with-kubernetes.html.
I followed this link to generate a server.crt file from https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster using the command:
kubectl get csr my-svc.my-namespace -o jsonpath='{.status.certificate}' \
| base64 --decode > server.crt
Not sure that gets me a client cert.
The following is my output for the command:
kubectl get csr
NAME                  AGE   REQUESTOR                                               CONDITION
default.client.root   44m   system:serviceaccount:default:my-release-cockroachdb   Approved,Issued
I need to connect to CockroachDB using my Java client. How do I generate a client cert and key so I can access CockroachDB from Java?
Thanks
There are multiple concerns here. Let's address them one at a time:
Requesting a client certificate from the kubernetes PKI
A client certificate for a user with CockroachDB must have the subject's Common Name set to the username, e.g. CN=root. It must also be properly configured to allow Client Authentication in the key usage.
In the kubernetes docs, we include an example to bring up a client within the same kubernetes cluster. The config for secure clients includes an init container that requests a client certificate and makes it available to the main job.
If your client is running in Kubernetes, I recommend adapting that config for your own client.
Key format for java clients
Java clients expect keys in PKCS#8 format, whereas both your command and the request-cert tool output PEM-encoded keys.
You can convert the key using openssl:
openssl pkcs8 -topk8 -inform PEM -outform DER -in client.myuser.key -out client.myuser.pk8
You can find more details on the CockroachDB Build a Java app page.
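As an added example (not part of the answer above and not CockroachDB's own tooling), the following script shows the two requirements the answer states, CN equal to the SQL username and a client-authentication key usage, being set and checked with plain openssl, and then converts the key into the PKCS#8 DER form a Java client needs. It uses a throwaway CA in a temp directory purely so it runs offline; that is an assumption for illustration. In a real deployment the client certificate has to be signed by the CA the CockroachDB nodes already trust (in the question's setup, the Kubernetes cluster CA via the CSR API), so only the subject, the extension and the key conversion carry over, not the CA.

```shell
#!/bin/sh
# Added example, not from the original post: build a CockroachDB-style client
# certificate with a throwaway CA, verify CN and clientAuth EKU, and convert the
# key to unencrypted PKCS#8 DER for Java (e.g. pgjdbc's sslkey parameter).
set -eu

# Scratch directory so nothing here touches real cluster certificates.
WORKDIR=$(mktemp -d)

# make_ca DIR: throwaway CA key + self-signed CA certificate.
# Assumption for illustration only: the real CA is whatever the CockroachDB
# nodes trust (in the question's cluster, the Kubernetes CA), not this one.
make_ca() {
  dir=$1
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -days 365 \
    -subj "/O=Cockroach/CN=Cockroach CA" -out "$dir/ca.crt"
}

# make_client_cert DIR USER: key, CSR and CA-signed cert for SQL user USER.
make_client_cert() {
  dir=$1
  user=$2
  openssl genrsa -out "$dir/client.$user.key" 2048 2>/dev/null
  # The CN is what CockroachDB maps to the SQL username, so it must match exactly.
  openssl req -new -key "$dir/client.$user.key" \
    -subj "/O=Cockroach/CN=$user" -out "$dir/client.$user.csr"
  # Extension file: restrict the certificate to TLS client authentication.
  printf 'extendedKeyUsage = clientAuth\nkeyUsage = digitalSignature,keyEncipherment\n' \
    > "$dir/client.ext"
  openssl x509 -req -in "$dir/client.$user.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
    -extfile "$dir/client.ext" -out "$dir/client.$user.crt" 2>/dev/null
}

# cert_cn FILE: print the subject CN (the username the server will see).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_has_client_auth FILE: succeed only if the clientAuth EKU is present.
cert_has_client_auth() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# verify_chain CA_CRT CRT: succeed only if CRT chains to CA_CRT.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null
}

# to_pkcs8 KEY_PEM OUT_DER: the conversion the answer describes, with -nocrypt so
# no passphrase prompt appears and the Java driver can load the key directly.
to_pkcs8() {
  openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in "$1" -out "$2"
}

# pkcs8_matches_cert PK8 CRT: succeed only if the converted key is the private
# half of the certificate's public key (catches mixing up key and cert files).
pkcs8_matches_cert() {
  k=$(openssl pkey -inform DER -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey)
  [ "$k" = "$c" ]
}

# Usage: certificate for the SQL user "root", as in the question.
make_ca "$WORKDIR"
make_client_cert "$WORKDIR" root
to_pkcs8 "$WORKDIR/client.root.key" "$WORKDIR/client.root.pk8"
echo "client cert CN: $(cert_cn "$WORKDIR/client.root.crt")"
echo "files in $WORKDIR: ca.crt client.root.crt client.root.pk8"
```

With the three resulting files, a pgjdbc connection string for a secure CockroachDB node would carry sslmode=verify-full, sslrootcert=ca.crt, sslcert=client.root.crt and sslkey=client.root.pk8; the driver rejects a PEM key in sslkey, which is why the DER conversion step exists. Checking the key against the certificate's public key before deploying is cheap and avoids an opaque handshake failure when the wrong .key is paired with a .crt.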