how to get a client key and client root cert for connecting to CockroachDB from Java client

3/27/2019

I have deployed a CockroachDB single instance cluster in my Kubernetes cluster on DO following this link https://www.cockroachlabs.com/docs/stable/orchestrate-a-local-cluster-with-kubernetes.html.

I followed this link, https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster, to generate a server.crt file using the command:

kubectl get csr my-svc.my-namespace -o jsonpath='{.status.certificate}' \
| base64 --decode > server.crt

Not sure that gets me a client cert.
The following is my output for the command:

kubectl get csr

NAME                  AGE       REQUESTOR                                              CONDITION
default.client.root   44m       system:serviceaccount:default:my-release-cockroachdb   Approved,Issued

I need to connect to CockroachDB using my Java client. How do I generate a client cert and key so I can access CockroachDB from Java?

Thanks

-- Sonam
cockroachdb
csr
kubernetes

1 Answer

3/27/2019

There are multiple concerns here:

  • the certificate you are requesting from the k8s PKI will not have any of the fields required
  • the key format will not work for java clients

Let's address them one at a time:

Requesting a client certificate from the kubernetes PKI

A client certificate for a user with CockroachDB must have the subject's Common Name set to the username, e.g. CN=root. This must also be properly configured to allow Client Authentication in the key usage.

In the kubernetes docs, we include an example to bring up a client within the same kubernetes cluster. The config for secure clients includes an init container that requests a client certificate and makes it available to the main job.

If your client is running in Kubernetes, I recommend adapting that config for your own client.

Key format for java clients

Java clients expect keys in PKCS#8 format, whereas both your command and the request-cert tool output PEM-encoded keys.

You can convert the key using openssl:

openssl pkcs8 -topk8 -inform PEM -outform DER -in client.myuser.key -out client.myuser.pk8

You can find more details on the CockroachDB Build a Java app page.

-- Marc
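One way to mint a client certificate with the fields the answer describes (CN set to the SQL username, clientAuth key usage) and convert its key to the PKCS#8 DER form the Java driver expects, as an added example that is not part of the original answer. It assumes openssl is installed and uses a constructed throwaway CA in place of the cluster CA; the check function verifies each requirement before the files are handed to a client.

```shell
#!/bin/sh
# Added example (not from the original answer): mint a CockroachDB client
# certificate for a SQL user with openssl, convert the key to PKCS#8 DER
# for Java, and check every field the answer says must be present.
# The CA here is a constructed throwaway; on a real cluster the client
# certificate is signed by the cluster CA (ca.crt/ca.key) instead.
set -eu

make_client_cert() {
  user="$1"; dir="$2"
  mkdir -p "$dir"
  # Throwaway CA standing in for the cluster's ca.crt/ca.key
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Cockroach CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Client key and CSR: the Common Name must equal the SQL username
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Cockroach/CN=$user" -keyout "$dir/client.$user.key" \
    -out "$dir/client.$user.csr" 2>/dev/null
  # Sign with the clientAuth extended key usage the server checks for
  printf 'extendedKeyUsage = clientAuth\nkeyUsage = digitalSignature,keyEncipherment\n' \
    > "$dir/client.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/client.$user.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/client.ext" -out "$dir/client.$user.crt" 2>/dev/null
  # PEM -> PKCS#8 DER; -nocrypt leaves the key unencrypted, otherwise
  # openssl prompts for a passphrase that the JDBC driver would then need
  openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \
    -in "$dir/client.$user.key" -out "$dir/client.$user.pk8"
}

# Returns 0 when the cert has CN=<user> and clientAuth, chains to the CA,
# and the PKCS#8 key is the private half of the certificate's public key.
check_client_cert() {
  user="$1"; dir="$2"; crt="$dir/client.$user.crt"
  openssl x509 -in "$crt" -noout -subject | grep -q "CN *= *$user" || return 1
  openssl x509 -in "$crt" -noout -text | grep -q 'TLS Web Client Authentication' || return 1
  openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null || return 1
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey)
  key_pub=$(openssl pkey -inform DER -in "$dir/client.$user.pk8" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}
```

The resulting client.<user>.crt, client.<user>.pk8 and ca.crt are the three files the JDBC URL's sslcert, sslkey and sslrootcert parameters point at.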
Source: StackOverflow