Search code examples
kubernetescoreoslets-encryptcertbot

using letsencrypt cetificate for kubelet api server


I want to use certificates by a signed authority for my kubernetes cluster.

so I first try to install and properly configure the controller.

the controller will be installed on a CoreOS stable (1185.3.0).

kubeelet api-server needs the following certificates as far as I understand:

certificate-authority: ca.pem
client-certificate: apiserver.pem
client-key: apiserver-ke.pem

letsencrypt using certbot container created the following certificate:

cert = /etc/letsencrypt/live/coreos-2.tux-in.com/cert.pem
privkey = /etc/letsencrypt/live/coreos-2.tux-in.com/privkey.pem
chain = /etc/letsencrypt/live/coreos-2.tux-in.com/chain.pem
fullchain = /etc/letsencrypt/live/coreos-2.tux-in.com/fullchain.pem

so the cert.pem is the client-certificate, privkey.pem is the client-key, I don't have the certificate-authority, and I have chain certificates that I don't know what to do with.

I created the certificates using rkt with certbot docker image using the following command:

rkt --insecure-options=image --port 443-tcp:443 run  docker://deliverous/certbot \
  --volume letsencrypt-etc,kind=host,source=/opt/letsencrypt-etc \
  --mount volume=letsencrypt-etc,target=/etc/letsencrypt \
  --volume resolv-conf,kind=host,source=/etc/resolv.conf \
  --mount volume=resolv-conf,target=/etc/resolv.conf \
  --volume certbot-tls-certs,kind=host,source=/opt/certbot-tls-certs \
  --mount volume=certbot-tls-certs,target=/var/www/tls-certs \
  -- certonly -w /var/www/tls-certs -d coreos-2.tux-in.com \
  --email [email protected] --agree-tos --standalone --preferred-challenges tls-sni-01

so.. no idea how to go on from here.

any information regarding the issue would be greatly appreciated.

thanks


Solution

  • what @MrE said is correct.

    each client in the kubernetes cluster needs to register it's name and ip, i need to use alt-names... all of that isn't supported in letsencrypt.

    letsencrypt is a simple certificate generation basically for web servers, letsencrypt doesn't even support or plan to support wildcards. so anyhow.. letsencrypt is not the right solution for my case.