Hello everyone, welcome back to my channel. My name is P, and this is video number 21 in the CKA 2024 series. In the previous video we saw the basics of SSL/TLS and how it actually works, how we secure our connections from clients to servers, and so on; we looked at that in detail. In this video we'll be looking into TLS specifically for Kubernetes: how it works in Kubernetes, how we actually create the certificates, how we create a certificate signing request, and the overall process, which will be very helpful while working with Kubernetes. The comments and likes targets for this video will be 220 comments and 220 likes in the next 24 hours. I'm sure you can do that. Thank you so much for your support so far. Let's start with this video.

In the previous video we saw that we create certificates for the server, and then a certificate authority also creates certificates to sign the request. Let's look at a recap of only that part; I'm not going to cover everything, just that part. The client creates its own certificate to authenticate with the server, because the server sometimes asks the client for identification: who are you actually, can you identify yourself? In that case, when the server asks for that authorization, the client replies with the certificate and the details to show that, yes, I am who I say I am. In the same way, the server also generates its own certificate and private key. These certificates help ensure that there is secure communication between client and server, and with their help the communication is then made. So the GET request and response are handled with the help of the certificates.

Now we have a certificate authority in between. This certificate authority is responsible for issuing the certificate. The server requests the certificate from the certificate signing authority, and this could be any certificate authority, such as Symantec, DigiCert or anything else; we can use one or more than one certificate signing authority. So the server requests the certificate to be signed by a certificate signing authority, and in reply the certificate signing authority does the validation of the server: it checks the authenticity of the server and checks whether the server owns the domain or not, and based on that it actually issues the certificate. The request is made by issuing a CSR, a certificate signing request, from the server to the certificate authority.

Now, how does the certificate authority actually issue and sign the certificate? It does that with the help of its own pair of public certificate and private key. So the certificate signing authority has its own certificate and private key pair, and using that it signs the certificate and issues it. This public certificate is also installed in the client's browser, so that the browser can validate whether the certificate is valid or not, that it is actually not expired, that it is issued by a valid authority, and so on. It does all that validation for you. So this is the overall process.

So we see we have three types of certificates. First are client certificates, which are generated by the client; these are called client certificates. Then we have the certificates that are generated by the certificate authority, which we call root certificates. And then we have the certificates at the server, which the server generates to encrypt or decrypt the data for the secure communication, and these are called server certificates. So we have these three kinds of certificates: client, root and server certificates.

Now let's look at a sample Kubernetes cluster. We have a master node and multiple worker nodes. When a client initiates a request to the kube-apiserver (let's say over here is your kube-apiserver), this is a client over here and this kube-apiserver is nothing but a server for it, so this connection also has to be secured; it has to be encrypted. So we need certificates over here at the client side and at the server side: we need a client certificate over here and server certificates over here, both the public and private key pair.

In the same way, when your kube-apiserver, or let's say any component of the master node, interacts with the worker nodes over here (let me change the color; over here and over here), this communication between the master node and the worker nodes also has to be encrypted and secure. Let me paste it over here, here and over here. So this also has to be encrypted. Now this communication, let's say, is mostly done by the API server, so in this case your API server becomes the client. Earlier it was the server, the server for the outside user or the admin or any other user, but over here this server becomes the client. And on these worker nodes, let's say there is a component the API server is interacting with, let's say it is interacting with the kubelet on all the nodes or any one of the nodes; so this kubelet becomes the server over here.

Let me recap what I have said so far. We have a client; let's say you have an admin, a Kubernetes admin or a DevOps engineer, who is trying to interact with the kube-apiserver through the kubectl get pods command. For that communication your user will be the client and the kube-apiserver will be the server, so we need certificates on both ends: we need a public and private certificate over here and over at the server, and these are the client and server certificates. And who issues those certificates? A certificate authority will issue those certificates with the help of a public and private key. Now for the further communication, let's say the kube-apiserver has to send some instructions to the kubelet; in that communication your kube-apiserver will become the client and your kubelet will become the server, so again we need certificates for the kube-apiserver as client and the kubelet as server. We already had the certificate for the kube-apiserver, so we can use the same certificate for this interaction as well, or we can generate a separate certificate for this one.

Let's look into that in more detail. Over here is our user, which is our client, and I've told you that we have generated a certificate, a public certificate and a private key, for the user. Now this user will set up a connection with the API server (and I need the lock; where is the lock? Okay, over here). This communication has to be secure, and that is why I'm adding this over here. Now the user generated this certificate, which is signed by the certificate signing authority, and at the same time, because the kube-apiserver is the server, a certificate will be generated for that. Now the kube-apiserver will interact with other servers such as etcd and kubectl; in this communication the kube-apiserver will become the client and etcd will become the server, so we need certificates for etcd as well, and we can use the same certificate for the kube-apiserver as the client or we can generate a new one. Now the kube-apiserver will interact with the kubelet as well, and in that case also the kube-apiserver will become the client and the kubelet will become the server, so we need the certificate for the server as well over here. And now the kube-apiserver will interact with other components over here, and these are nothing but the clients. The kube-scheduler actually sends a request to the kube-apiserver, and all these requests have to be secure again, so I'm just going to add this over here: it has to be secure. So the kube-scheduler is the client, and the client needs a certificate, a public certificate and a private key, and the kube-apiserver will also have the same certificates, like the certificate generated for the kube-apiserver. Now the controller manager is also a client which interacts with the kube-apiserver, so this also has to be secure, and we have to have the public certificate and private key for the controller manager, and in the same way we should have it for the kube-proxy, which interacts with the kube-apiserver over here.

Now let's go back. We see over here that there has to be a certificate generated for every client, for every server, and root certificates. And when we interact between multiple components, like when the master node interacts with the worker nodes, the connection has to be secure and encrypted; that is why we need certificates at both ends, at the server end and at the client end. Now over here we see it in a little more detail: when a user is interacting with any component, the user is nothing but a client. Let's say the user is interacting through the kubectl utility, so kubectl is the client, and we need to generate a certificate for the user, which is a user certificate; then we need to generate the certificate for the server, which is a server certificate. We have multiple client certificates, we have multiple server certificates, and yes, there will be root certificates for the certificate authority. So this is where we need all the certificates.

Now, because after this we will be creating certificates, I just wanted to explain the concept behind it. The names of the certificates can be a little confusing, as we have different types of certificates, plus there will be a public certificate and a private key, so let's see how we differentiate between those two. We have, let's say, two things: first is a certificate, the other is a private key. Anything that has a .crt or .pem extension is a public certificate, and anything that has "key" in the name or in the extension, so either server.key, with it in the extension, or server-key.<any extension>, in this case will be a private key. So the easiest way to remember is: if you see the word "key" in the name or in the extension, that means it's a private key. You see, we have "key" either in the name over here, server-key, or in the extension, .key, and if that is the case this is a private certificate, or a private key. So remember the term "key": if "key" is there, that means it's a private key, else it's a public certificate. Public certificates are such as server.crt, server.pem, client.crt, client.pem and so on. I'm sure this would be a clear distinction now: if you see "key", that means it's private, else it's a public certificate.

Okay, so now let's go ahead and see how we can raise the certificate signing request and how we can implement SSL/TLS within Kubernetes. To create a certificate signing request, to approve it and to look at all the steps, we will be following the Kubernetes documentation. Go over to the documentation, kubernetes.io/docs, then search for certificates and go to the link "Certificates and Certificate Signing Requests", and scroll down to the section where it says how to issue a certificate for a user. We'll be following this document, so I'm going to keep it on a separate screen so that I can follow along over here in VS Code.

Here's my VS Code; I'm inside the day 21 folder, where I will be following all the steps. The first step: let's say a new user has joined your team as an admin. Let's take an example: you are the admin of a Kubernetes cluster, and a new user has joined the team as another administrator to share your load, so now you have to provide that user access to your cluster using certificates. There will be different steps involved in that. First, the user will go and create the keys and the certificate signing request. For that, let me just copy the commands; I'm going to keep all the commands over here. Let's create a file readme.md over here, and this is the first command that I'm going to run: openssl genrsa -out. So I'm going to create a key and a certificate signing request for the user. Consider that these are steps the user is performing: the user that has joined your team is performing these steps. So openssl genrsa -out and then the key; this is your private key, because there is "key" in the name, which means it's a private key. Let's give it a name, newadmin. Okay, let's say the username is newadmin, or you can give it any name; let's say Adam. Okay, adam.key, and then 2048. Copy this command and run it over here. Now it should create a key, adam.key, over here. Let's see this: this is the private key, the user has this key. Now close this, and then using this key generate a new request, a certificate signing request: openssl req -new -key, and my username was Adam, adam.key, -out adam.csr. So there will be a file created using the private key, and it will be named adam.csr, with the subject; and over here as well you change the user. Let's copy this and run this command. Now this would have created another file with the name adam.csr, and here is our certificate signing request. This is the request that we will be processing later on. So now our request has been completed.

Let's go back. Now this is done. What the user will do now is that the user, Adam, will give you access to these things and will ask you to create the certificate signing request and approve it on the Kubernetes side. So as a Kubernetes administrator who has all the permissions, you will create a new file over here, and I'm going to name it, let's say, csr.yaml. I'm going to paste the content of the YAML over here. The apiVersion is certificates.k8s.io, so there is an API provided by Kubernetes, certificates.k8s.io, that you can use to generate this request, to create the request, and you give it a name over here, adam, and this is your request. This should be what you have received from the user: the user will not give you the private key, the user will give you the certificate signing request. So here is the certificate signing request, and now you have to replace it, so let me just delete this one. Now there is a difference: inside the certificate signing request adam.csr the key is in plain text format, but over here in this we have to write it base64 encoded. So I'm going to copy this... sorry, not this one, the CSR. So what I will do is cat this file: cat adam.
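The user-side key and CSR steps and the admin-side CertificateSigningRequest manifest described above, scripted end to end as an added shell example; this is not the video's code or the Kubernetes documentation's, and it assumes a POSIX shell with openssl, base64 and mktemp available. The user name adam and group dev are constructed sample values. The apiVersion, signerName, usages and expirationSeconds fields are those of the certificates.k8s.io/v1 CertificateSigningRequest object. Two checks an approver wants are included: csr_subject prints the CN and O from the CSR, because Kubernetes takes the user name from CN and the group from O, so approving a CSR that carries O=system:masters hands out cluster-admin; and pem_kind classifies a file by its PEM header rather than its file name, since a .pem file can hold a certificate, a CSR or a private key.

```shell
#!/bin/sh
# Added example (not from the video or the Kubernetes docs): the user-side
# key/CSR generation and the admin-side CertificateSigningRequest manifest,
# plus two checks an approver would run before "kubectl certificate approve".
set -e

# User side: create an RSA private key and a CSR whose subject carries the
# Kubernetes user name (CN) and group (O). Only the .csr leaves the user's machine.
make_user_csr() {
  dir=$1; user=$2; group=$3
  openssl genrsa -out "$dir/$user.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$user.key" -subj "/CN=$user/O=$group" \
    -out "$dir/$user.csr" 2>/dev/null
}

# Approver check: print the CSR subject. O= becomes the group Kubernetes assigns,
# so an unexpected O=system:masters here would grant cluster-admin.
csr_subject() {
  openssl req -in "$1" -noout -subject
}

# Approver check: classify a PEM file by its header, not by its file name.
pem_kind() {
  case "$(head -n 1 "$1")" in
    "-----BEGIN CERTIFICATE-----")         echo certificate ;;
    "-----BEGIN CERTIFICATE REQUEST-----") echo csr ;;
    *"PRIVATE KEY-----")                   echo private-key ;;
    *)                                     echo unknown ;;
  esac
}

# spec.request must be the CSR PEM, base64 encoded on a single line
# (GNU base64 wraps at 76 columns, so the newlines are stripped).
csr_b64() {
  base64 < "$1" | tr -d '\n'
}

# Admin side: render the certificates.k8s.io/v1 CertificateSigningRequest.
# $3 is the requested lifetime in seconds; one day is an assumed default.
render_csr_manifest() {
  name=$1; csrfile=$2; seconds=${3:-86400}
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $name
spec:
  request: $(csr_b64 "$csrfile")
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: $seconds
  usages:
  - client auth
EOF
}

# Walk through the whole flow for the constructed user "adam" in group "dev".
demo() {
  work=$(mktemp -d)
  make_user_csr "$work" adam dev
  echo "adam.key is a $(pem_kind "$work/adam.key"); adam.csr is a $(pem_kind "$work/adam.csr")"
  csr_subject "$work/adam.csr"
  render_csr_manifest adam "$work/adam.csr" > "$work/csr.yaml"
  cat "$work/csr.yaml"
}

demo
```

Once csr.yaml is written, the administrator's remaining steps from the same Kubernetes document are kubectl apply -f csr.yaml, kubectl get csr to confirm it is Pending, and kubectl certificate approve adam; the signed client certificate is then returned base64 encoded in the object's status.certificate field, and the private key never has to leave the user's machine.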