
deploy ssl certificates and service-account key in DCOS packages

Open sttts opened this issue 10 years ago • 11 comments

compare docker-compose setup

sttts avatar Jul 27 '15 17:07 sttts

xref #535, #555, #587

jdef avatar Nov 01 '15 19:11 jdef

This is a blocker for MVP issues linked above. Moving to MVP.

karlkfi avatar Nov 02 '15 21:11 karlkfi

we already run kube-dns without this on k8s/dcos.

On Mon, Nov 2, 2015 at 4:53 PM, Karl Isenberg [email protected] wrote:

This is a blocker for kube-dns, I believe, as well as other MVP issues linked above. Moving to MVP.


jdef avatar Nov 02 '15 22:11 jdef

some options:

  • parameterize certs in options.json (#729, https://github.com/mesosphere/multiverse/pull/62)
  • auto-generate certs using mesosphere/kubernetes-keygen container
    • possibly subclass this container for convenience w/ k8s/dcos integration
    • currently has hard-coded stuff, not prod ready

keygen container sub-commands do this:

  • root CA doesn't need an IP
  • apiserver cert needs root CA --> generates private key, public (signed) cert
  • service account private key (RSA)

IMPORTANT: dcos kubectl ... subcommand needs to work with new secure configuration

jdef avatar Jan 07 '16 16:01 jdef
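The three keygen steps listed above (root CA without an IP, CA-signed apiserver cert, RSA service-account key), as an added Go example that is not the mesosphere/kubernetes-keygen container's own code; the common names, the 10-year/1-year lifetimes and the apiserver IP passed in are assumed values. VerifyAPIServer shows the check a client holding only the root CA performs, which is what makes a non-snakeoil setup verifiable.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// GenerateBundle mints the thread's three keygen artifacts: a self-signed root CA
// (no IP), a CA-signed apiserver cert with the apiserver IP as SAN, an RSA SA key.
func GenerateBundle(apiserverIP net.IP) (ca, api *x509.Certificate, saKey *rsa.PrivateKey, err error) {
	var keys [3]*rsa.PrivateKey // CA key, apiserver key, service-account key
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return nil, nil, nil, err
		}
	}
	now := time.Now()
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true,
		Subject: pkix.Name{CommonName: "kubernetes-root-ca"}, BasicConstraintsValid: true,
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &keys[0].PublicKey, keys[0])
	if err != nil {
		return nil, nil, nil, err
	}
	ca, _ = x509.ParseCertificate(caDER)
	apiTpl := &x509.Certificate{SerialNumber: big.NewInt(2), IPAddresses: []net.IP{apiserverIP},
		Subject: pkix.Name{CommonName: "kube-apiserver"}, NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	apiDER, err := x509.CreateCertificate(rand.Reader, apiTpl, ca, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, nil, nil, err
	}
	api, _ = x509.ParseCertificate(apiDER)
	return ca, api, keys[2], nil
}

// VerifyAPIServer is the client-side check: trusting only the root CA, does the
// apiserver cert chain to it and match the address being dialed?
func VerifyAPIServer(ca, api *x509.Certificate, addr string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := api.Verify(x509.VerifyOptions{Roots: pool, DNSName: addr})
	return err
}
```

The private keys and the two certificates would be written out as PEM and handed to the apiserver (`--tls-cert-file`, `--tls-private-key-file`, `--service-account-key-file`) and the CA cert alone to clients; only the last step is what the subcommand discussed below needs.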

TODO: clarify the work that actually needs doing here

jdef avatar Jan 20 '16 21:01 jdef

The subcommand works with TLS. What is missing is a way to tell it about a custom certificate.

sttts avatar Jan 20 '16 22:01 sttts

@sttts the subcommand should only need the root-ca cert, yes? that's easy to send down..

jdef avatar Jan 20 '16 22:01 jdef

In fact, the cert in the subcommand has nothing to do with the kubernetes certs. The apiserver is behind the admin router and that brings its own (snakeoil-) cert.


sttts avatar Jan 20 '16 22:01 sttts

OK, so then we'd need the rootCA of the cert that the admin router is using. I wonder if dcos-CLI gives us access to that?


jdef avatar Jan 21 '16 15:01 jdef

Look at my code to check certificates in the subcommand. It just reads the settings in the dcos.toml and applies them to kube/config.


sttts avatar Jan 21 '16 15:01 sttts

got it - thanks!


jdef avatar Jan 21 '16 16:01 jdef