nixos-servers/docs/k3s.md
2024-03-19 22:56:52 +01:00

Kubernetes

Creating an admin certificate for k3s

Create the admin's private key:

```bash
openssl genpkey -algorithm ed25519 -out <username>-key.pem
```

Create a CSR for the admin:

```bash
openssl req -new -key <username>-key.pem -out <username>.csr -subj "/CN=<username>"
```

Create a Kubernetes CSR object on the cluster:

```bash
# The heredoc delimiter is unquoted so that $(...) is expanded by the shell.
k3s kubectl create -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: <username>-csr
spec:
  request: $(cat <username>.csr | base64 | tr -d '\n')
  expirationSeconds: 307584000 # 3560 days, just under 10 years
  signerName: kubernetes.io/kube-apiserver-client
  usages:
    - digital signature
    - key encipherment
    - client auth
EOF
```

Approve and sign the admin's CSR:

```bash
k3s kubectl certificate approve <username>-csr
```

Extract the resulting signed certificate from the CSR object:

```bash
k3s kubectl get csr <username>-csr -o jsonpath='{.status.certificate}' | base64 --decode > <username>.crt
```
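Checks worth running on the extracted certificate before it is handed out (an added example, not part of the original document): that it matches the private key, that its subject is exactly `CN=<username>`, and whether the signer granted the requested `expirationSeconds`, since a signer may issue a shorter lifetime than requested. The function names and the `alice` sample are assumptions; a self-signed certificate stands in for the cluster-signed one so the script runs offline.

```shell
#!/bin/sh
# Added example: checks to run on <username>.crt before distributing it.
# Requires OpenSSL 1.1.1 or newer (Ed25519 support).

# True only if the certificate carries the public key of the given private key.
cert_matches_key() {    # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# True only if the subject is exactly CN=<username>. Any extra field fails,
# including O=, which Kubernetes reads as group membership.
cert_subject_is_cn() {  # $1 = certificate, $2 = expected username
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 1
    subject=${subject#subject=}
    [ "${subject# }" = "CN=$2" ]
}

# True only if the certificate is still valid $2 seconds from now. Use it to
# see whether the signer granted the requested expirationSeconds.
cert_valid_for() {      # $1 = certificate, $2 = seconds
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Constructed sample: a self-signed 30-day certificate stands in for the
# cluster-signed one so the checks can run offline.
self_test() {
    dir=$(mktemp -d) || return 1
    openssl genpkey -algorithm ed25519 -out "$dir/alice-key.pem" &&
    openssl req -x509 -new -key "$dir/alice-key.pem" -subj "/CN=alice" \
        -days 30 -out "$dir/alice.crt" &&
    cert_matches_key "$dir/alice.crt" "$dir/alice-key.pem" &&
    cert_subject_is_cn "$dir/alice.crt" alice &&
    cert_valid_for "$dir/alice.crt" 86400 &&
    ! cert_valid_for "$dir/alice.crt" 307584000
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

if [ "${1:-}" = "--self-test" ]; then self_test; fi
```

Against a real certificate, `cert_valid_for <username>.crt 307584000` failing right after issuance means the signer shortened the lifetime; `openssl x509 -in <username>.crt -noout -enddate` shows the actual expiry.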