k8s-ci-robot
commented
1 year ago This issue is currently awaiting triage.
SIG Docs takes a lead on issue triage for this website, but any Kubernetes member can accept issues by applying the triage/accepted label.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
dipesh-rawat
sftim
k8s-triage-robot
vaibhav2107
The page contains three ways to achieve the same result using three different utilities. But there are some differences in the end results that are disconcerting and make you wonder why it has to be this way? It doesn't seem to make sense. There are two areas of concern — subject names and key usages.
1) All CA certificates have different subject Common Name:
${MASTER_IP}@date${MASTER_IP}kubernetesAccording to PKI certificates and requirements page CA CN defaults to
kubernetes-ca. It might be worth changing the documentation to use one common value.2) Some CA certificates have different X509v3 Key Usage:
To fix this, one can change the command in OpenSSL step 2 to the following:
3) Some kube-apiserver certificates have different X509v3 Key Usage and X509v3 Extended Key Usage:
To fix the easyrsa issue, one can change the string
extendedKeyUsage = serverAuthin the fileserverin the "x509-types" directory toextendedKeyUsage = serverAuth,clientAuth:To fix the openssl issue, one can change the string
keyUsage=keyEncipherment,dataEnciphermentin OpenSSL step 4 tokeyUsage=digitalSignature,keyEncipherment.4) Some kube-apiserver certificates have different subject Common Name and X509v3 Subject Alternative Name:
${MASTER_IP}, IP Address:${MASTER_CLUSTER_IP}, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local${MASTER_IP}${MASTER_IP}, IP Address:${MASTER_CLUSTER_IP}${MASTER_IP}, IP Address:${MASTER_CLUSTER_IP}According to the PKI certificates and requirements CN should be
kube-apiserver.As for SAN, consider using the same set of values (with or without localhost which can be in the form of an IP or hostname) and the order (DNS, loopback address, IP) for each method, for example:
Also there are different configuration or lack thereof for X509v3 Authority Key Identifier extension across all the certificates, but this is more of less OK.