Generate Certificates Manually task is inconsistent

[nnlkcncff]

https://kubernetes.io/docs/tasks/administer-cluster/certificates/

The page contains three ways to achieve the same result using three different utilities. But there are some differences in the end results that are disconcerting and make you wonder why it has to be this way? It doesn't seem to make sense. There are two areas of concern — subject names and key usages.

1) All CA certificates have different subject Common Name:

• easyrsa — ${MASTER_IP}@date
• openssl — ${MASTER_IP}
• cfssl — kubernetes

According to PKI certificates and requirements page CA CN defaults to kubernetes-ca. It might be worth changing the documentation to use one common value.

2) Some CA certificates have different X509v3 Key Usage:

• easyrsa and cfssl — Certificate Sign, CRL Sign
• openssl — n/a

To fix this, one can change the command in OpenSSL step 2 to the following:

openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt -addext 'keyUsage = cRLSign, keyCertSign'

3) Some kube-apiserver certificates have different X509v3 Key Usage and X509v3 Extended Key Usage:

• easyrsa:
  • Key Usage: Digital Signature, Key Encipherment
  • Extended Key Usage: TLS Web Server Authentication
• openssl:
  • Key Usage: Key Encipherment, Data Encipherment
  • Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication
• cfssl:
  • Key Usage: Digital Signature, Key Encipherment
  • Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication

To fix the easyrsa issue, one can change the string extendedKeyUsage = serverAuth in the file server in the "x509-types" directory to extendedKeyUsage = serverAuth,clientAuth:

sed  -e 's/\(extendedKeyUsage\).*/\1 = serverAuth,clientAuth/' $( easyrsa | grep x509-types | awk '{ print $2 }' )/server

To fix the openssl issue, one can change the string keyUsage=keyEncipherment,dataEncipherment in OpenSSL step 4 to keyUsage=digitalSignature,keyEncipherment.

4) Some kube-apiserver certificates have different subject Common Name and X509v3 Subject Alternative Name:

• easyrsa:
  • CN: server
  • SAN: IP Address:${MASTER_IP}, IP Address:${MASTER_CLUSTER_IP}, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local
• openssl:
  • CN: ${MASTER_IP}
  • SAN: DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:${MASTER_IP}, IP Address:${MASTER_CLUSTER_IP}
• cfssl:
  • CN: kubernetes
  • SAN: DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:${MASTER_IP}, IP Address:${MASTER_CLUSTER_IP}

According to the PKI certificates and requirements CN should be kube-apiserver.

As for SAN, consider using the same set of values (with or without localhost which can be in the form of an IP or hostname) and the order (DNS, loopback address, IP) for each method, for example:

DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, IP Address:`${MASTER_CLUSTER_IP}`, IP Address:`${MASTER_IP}`

Also there are different configuration or lack thereof for X509v3 Authority Key Identifier extension across all the certificates, but this is more of less OK.

[k8s-ci-robot]

This issue is currently awaiting triage.

SIG Docs takes a lead on issue triage for this website, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

[dipesh-rawat]

Page related to issue: https://kubernetes.io/docs/tasks/administer-cluster/certificates/ /language en

[sftim]

/retitle Generate Certificates Manually task is inconsistent /kind bug

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[sftim]

/sig security /remove-lifecycle rotten

Let's triage this

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[vaibhav2107]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

[k8s-ci-robot]

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to [this](https://github.com/kubernetes/website/issues/42761#issuecomment-2458004424): >The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. > >This bot triages issues according to the following rules: >- After 90d of inactivity, `lifecycle/stale` is applied >- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied >- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed > >You can: >- Reopen this issue with `/reopen` >- Mark this issue as fresh with `/remove-lifecycle rotten` >- Offer to help out with [Issue Triage][1] > >Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community). > >/close not-planned > >[1]: https://www.kubernetes.dev/docs/guide/issue-triage/ Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.