Hello,
if possible i would like to use the FreeIPA ca for Kubernetes. but kubernetes has some requirements on the CN and O.
the CN has to match the pattern system:node:$FQDN and O has to match system:node
also see: https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/docs/...
is this possible with the FreeIPA CA, or do i need to use another ca for Kubernetes?
Kind Regards,
Stephan
On ti, 11 joulu 2018, None via FreeIPA-users wrote:
Hello,
if possible i would like to use the FreeIPA ca for Kubernetes. but kubernetes has some requirements on the CN and O.
the CN has to match the pattern system:node:$FQDN and O has to match system:node
also see: https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/docs/...
is this possible with the FreeIPA CA, or do i need to use another ca for Kubernetes?
Did you check https://github.com/zultron/freeipa-cloud-prov? This one does not employ Node Authorization mode so it doesn't have the same requirements.
https://github.com/zultron/freeipa-cloud-prov/blob/c33758e80ba09f076b10a341f... certainly doesn't follow the pattern you describe when requesting service certificates.
If you still want to use Node Authorization, you can certainly add a certificate profile that explicitly sets CN to system:node:$FQDN when a certificate request contains just $FQDN. Same for explicitly adding O=system:node.
See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
Also check Fraser's blog: https://frasertweedale.github.io/blog-redhat/archive.html, there are few examples on how to create a specialized certificate profile.
my goal is not to run IPA within kubernetes, i just like to use the IPA CA to use issue the certicates needed to run Kubernetes.
but i will checkout Fraser's blog on how to use and create certificate profiles, thanks.
Am Di., 11. Dez. 2018 um 12:39 Uhr schrieb Alexander Bokovoy < abokovoy@redhat.com>:
On ti, 11 joulu 2018, None via FreeIPA-users wrote:
Hello,
if possible i would like to use the FreeIPA ca for Kubernetes. but
kubernetes has some requirements on the CN and O.
the CN has to match the pattern system:node:$FQDN and O has to match system:node
also see:
https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/docs/...
is this possible with the FreeIPA CA, or do i need to use another ca for
Kubernetes? Did you check https://github.com/zultron/freeipa-cloud-prov? This one does not employ Node Authorization mode so it doesn't have the same requirements.
https://github.com/zultron/freeipa-cloud-prov/blob/c33758e80ba09f076b10a341f... certainly doesn't follow the pattern you describe when requesting service certificates.
If you still want to use Node Authorization, you can certainly add a certificate profile that explicitly sets CN to system:node:$FQDN when a certificate request contains just $FQDN. Same for explicitly adding O=system:node.
See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
Also check Fraser's blog: https://frasertweedale.github.io/blog-redhat/archive.html, there are few examples on how to create a specialized certificate profile.
-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland
freeipa-users@lists.fedorahosted.org
-
Alexander Bokovoy -
stephan schultchen -
stephan.schultchen@gmail.com