Generating certificates

The etcd datastore has the concept of users that are linked to roles, where each role has a defined set of access permissions to the data stored in etcd. This tutorial walks you through the process of generating the Certificate Authority (CA), certificates and keys that can be used to authenticate a specific user with etcd. There are many different tools that can be used to generate these files. This tutorial tries to lay out the unique or specific details that are needed for each of the different certificates, but uses the hack/tls-setup tool to make certificate generation easy.

The etcd server links a certificate to a specific user by using the Common Name (CN) attribute in the certificate. It is important to ensure that the CN in the certificate for each component that will be accessing etcd matches the username in etcd that has the appropriate etcd roles for accessing its required keys or paths.

If you use the hack/tls-setup tool, ensure you have followed its README and are able to run it successfully.

Generating certificates with hack/tls-setup:

  1. Edit the Makefile.
  2. Add the per-user/per-component configuration files.
  3. Run make. (Re-running make will regenerate the CA and all certificates.)

Generating the certificates creates:

  • the CA
  • a certificate and key pair for 3 etcd servers
  • the certificate and key pairs for each user/component

Configuration for the Certificate Authority

The default CA configuration included with hack/tls-setup works well with no additional configuration. The CA certificate it generates (certs/ca.pem) will need to be provided to all components (etcd, the Kubernetes apiserver, and all Calico components).

Configuration for the etcd certificates

If using etcd proxies, the cert/key pair generated by the tool (the files certs/proxy1.pem and certs/proxy1-key.pem) can be used with all proxies, or you can create an individual cert/key pair for each proxy.

Configuration for per-user/per-component etcd certificates

The certificates for Calico, Kubernetes, or any other component can be generated with configuration files similar to the one provided below. Replace the <etcd_username> placeholder with the username of the etcd user that has roles allowing access to the paths/prefix keys required by the associated component.

The additional configuration files you create should be added to the config directory in your hack/tls-setup folder. To build certificates for each new configuration, add lines similar to those below to the req: target in the Makefile. For each configuration added, make sure the configuration file name and the cert/key file prefix are updated appropriately by substituting an appropriate name for <component>.

    $(CFSSL) gencert \
      -ca certs/ca.pem \
      -ca-key certs/ca-key.pem \
      -config config/ca-config.json \
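The following shell helpers tie together the two points above: the CN of a per-component certificate must equal the etcd username, and the certificate is produced from a cfssl request file through the same gencert flags as the Makefile lines. This is an added example, not code from etcd's hack/tls-setup or from the Calico docs. It assumes cfssl's CSR JSON layout (CN, hosts, key, names), that cfssl, cfssljson and openssl are on PATH, and uses the component name "calico" and paths such as config/req-calico.json purely as hypothetical placeholders.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not part of hack/tls-setup).
# Assumes cfssl's CSR JSON format; "calico" and the paths are placeholders.
set -eu

# Write config/req-<component>.json for cfssl. The CN is the etcd username:
# etcd identifies a client by the certificate's CN, so it must equal the etcd
# user that holds the roles for the keys this component needs.
write_req() {
  etcd_user="$1"   # the <etcd_username> placeholder from the docs
  out="$2"         # e.g. config/req-calico.json (hypothetical path)
  cat > "$out" <<EOF
{
  "CN": "$etcd_user",
  "hosts": [],
  "key": { "algo": "ecdsa", "size": 384 },
  "names": [ { "O": "autogenerated", "OU": "etcd cluster" } ]
}
EOF
}

# Generate the cert/key pair for one component with the same flags the
# Makefile's req: target uses. Run from the hack/tls-setup directory after
# make has produced the CA; writes certs/<component>.pem and
# certs/<component>-key.pem (cfssljson -bare naming).
gen_cert() {
  component="$1"
  cfssl gencert \
    -ca certs/ca.pem \
    -ca-key certs/ca-key.pem \
    -config config/ca-config.json \
    "config/req-$component.json" | cfssljson -bare "certs/$component"
}

# Read the subject CN from a PEM certificate. RFC2253 formatting separates
# attributes with commas, so a single sed expression extracts the CN value.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Compare the CN in a generated certificate with the etcd username it should
# authenticate as. On a mismatch etcd treats the client as a different
# (usually non-existent) user and denies access to the component's keys.
check_cn() {
  expected="$1"
  cert="$2"
  actual="$(cert_cn "$cert")"
  if [ "$actual" = "$expected" ]; then
    echo "ok: $cert has CN=$actual"
    return 0
  fi
  echo "MISMATCH: $cert has CN='$actual', etcd user is '$expected'" >&2
  return 1
}
```

Typical use from the hack/tls-setup directory would be `write_req calico config/req-calico.json`, `gen_cert calico`, then `check_cn calico certs/calico.pem` before handing the files to the component; running check_cn against every generated certificate catches the copy-paste mistake where a request file is duplicated but its CN is not changed to the new etcd user.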