  1. Generate CA private key
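# The CA key is written unencrypted (no cipher option is passed to genrsa), so
# file permissions are its only protection. Anyone who can read ca.key can
# issue certificates that every system trusting ca.crt will accept.
# umask 077 in a subshell makes the file owner-only from creation; the chmod
# also covers a ca.key that already existed with wider permissions.
(umask 077 && openssl genrsa -out ca.key 4096)
chmod 600 ca.key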
  1. Generate CA certificate (10 years, for example)
# Self-signed root certificate for the CA, valid for 3650 days (about 10 years).
# basicConstraints is critical with CA:TRUE so this certificate may sign others.
# -nodes only matters when req creates a new key; here the existing ca.key is
# supplied with -key, so this command writes no private key.
openssl req -new -x509 -nodes \
  -subj "/CN=My Homelab CA" \
  -addext "basicConstraints=critical,CA:TRUE" \
  -days 3650 \
  -key ca.key \
  -out ca.crt
  1. Issue GitLab certificate
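# Generate the server key and CSR.
# -nodes leaves the private key unencrypted so the service can load it
# unattended. umask 077 keeps the key owner-only from the moment it is
# created instead of relying only on the chmod at the end.
(
  umask 077
  openssl req -new -newkey rsa:4096 -nodes \
    -keyout gitlab.homelab.internal.key \
    -out gitlab.homelab.internal.csr \
    -subj "/CN=gitlab.homelab.internal" \
    -addext "subjectAltName = DNS:gitlab.homelab.internal"
)

# Sign the CSR with the CA.
# `openssl x509 -req` does not copy extensions from the CSR by default, so the
# SAN is repeated in -extfile. The extra lines constrain the certificate to a
# non-CA TLS server certificate, so a leaked server key cannot act as a CA.
# -CAcreateserial creates the CA serial-number file if it does not exist yet.
# <( ... ) is process substitution: run this in bash or a compatible shell.
# NOTE(review): some TLS clients (for example Apple platforms) reject server
# certificates valid for more than 825 days, even from privately installed
# CAs. Shorten -days if such clients must connect.
openssl x509 -req -in gitlab.homelab.internal.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out gitlab.homelab.internal.crt \
  -days 3650 \
  -extfile <(printf '%s\n' \
    "subjectAltName=DNS:gitlab.homelab.internal" \
    "basicConstraints=critical,CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" \
    "extendedKeyUsage=serverAuth")

# Set permissions: the certificate is public, the key is owner-only.
chmod 644 gitlab.homelab.internal.crt
chmod 600 gitlab.homelab.internal.key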
  1. Issue GitLab registry certificate
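# Generate the registry key and CSR.
# -nodes leaves the private key unencrypted so the service can load it
# unattended. umask 077 keeps the key owner-only from the moment it is
# created instead of relying only on the chmod at the end.
(
  umask 077
  openssl req -new -newkey rsa:4096 -nodes \
    -keyout registry.gitlab.homelab.internal.key \
    -out registry.gitlab.homelab.internal.csr \
    -subj "/CN=registry.gitlab.homelab.internal" \
    -addext "subjectAltName = DNS:registry.gitlab.homelab.internal"
)

# Sign the CSR with the CA.
# `openssl x509 -req` does not copy extensions from the CSR by default, so the
# SAN is repeated in -extfile. The extra lines constrain the certificate to a
# non-CA TLS server certificate, so a leaked server key cannot act as a CA.
# -CAcreateserial creates the CA serial-number file if it does not exist yet.
# <( ... ) is process substitution: run this in bash or a compatible shell.
# NOTE(review): some TLS clients (for example Apple platforms) reject server
# certificates valid for more than 825 days, even from privately installed
# CAs. Shorten -days if such clients must connect.
openssl x509 -req -in registry.gitlab.homelab.internal.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out registry.gitlab.homelab.internal.crt \
  -days 3650 \
  -extfile <(printf '%s\n' \
    "subjectAltName=DNS:registry.gitlab.homelab.internal" \
    "basicConstraints=critical,CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" \
    "extendedKeyUsage=serverAuth")

# Set permissions: the certificate is public, the key is owner-only.
chmod 644 registry.gitlab.homelab.internal.crt
chmod 600 registry.gitlab.homelab.internal.key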
  1. Create Kubernetes secrets
# Distribute the CA material to both clusters.
# `kubectl config use-context` changes the current context stored in the
# kubeconfig file, so every following command targets that cluster.
# `kubectl create` fails if the object already exists; a re-run reports errors
# for whatever is already present.
export KUBECONFIG=~/.kube/vmkube

# ---- cluster: admin@vmkube-1 ----
kubectl config use-context admin@vmkube-1

# root-secret is the only secret here that contains ca.key. Anyone who can
# read Secrets in the cert-manager namespace can sign certificates trusted
# wherever ca.crt is installed. Secret values are base64-encoded, not
# encrypted, unless encryption at rest is configured, so keep RBAC on this
# namespace tight.
kubectl create namespace cert-manager
kubectl create secret tls root-secret --namespace cert-manager --cert=ca.crt --key=ca.key

# The remaining namespaces receive only the public CA certificate.
kubectl create namespace kargo
kubectl create secret generic root-secret-cacert --namespace kargo --from-file=ca.crt

kubectl create namespace external-secrets
kubectl create secret generic root-secret-cacert --namespace external-secrets --from-file=ca.crt

# Here the certificate is stored under the key "cacert" instead of "ca.crt".
kubectl create namespace victoria-metrics-k8s-stack
kubectl create secret generic root-secret-cacert --namespace victoria-metrics-k8s-stack --from-file=cacert=ca.crt

# ---- cluster: admin@vmkube-2 ----
kubectl config use-context admin@vmkube-2

# Second copy of the CA private key: the same access caveat as on vmkube-1.
kubectl create namespace cert-manager
kubectl create secret tls root-secret --namespace cert-manager --cert=ca.crt --key=ca.key

kubectl create namespace external-secrets
kubectl create secret generic root-secret-cacert --namespace external-secrets --from-file=ca.crt

kubectl create namespace victoria-metrics-k8s-stack
kubectl create secret generic root-secret-cacert --namespace victoria-metrics-k8s-stack --from-file=cacert=ca.crt

# The key gitlab.homelab.internal.crt holds the contents of ca.crt, not the
# server certificate. Presumably the runner looks up a trust file named after
# the GitLab host; confirm against the runner configuration.
kubectl create namespace gitlab-runner
kubectl create secret generic root-secret-cacert --namespace gitlab-runner --from-file=ca.crt --from-file=gitlab.homelab.internal.crt=ca.crt
kubectl create secret generic registry-secret-cacert --namespace gitlab-runner --from-file=ca.crt
  1. Import ca.crt into the local system trust store:
# Install the CA certificate (never ca.key) into the local trust directory and
# rebuild the system bundle. update-ca-certificates only picks up files ending
# in .crt from this directory.
# After this, every TLS client that uses the system store accepts any
# certificate issued by this CA, so the protection of ca.key matters
# machine-wide.
sudo cp -- ca.crt /usr/local/share/ca-certificates/ca.crt
sudo update-ca-certificates

Also import ca.crt into the browser's certificate store.

Step completed!