Certificate signer on CDK

My goal is to write a MutatingAdmissionWebhook and I need to create a TLS certificate signed by the Kubernetes CA. By default the CDK does not seem to have a certificate signer set up, and I’m wondering how best to go about this. It seems that I need 2 extra config parameters, which I can set with controller-manager-extra-args, namely --cluster-signing-cert-file and --cluster-signing-key-file. But I’m not sure what values these should get. Can anyone point me in the right direction to set this up?


I got it working by copying the ca.key from the easyrsa lxd container to the kubernetes-master unit and saving it in /root/cdk.

After this I ran the juju config command:
juju config kubernetes-master "controller-manager-extra-args=cluster-signing-cert-file=/root/cdk/ca.crt cluster-signing-key-file=/root/cdk/ca.key"


HEY! @sborny, where did you get the ca.key from the easy-rsa machine?! I can’t seem to find it… Thanks!

You can find it at /var/lib/juju/agents/unit-easyrsa-0/charm/EasyRSA/pki/private, mind the unit name/number.
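
Added example, not part of the original thread and not CDK's own tooling: a check to run on the kubernetes-master unit before pointing the controller manager at the copied files, confirming that the key is owner-only, that the certificate is a CA certificate, and that the two belong together. It assumes GNU stat and the openssl CLI; the function name check_signing_pair is hypothetical.

```shell
#!/bin/sh
# Added example. check_signing_pair is a hypothetical helper name.
# Usage: sh check_pair.sh /root/cdk/ca.crt /root/cdk/ca.key
# Return codes: 0 ok, 2 unreadable, 3 key permissions, 4 not a CA, 5 mismatch.
check_signing_pair() {
    cert=$1
    key=$2

    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "missing or unreadable file" >&2
        return 2
    fi

    # The cluster CA key can sign any identity in the cluster, so a copy of it
    # must not be readable by group or other (GNU stat syntax).
    mode=$(stat -c '%a' "$key") || return 2
    case "$mode" in
        400|600) ;;
        *) echo "key mode $mode too permissive, expected 600 or 400" >&2
           return 3 ;;
    esac

    # The file passed as the cluster signing certificate must be a CA certificate.
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "certificate is not a CA certificate" >&2
        return 4
    fi

    # Derive the public key from each file and compare the PEM text;
    # this works for both RSA and EC keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 4
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot parse private key" >&2
        return 5
    }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do not match" >&2
        return 5
    fi

    echo "ok: $cert and $key form a usable signing pair"
}

# Run the check only when a certificate path and a key path are given.
if [ "$#" -eq 2 ]; then
    check_signing_pair "$1" "$2"
fi
```

A non-zero return means the files should not be passed to cluster-signing-cert-file and cluster-signing-key-file as they are.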