machine_setup/nix/kubernetes/keys/package/k8s-ca/files/client-ca.conf

[req]
distinguished_name = req_distinguished_name
prompt             = no
x509_extensions    = ca_x509_extensions

[ca_x509_extensions]
basicConstraints = CA:TRUE
keyUsage         = cRLSign, keyCertSign

[req_distinguished_name]
C   = US
ST  = Washington
L   = Seattle
CN  = CA

[admin]
distinguished_name = admin_distinguished_name
prompt             = no
req_extensions     = default_req_extensions

[admin_distinguished_name]
CN = admin
O  = system:masters

# Service Accounts
#
# The Kubernetes Controller Manager leverages a key pair to generate
# and sign service account tokens as described in the
# [managing service accounts](https://kubernetes.io/docs/admin/service-accounts-admin/)
# documentation.

[service-accounts]
distinguished_name = service-accounts_distinguished_name
prompt             = no
req_extensions     = default_req_extensions

[service-accounts_distinguished_name]
CN = service-accounts

# Worker Nodes
#
# Kubernetes uses a [special-purpose authorization mode](https://kubernetes.io/docs/admin/authorization/node/)
# called Node Authorizer, that specifically authorizes API requests made
# by [Kubelets](https://kubernetes.io/docs/concepts/overview/components/#kubelet).
# In order to be authorized by the Node Authorizer, Kubelets must use a credential
# that identifies them as being in the `system:nodes` group, with a username
# of `system:node:<nodeName>`.

[controller0]
distinguished_name = controller0_distinguished_name
prompt             = no
req_extensions     = controller0_req_extensions

[controller0_req_extensions]
basicConstraints     = CA:FALSE
extendedKeyUsage     = clientAuth, serverAuth
keyUsage             = critical, digitalSignature, keyEncipherment
nsCertType           = client
nsComment            = "controller0 Certificate"
subjectAltName       = DNS:controller0, IP:127.0.0.1
subjectKeyIdentifier = hash

[controller0_distinguished_name]
CN = system:node:controller0
O  = system:nodes
C  = US
ST = Washington
L  = Seattle

[controller1]
distinguished_name = controller1_distinguished_name
prompt             = no
req_extensions     = controller1_req_extensions

[controller1_req_extensions]
basicConstraints     = CA:FALSE
extendedKeyUsage     = clientAuth, serverAuth
keyUsage             = critical, digitalSignature, keyEncipherment
nsCertType           = client
nsComment            = "controller1 Certificate"
subjectAltName       = DNS:controller1, IP:127.0.0.1
subjectKeyIdentifier = hash

[controller1_distinguished_name]
CN = system:node:controller1
O  = system:nodes
C  = US
ST = Washington
L  = Seattle

[controller2]
distinguished_name = controller2_distinguished_name
prompt             = no
req_extensions     = controller2_req_extensions

[controller2_req_extensions]
basicConstraints     = CA:FALSE
extendedKeyUsage     = clientAuth, serverAuth
keyUsage             = critical, digitalSignature, keyEncipherment
nsCertType           = client
nsComment            = "controller2 Certificate"
subjectAltName       = DNS:controller2, IP:127.0.0.1
subjectKeyIdentifier = hash

[controller2_distinguished_name]
CN = system:node:controller2
O  = system:nodes
C  = US
ST = Washington
L  = Seattle

[worker0]
distinguished_name = worker0_distinguished_name
prompt             = no
req_extensions     = worker0_req_extensions

[worker0_req_extensions]
basicConstraints     = CA:FALSE
extendedKeyUsage     = clientAuth, serverAuth
keyUsage             = critical, digitalSignature, keyEncipherment
nsCertType           = client
nsComment            = "worker0 Certificate"
subjectAltName       = DNS:worker0, IP:127.0.0.1
subjectKeyIdentifier = hash

[worker0_distinguished_name]
CN = system:node:worker0
O  = system:nodes
C  = US
ST = Washington
L  = Seattle

[worker1]
distinguished_name = worker1_distinguished_name
prompt             = no
req_extensions     = worker1_req_extensions

[worker1_req_extensions]
basicConstraints     = CA:FALSE
extendedKeyUsage     = clientAuth, serverAuth
keyUsage             = critical, digitalSignature, keyEncipherment
nsCertType           = client
nsComment            = "worker1 Certificate"
subjectAltName       = DNS:worker1, IP:127.0.0.1
subjectKeyIdentifier = hash

[worker1_distinguished_name]
CN = system:node:worker1
O  = system:nodes
C  = US
ST = Washington
L  = Seattle

[worker2]
distinguished_name = worker2_distinguished_name
prompt             = no
req_extensions     = worker2_req_extensions

[worker2_req_extensions]
basicConstraints     = CA:FALSE
extendedKeyUsage     = clientAuth, serverAuth
keyUsage             = critical, digitalSignature, keyEncipherment
nsCertType           = client
nsComment            = "worker2 Certificate"
subjectAltName       = DNS:worker2, IP:127.0.0.1
subjectKeyIdentifier = hash

[worker2_distinguished_name]
CN = system:node:worker2
O  = system:nodes
C  = US
ST = Washington
L  = Seattle


# Kube Proxy Section
[kube-proxy]
distinguished_name = kube-proxy_distinguished_name
prompt             = no
req_extensions     = kube-proxy_req_extensions

[kube-proxy_req_extensions]
basicConstraints     = CA:FALSE
extendedKeyUsage     = clientAuth, serverAuth
keyUsage             = critical, digitalSignature, keyEncipherment
nsCertType           = client
nsComment            = "Kube Proxy Certificate"
subjectAltName       = DNS:kube-proxy, IP:127.0.0.1
subjectKeyIdentifier = hash

[kube-proxy_distinguished_name]
CN = system:kube-proxy
O  = system:node-proxier
C  = US
ST = Washington
L  = Seattle


# Controller Manager
[kube-controller-manager]
distinguished_name = kube-controller-manager_distinguished_name
prompt             = no
req_extensions     = kube-controller-manager_req_extensions

[kube-controller-manager_req_extensions]
basicConstraints     = CA:FALSE
extendedKeyUsage     = clientAuth, serverAuth
keyUsage             = critical, digitalSignature, keyEncipherment
nsCertType           = client
nsComment            = "Kube Controller Manager Certificate"
subjectAltName       = DNS:kube-controller-manager, IP:127.0.0.1
subjectKeyIdentifier = hash

[kube-controller-manager_distinguished_name]
CN = system:kube-controller-manager
O  = system:kube-controller-manager
C  = US
ST = Washington
L  = Seattle


# Scheduler
[kube-scheduler]
distinguished_name = kube-scheduler_distinguished_name
prompt             = no
req_extensions     = kube-scheduler_req_extensions

[kube-scheduler_req_extensions]
basicConstraints     = CA:FALSE
extendedKeyUsage     = clientAuth, serverAuth
keyUsage             = critical, digitalSignature, keyEncipherment
nsCertType           = client
nsComment            = "Kube Scheduler Certificate"
subjectAltName       = DNS:kube-scheduler, IP:127.0.0.1
subjectKeyIdentifier = hash

[kube-scheduler_distinguished_name]
CN = system:kube-scheduler
O  = system:system:kube-scheduler
C  = US
ST = Washington
L  = Seattle


# API Server
#
# The Kubernetes API server is automatically assigned the `kubernetes`
# internal dns name, which will be linked to the first IP address (`10.32.0.1`)
# from the address range (`10.32.0.0/24`) reserved for internal cluster
# services.

[kube-api-server]
distinguished_name = kube-api-server_distinguished_name
prompt             = no
req_extensions     = kube-api-server_req_extensions

[kube-api-server_req_extensions]
basicConstraints     = CA:FALSE
extendedKeyUsage     = clientAuth, serverAuth
keyUsage             = critical, digitalSignature, keyEncipherment
nsCertType           = client, server
nsComment            = "Kube API Server Certificate"
subjectAltName       = @kube-api-server_alt_names
subjectKeyIdentifier = hash

[kube-api-server_alt_names]
IP.0  = 127.0.0.1
IP.1  = 10.0.0.1
IP.2  = 10.215.1.221
IP.3  = 2620:11f:7001:7:ffff:ffff:0ad7:01dd
IP.4  = 10.215.1.222
IP.5  = 2620:11f:7001:7:ffff:ffff:0ad7:01de
IP.6  = 10.215.1.223
IP.7  = 2620:11f:7001:7:ffff:ffff:0ad7:01df
IP.8  = 10.215.1.224
IP.9  = 2620:11f:7001:7:ffff:ffff:0ad7:01e0
IP.10  = 10.215.1.225
IP.11  = 2620:11f:7001:7:ffff:ffff:0ad7:01e1
IP.12  = 10.215.1.226
IP.13  = 2620:11f:7001:7:ffff:ffff:0ad7:01e2
IP.14  = fd00:3e42:e349::1
IP.15  = 2620:11f:7001:7:ffff:eeee::1
DNS.0 = kubernetes
DNS.1 = kubernetes.default
DNS.2 = kubernetes.default.svc
DNS.3 = kubernetes.default.svc.cluster
DNS.4 = kubernetes.svc.cluster.local
DNS.5 = server.kubernetes.local
DNS.6 = api-server.kubernetes.local

[kube-api-server_distinguished_name]
CN = kubernetes
C  = US
ST = Washington
L  = Seattle


[default_req_extensions]
basicConstraints     = CA:FALSE
extendedKeyUsage     = clientAuth
keyUsage             = critical, digitalSignature, keyEncipherment
nsCertType           = client
nsComment            = "Admin Client Certificate"
subjectKeyIdentifier = hash
Switch to generating certs with openssl. 2025-12-14 18:24:24 -05:00			`[req]`
			`distinguished_name = req_distinguished_name`
			`prompt = no`
			`x509_extensions = ca_x509_extensions`

			`[ca_x509_extensions]`
			`basicConstraints = CA:TRUE`
			`keyUsage = cRLSign, keyCertSign`

			`[req_distinguished_name]`
			`C = US`
			`ST = Washington`
			`L = Seattle`
			`CN = CA`

			`[admin]`
			`distinguished_name = admin_distinguished_name`
			`prompt = no`
			`req_extensions = default_req_extensions`

			`[admin_distinguished_name]`
			`CN = admin`
			`O = system:masters`

			`# Service Accounts`
			`#`
			`# The Kubernetes Controller Manager leverages a key pair to generate`
			`# and sign service account tokens as described in the`
			`# [managing service accounts](https://kubernetes.io/docs/admin/service-accounts-admin/)`
			`# documentation.`

			`[service-accounts]`
			`distinguished_name = service-accounts_distinguished_name`
			`prompt = no`
			`req_extensions = default_req_extensions`

			`[service-accounts_distinguished_name]`
			`CN = service-accounts`

			`# Worker Nodes`
			`#`
			`# Kubernetes uses a [special-purpose authorization mode](https://kubernetes.io/docs/admin/authorization/node/)`
			`# called Node Authorizer, that specifically authorizes API requests made`
			`# by [Kubelets](https://kubernetes.io/docs/concepts/overview/components/#kubelet).`
			`# In order to be authorized by the Node Authorizer, Kubelets must use a credential`
			# that identifies them as being in the `system:nodes` group, with a username
			# of `system:node:<nodeName>`.

			`[controller0]`
			`distinguished_name = controller0_distinguished_name`
			`prompt = no`
			`req_extensions = controller0_req_extensions`

			`[controller0_req_extensions]`
			`basicConstraints = CA:FALSE`
			`extendedKeyUsage = clientAuth, serverAuth`
			`keyUsage = critical, digitalSignature, keyEncipherment`
			`nsCertType = client`
			`nsComment = "controller0 Certificate"`
			`subjectAltName = DNS:controller0, IP:127.0.0.1`
			`subjectKeyIdentifier = hash`

			`[controller0_distinguished_name]`
			`CN = system:node:controller0`
			`O = system:nodes`
			`C = US`
			`ST = Washington`
			`L = Seattle`

			`[controller1]`
			`distinguished_name = controller1_distinguished_name`
			`prompt = no`
			`req_extensions = controller1_req_extensions`

			`[controller1_req_extensions]`
			`basicConstraints = CA:FALSE`
			`extendedKeyUsage = clientAuth, serverAuth`
			`keyUsage = critical, digitalSignature, keyEncipherment`
			`nsCertType = client`
			`nsComment = "controller1 Certificate"`
			`subjectAltName = DNS:controller1, IP:127.0.0.1`
			`subjectKeyIdentifier = hash`

			`[controller1_distinguished_name]`
			`CN = system:node:controller1`
			`O = system:nodes`
			`C = US`
			`ST = Washington`
			`L = Seattle`

			`[controller2]`
			`distinguished_name = controller2_distinguished_name`
			`prompt = no`
			`req_extensions = controller2_req_extensions`

			`[controller2_req_extensions]`
			`basicConstraints = CA:FALSE`
			`extendedKeyUsage = clientAuth, serverAuth`
			`keyUsage = critical, digitalSignature, keyEncipherment`
			`nsCertType = client`
			`nsComment = "controller2 Certificate"`
			`subjectAltName = DNS:controller2, IP:127.0.0.1`
			`subjectKeyIdentifier = hash`

			`[controller2_distinguished_name]`
			`CN = system:node:controller2`
			`O = system:nodes`
			`C = US`
			`ST = Washington`
			`L = Seattle`

			`[worker0]`
			`distinguished_name = worker0_distinguished_name`
			`prompt = no`
			`req_extensions = worker0_req_extensions`

			`[worker0_req_extensions]`
			`basicConstraints = CA:FALSE`
			`extendedKeyUsage = clientAuth, serverAuth`
			`keyUsage = critical, digitalSignature, keyEncipherment`
			`nsCertType = client`
			`nsComment = "worker0 Certificate"`
			`subjectAltName = DNS:worker0, IP:127.0.0.1`
			`subjectKeyIdentifier = hash`

			`[worker0_distinguished_name]`
			`CN = system:node:worker0`
			`O = system:nodes`
			`C = US`
			`ST = Washington`
			`L = Seattle`

			`[worker1]`
			`distinguished_name = worker1_distinguished_name`
			`prompt = no`
			`req_extensions = worker1_req_extensions`

			`[worker1_req_extensions]`
			`basicConstraints = CA:FALSE`
			`extendedKeyUsage = clientAuth, serverAuth`
			`keyUsage = critical, digitalSignature, keyEncipherment`
			`nsCertType = client`
			`nsComment = "worker1 Certificate"`
			`subjectAltName = DNS:worker1, IP:127.0.0.1`
			`subjectKeyIdentifier = hash`

			`[worker1_distinguished_name]`
			`CN = system:node:worker1`
			`O = system:nodes`
			`C = US`
			`ST = Washington`
			`L = Seattle`

			`[worker2]`
			`distinguished_name = worker2_distinguished_name`
			`prompt = no`
			`req_extensions = worker2_req_extensions`

			`[worker2_req_extensions]`
			`basicConstraints = CA:FALSE`
			`extendedKeyUsage = clientAuth, serverAuth`
			`keyUsage = critical, digitalSignature, keyEncipherment`
			`nsCertType = client`
			`nsComment = "worker2 Certificate"`
			`subjectAltName = DNS:worker2, IP:127.0.0.1`
			`subjectKeyIdentifier = hash`

			`[worker2_distinguished_name]`
			`CN = system:node:worker2`
			`O = system:nodes`
			`C = US`
			`ST = Washington`
			`L = Seattle`



			`# Kube Proxy Section`
			`[kube-proxy]`
			`distinguished_name = kube-proxy_distinguished_name`
			`prompt = no`
			`req_extensions = kube-proxy_req_extensions`

			`[kube-proxy_req_extensions]`
			`basicConstraints = CA:FALSE`
			`extendedKeyUsage = clientAuth, serverAuth`
			`keyUsage = critical, digitalSignature, keyEncipherment`
			`nsCertType = client`
			`nsComment = "Kube Proxy Certificate"`
			`subjectAltName = DNS:kube-proxy, IP:127.0.0.1`
			`subjectKeyIdentifier = hash`

			`[kube-proxy_distinguished_name]`
			`CN = system:kube-proxy`
			`O = system:node-proxier`
			`C = US`
			`ST = Washington`
			`L = Seattle`


			`# Controller Manager`
			`[kube-controller-manager]`
			`distinguished_name = kube-controller-manager_distinguished_name`
			`prompt = no`
			`req_extensions = kube-controller-manager_req_extensions`

			`[kube-controller-manager_req_extensions]`
			`basicConstraints = CA:FALSE`
			`extendedKeyUsage = clientAuth, serverAuth`
			`keyUsage = critical, digitalSignature, keyEncipherment`
			`nsCertType = client`
			`nsComment = "Kube Controller Manager Certificate"`
			`subjectAltName = DNS:kube-controller-manager, IP:127.0.0.1`
			`subjectKeyIdentifier = hash`

			`[kube-controller-manager_distinguished_name]`
			`CN = system:kube-controller-manager`
			`O = system:kube-controller-manager`
			`C = US`
			`ST = Washington`
			`L = Seattle`


			`# Scheduler`
			`[kube-scheduler]`
			`distinguished_name = kube-scheduler_distinguished_name`
			`prompt = no`
			`req_extensions = kube-scheduler_req_extensions`

			`[kube-scheduler_req_extensions]`
			`basicConstraints = CA:FALSE`
			`extendedKeyUsage = clientAuth, serverAuth`
			`keyUsage = critical, digitalSignature, keyEncipherment`
			`nsCertType = client`
			`nsComment = "Kube Scheduler Certificate"`
			`subjectAltName = DNS:kube-scheduler, IP:127.0.0.1`
			`subjectKeyIdentifier = hash`

			`[kube-scheduler_distinguished_name]`
			`CN = system:kube-scheduler`
			`O = system:system:kube-scheduler`
			`C = US`
			`ST = Washington`
			`L = Seattle`


			`# API Server`
			`#`
			# The Kubernetes API server is automatically assigned the `kubernetes`
			# internal dns name, which will be linked to the first IP address (`10.32.0.1`)
			# from the address range (`10.32.0.0/24`) reserved for internal cluster
			`# services.`

			`[kube-api-server]`
			`distinguished_name = kube-api-server_distinguished_name`
			`prompt = no`
			`req_extensions = kube-api-server_req_extensions`

			`[kube-api-server_req_extensions]`
			`basicConstraints = CA:FALSE`
			`extendedKeyUsage = clientAuth, serverAuth`
			`keyUsage = critical, digitalSignature, keyEncipherment`
			`nsCertType = client, server`
			`nsComment = "Kube API Server Certificate"`
			`subjectAltName = @kube-api-server_alt_names`
			`subjectKeyIdentifier = hash`

			`[kube-api-server_alt_names]`
			`IP.0 = 127.0.0.1`
Move the encryption config into a package. 2025-12-14 20:28:48 -05:00			`IP.1 = 10.0.0.1`
			`IP.2 = 10.215.1.221`
			`IP.3 = 2620:11f:7001:7:ffff:ffff:0ad7:01dd`
			`IP.4 = 10.215.1.222`
			`IP.5 = 2620:11f:7001:7:ffff:ffff:0ad7:01de`
			`IP.6 = 10.215.1.223`
			`IP.7 = 2620:11f:7001:7:ffff:ffff:0ad7:01df`
			`IP.8 = 10.215.1.224`
			`IP.9 = 2620:11f:7001:7:ffff:ffff:0ad7:01e0`
			`IP.10 = 10.215.1.225`
			`IP.11 = 2620:11f:7001:7:ffff:ffff:0ad7:01e1`
			`IP.12 = 10.215.1.226`
			`IP.13 = 2620:11f:7001:7:ffff:ffff:0ad7:01e2`
Fix service cluster ip range. Kubernetes only allows a /112 for service ip range. 2025-12-29 04:58:49 -05:00			`IP.14 = fd00:3e42:e349::1`
Allow pods to directly speak to the public internet on their own public IPv6 addresses. 2025-12-29 18:35:20 -05:00			`IP.15 = 2620:11f:7001:7:ffff:eeee::1`
Switch to generating certs with openssl. 2025-12-14 18:24:24 -05:00			`DNS.0 = kubernetes`
			`DNS.1 = kubernetes.default`
			`DNS.2 = kubernetes.default.svc`
			`DNS.3 = kubernetes.default.svc.cluster`
			`DNS.4 = kubernetes.svc.cluster.local`
			`DNS.5 = server.kubernetes.local`
			`DNS.6 = api-server.kubernetes.local`

			`[kube-api-server_distinguished_name]`
			`CN = kubernetes`
			`C = US`
			`ST = Washington`
			`L = Seattle`


			`[default_req_extensions]`
			`basicConstraints = CA:FALSE`
			`extendedKeyUsage = clientAuth`
			`keyUsage = critical, digitalSignature, keyEncipherment`
			`nsCertType = client`
			`nsComment = "Admin Client Certificate"`
			`subjectKeyIdentifier = hash`