Storing Virtual Machines as Kubernetes resources in git for automated deployment promotes consistency, resilency, and accountability, but commiting secrets to git is risky and should be avoided. Use the External Secrets Operator to securely store cloud-init and other data, and sleep soundly!
This post demonstrates how to properly generate kubeconfig files for OpenShift ServiceAccounts, enabling secure token-based authentication and TLS connections. You will learn how to create ServiceAccounts, generate time-limited tokens, bundle CA certificates, and package everything into a distributable kubeconfig file that can be stored as a Secret for download.
If you find yourself frequently rebuilding OpenShift clusters and potentially reusing cluster names, you may find it challanging to manage the credentials consistently and securely. Here is a solution using 1Password.
OpenShift creates a number of Certificate Authorities to sign TLS certificates which secure functions including load balancing of the API and Ingress services.
Recent versions of openshift-install will place all the CA certificates in the generated auth/kubeconfig file.
Here is how to extract and split those certificates into individual files which eases the process of trusting them particularly on a Mac.
Copyright (c) 2021, Dale Bewley; all rights reserved.
Template by Bootstrapious. Ported to Hugo by DevCows.
