Create kubernetes CA signed kubelet certificates on activation

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-10-01 01:36:09 -04:00 · 2022-06-02 15:58:19 +02:00 · 2022-06-02 15:58:19 +02:00 · 963c6f98e5
commit 963c6f98e5
parent 4d50e4c657
7 changed files with 490 additions and 60 deletions
--- a/activation/activationproto/activation.pb.go
+++ b/activation/activationproto/activation.pb.go
@ -26,6 +26,7 @@ type ActivateNodeRequest struct {
 	unknownFields protoimpl.UnknownFields

 	DiskUuid string `protobuf:"bytes,1,opt,name=disk_uuid,json=diskUuid,proto3" json:"disk_uuid,omitempty"`
+	NodeName string `protobuf:"bytes,2,opt,name=node_name,json=nodeName,proto3" json:"node_name,omitempty"`
 }

 func (x *ActivateNodeRequest) Reset() {
@ -67,6 +68,13 @@ func (x *ActivateNodeRequest) GetDiskUuid() string {
 	return ""
 }

+func (x *ActivateNodeRequest) GetNodeName() string {
+	if x != nil {
+		return x.NodeName
+	}
+	return ""
+}
+
 type ActivateNodeResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@ -75,9 +83,11 @@ type ActivateNodeResponse struct {
 	StateDiskKey             []byte `protobuf:"bytes,1,opt,name=state_disk_key,json=stateDiskKey,proto3" json:"state_disk_key,omitempty"`
 	OwnerId                  []byte `protobuf:"bytes,2,opt,name=owner_id,json=ownerId,proto3" json:"owner_id,omitempty"`
 	ClusterId                []byte `protobuf:"bytes,3,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"`
-	ApiServerEndpoint        string `protobuf:"bytes,4,opt,name=api_server_endpoint,json=apiServerEndpoint,proto3" json:"api_server_endpoint,omitempty"`
-	Token                    string `protobuf:"bytes,5,opt,name=token,proto3" json:"token,omitempty"`
-	DiscoveryTokenCaCertHash string `protobuf:"bytes,6,opt,name=discovery_token_ca_cert_hash,json=discoveryTokenCaCertHash,proto3" json:"discovery_token_ca_cert_hash,omitempty"`
+	KubeletKey               []byte `protobuf:"bytes,4,opt,name=kubelet_key,json=kubeletKey,proto3" json:"kubelet_key,omitempty"`
+	KubeletCert              []byte `protobuf:"bytes,5,opt,name=kubelet_cert,json=kubeletCert,proto3" json:"kubelet_cert,omitempty"`
+	ApiServerEndpoint        string `protobuf:"bytes,6,opt,name=api_server_endpoint,json=apiServerEndpoint,proto3" json:"api_server_endpoint,omitempty"`
+	Token                    string `protobuf:"bytes,7,opt,name=token,proto3" json:"token,omitempty"`
+	DiscoveryTokenCaCertHash string `protobuf:"bytes,8,opt,name=discovery_token_ca_cert_hash,json=discoveryTokenCaCertHash,proto3" json:"discovery_token_ca_cert_hash,omitempty"`
 }

 func (x *ActivateNodeResponse) Reset() {
@ -133,6 +143,20 @@ func (x *ActivateNodeResponse) GetClusterId() []byte {
 	return nil
 }

+func (x *ActivateNodeResponse) GetKubeletKey() []byte {
+	if x != nil {
+		return x.KubeletKey
+	}
+	return nil
+}
+
+func (x *ActivateNodeResponse) GetKubeletCert() []byte {
+	if x != nil {
+		return x.KubeletCert
+	}
+	return nil
+}
+
 func (x *ActivateNodeResponse) GetApiServerEndpoint() string {
 	if x != nil {
 		return x.ApiServerEndpoint
@ -234,46 +258,52 @@ var File_activation_proto protoreflect.FileDescriptor

 var file_activation_proto_rawDesc = []byte{
 	0x0a, 0x10, 0x61, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x12, 0x06, 0x70, 0x75, 0x62, 0x61, 0x70, 0x69, 0x22, 0x32, 0x0a, 0x13, 0x41, 0x63,
+	0x74, 0x6f, 0x12, 0x06, 0x70, 0x75, 0x62, 0x61, 0x70, 0x69, 0x22, 0x4f, 0x0a, 0x13, 0x41, 0x63,
 	0x74, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
 	0x74, 0x12, 0x1b, 0x0a, 0x09, 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x64, 0x69, 0x73, 0x6b, 0x55, 0x75, 0x69, 0x64, 0x22, 0xfc,
-	0x01, 0x0a, 0x14, 0x41, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a, 0x0e, 0x73, 0x74, 0x61, 0x74, 0x65,
-	0x5f, 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52,
-	0x0c, 0x73, 0x74, 0x61, 0x74, 0x65, 0x44, 0x69, 0x73, 0x6b, 0x4b, 0x65, 0x79, 0x12, 0x19, 0x0a,
-	0x08, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52,
-	0x07, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x49, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x6c, 0x75, 0x73,
-	0x74, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x63, 0x6c,
-	0x75, 0x73, 0x74, 0x65, 0x72, 0x49, 0x64, 0x12, 0x2e, 0x0a, 0x13, 0x61, 0x70, 0x69, 0x5f, 0x73,
-	0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x04,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x61, 0x70, 0x69, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x45,
-	0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e,
-	0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x3e, 0x0a,
-	0x1c, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e,
-	0x5f, 0x63, 0x61, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x68, 0x61, 0x73, 0x68, 0x18, 0x06, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x18, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x54, 0x6f,
-	0x6b, 0x65, 0x6e, 0x43, 0x61, 0x43, 0x65, 0x72, 0x74, 0x48, 0x61, 0x73, 0x68, 0x22, 0x1c, 0x0a,
-	0x1a, 0x41, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x65, 0x43, 0x6f, 0x6f, 0x72, 0x64, 0x69, 0x6e,
-	0x61, 0x74, 0x6f, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x1d, 0x0a, 0x1b, 0x41,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x64, 0x69, 0x73, 0x6b, 0x55, 0x75, 0x69, 0x64, 0x12, 0x1b,
+	0x0a, 0x09, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x08, 0x6e, 0x6f, 0x64, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0xc0, 0x02, 0x0a, 0x14,
+	0x41, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a, 0x0e, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5f, 0x64, 0x69,
+	0x73, 0x6b, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0c, 0x73, 0x74,
+	0x61, 0x74, 0x65, 0x44, 0x69, 0x73, 0x6b, 0x4b, 0x65, 0x79, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x77,
+	0x6e, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x6f, 0x77,
+	0x6e, 0x65, 0x72, 0x49, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72,
+	0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74,
+	0x65, 0x72, 0x49, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x5f,
+	0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x6c,
+	0x65, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x0a, 0x0c, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, 0x74,
+	0x5f, 0x63, 0x65, 0x72, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0b, 0x6b, 0x75, 0x62,
+	0x65, 0x6c, 0x65, 0x74, 0x43, 0x65, 0x72, 0x74, 0x12, 0x2e, 0x0a, 0x13, 0x61, 0x70, 0x69, 0x5f,
+	0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18,
+	0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x61, 0x70, 0x69, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
+	0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65,
+	0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x3e,
+	0x0a, 0x1c, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x5f, 0x74, 0x6f, 0x6b, 0x65,
+	0x6e, 0x5f, 0x63, 0x61, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x68, 0x61, 0x73, 0x68, 0x18, 0x08,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x18, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x54,
+	0x6f, 0x6b, 0x65, 0x6e, 0x43, 0x61, 0x43, 0x65, 0x72, 0x74, 0x48, 0x61, 0x73, 0x68, 0x22, 0x1c,
+	0x0a, 0x1a, 0x41, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x65, 0x43, 0x6f, 0x6f, 0x72, 0x64, 0x69,
+	0x6e, 0x61, 0x74, 0x6f, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x1d, 0x0a, 0x1b,
+	0x41, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x65, 0x43, 0x6f, 0x6f, 0x72, 0x64, 0x69, 0x6e, 0x61,
+	0x74, 0x6f, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x32, 0xb0, 0x01, 0x0a, 0x03,
+	0x41, 0x50, 0x49, 0x12, 0x49, 0x0a, 0x0c, 0x41, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4e,
+	0x6f, 0x64, 0x65, 0x12, 0x1b, 0x2e, 0x70, 0x75, 0x62, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63, 0x74,
+	0x69, 0x76, 0x61, 0x74, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x1a, 0x1c, 0x2e, 0x70, 0x75, 0x62, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x76, 0x61,
+	0x74, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5e,
+	0x0a, 0x13, 0x41, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x65, 0x43, 0x6f, 0x6f, 0x72, 0x64, 0x69,
+	0x6e, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x22, 0x2e, 0x70, 0x75, 0x62, 0x61, 0x70, 0x69, 0x2e, 0x41,
 	0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x65, 0x43, 0x6f, 0x6f, 0x72, 0x64, 0x69, 0x6e, 0x61, 0x74,
-	0x6f, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x32, 0xb0, 0x01, 0x0a, 0x03, 0x41,
-	0x50, 0x49, 0x12, 0x49, 0x0a, 0x0c, 0x41, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4e, 0x6f,
-	0x64, 0x65, 0x12, 0x1b, 0x2e, 0x70, 0x75, 0x62, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63, 0x74, 0x69,
-	0x76, 0x61, 0x74, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
-	0x1c, 0x2e, 0x70, 0x75, 0x62, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74,
-	0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5e, 0x0a,
-	0x13, 0x41, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x65, 0x43, 0x6f, 0x6f, 0x72, 0x64, 0x69, 0x6e,
-	0x61, 0x74, 0x6f, 0x72, 0x12, 0x22, 0x2e, 0x70, 0x75, 0x62, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63,
-	0x74, 0x69, 0x76, 0x61, 0x74, 0x65, 0x43, 0x6f, 0x6f, 0x72, 0x64, 0x69, 0x6e, 0x61, 0x74, 0x6f,
-	0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x70, 0x75, 0x62, 0x61, 0x70,
-	0x69, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x65, 0x43, 0x6f, 0x6f, 0x72, 0x64, 0x69,
-	0x6e, 0x61, 0x74, 0x6f, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x48, 0x5a,
-	0x46, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65,
-	0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x61, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x69, 0x6f, 0x6e,
-	0x2f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2f, 0x61, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x6f, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x70, 0x75, 0x62, 0x61,
+	0x70, 0x69, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x65, 0x43, 0x6f, 0x6f, 0x72, 0x64,
+	0x69, 0x6e, 0x61, 0x74, 0x6f, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x48,
+	0x5a, 0x46, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67,
+	0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c,
+	0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x61, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x69, 0x6f,
+	0x6e, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2f, 0x61, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74,
+	0x69, 0x6f, 0x6e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
--- a/activation/activationproto/activation.proto
+++ b/activation/activationproto/activation.proto
@ -12,15 +12,18 @@ service API {

 message ActivateNodeRequest {
    string disk_uuid = 1;
+    string node_name = 2;
 }

 message ActivateNodeResponse {
    bytes state_disk_key = 1;
    bytes owner_id = 2;
    bytes cluster_id = 3;
-    string api_server_endpoint = 4;
-    string token = 5;
-    string discovery_token_ca_cert_hash = 6;
+    bytes kubelet_key = 4;
+    bytes kubelet_cert = 5;
+    string api_server_endpoint = 6;
+    string token = 7;
+    string discovery_token_ca_cert_hash = 8;
 }


--- a/activation/cmd/main.go
+++ b/activation/cmd/main.go
@ -5,6 +5,7 @@ import (

 	"github.com/edgelesssys/constellation/activation/kms"
 	"github.com/edgelesssys/constellation/activation/kubeadm"
+	"github.com/edgelesssys/constellation/activation/kubernetesca"
 	"github.com/edgelesssys/constellation/activation/server"
 	"github.com/edgelesssys/constellation/activation/validator"
 	"github.com/edgelesssys/constellation/activation/watcher"
@ -46,7 +47,7 @@ func main() {
 	}
 	kms := kms.New(*kmsEndpoint)

-	server := server.New(handler, kubeadm, kms)
+	server := server.New(handler, kubernetesca.New(handler), kubeadm, kms)

 	watcher, err := watcher.New(validator)
 	if err != nil {
--- a/activation/kubernetesca/kubernetesca.go
+++ b/activation/kubernetesca/kubernetesca.go
@ -0,0 +1,117 @@
+package kubernetesca
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"time"
+
+	"github.com/edgelesssys/constellation/coordinator/util"
+	"github.com/edgelesssys/constellation/internal/file"
+	"k8s.io/klog/v2"
+)
+
+const (
+	caCertFilename = "/etc/kubernetes/pki/ca.crt"
+	caKeyFilename  = "/etc/kubernetes/pki/ca.key"
+)
+
+// KubernetesCA handles signing of certificates using the Kubernetes root CA.
+type KubernetesCA struct {
+	file file.Handler
+}
+
+// New creates a new KubernetesCA.
+func New(fileHandler file.Handler) *KubernetesCA {
+	return &KubernetesCA{
+		file: fileHandler,
+	}
+}
+
+// GetCertificate creates a certificate for a node and signs it using the Kubernetes root CA.
+func (c KubernetesCA) GetCertificate(nodeName string) (cert []byte, key []byte, err error) {
+	klog.V(6).Info("CA: loading Kubernetes CA certificate")
+	parentCertRaw, err := c.file.Read(caCertFilename)
+	if err != nil {
+		return nil, nil, err
+	}
+	parentCertPEM, _ := pem.Decode(parentCertRaw)
+	parentCert, err := x509.ParseCertificate(parentCertPEM.Bytes)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	klog.V(6).Info("CA: loading Kubernetes CA private key")
+	parentKeyRaw, err := c.file.Read(caKeyFilename)
+	if err != nil {
+		return nil, nil, err
+	}
+	parentKeyPEM, _ := pem.Decode(parentKeyRaw)
+	var parentKey any
+	switch parentKeyPEM.Type {
+	case "EC PRIVATE KEY":
+		parentKey, err = x509.ParseECPrivateKey(parentKeyPEM.Bytes)
+	case "RSA PRIVATE KEY":
+		parentKey, err = x509.ParsePKCS1PrivateKey(parentKeyPEM.Bytes)
+	case "PRIVATE KEY":
+		parentKey, err = x509.ParsePKCS8PrivateKey(parentKeyPEM.Bytes)
+	default:
+		return nil, nil, fmt.Errorf("unsupported key type %q", parentCertPEM.Type)
+	}
+	if err != nil {
+		return nil, nil, err
+	}
+
+	klog.V(6).Info("CA: creating kubelet private key")
+	privK, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+	keyBytes, err := x509.MarshalECPrivateKey(privK)
+	if err != nil {
+		return nil, nil, err
+	}
+	kubeletKey := pem.EncodeToMemory(&pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: keyBytes,
+	})
+
+	klog.V(6).Info("CA: creating kubelet certificate")
+	serialNumber, err := util.GenerateCertificateSerialNumber()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	now := time.Now()
+	// Create the kubelet certificate
+	// For a reference on the certificate fields, see: https://kubernetes.io/docs/setup/best-practices/certificates/
+	certTmpl := &x509.Certificate{
+		SerialNumber: serialNumber,
+		NotBefore:    now.Add(-2 * time.Hour),
+		NotAfter:     now.Add(24 * 365 * time.Hour),
+		Subject: pkix.Name{
+			Organization: []string{"system:nodes"},
+			CommonName:   fmt.Sprintf("system:node:%s", nodeName),
+		},
+		KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageClientAuth,
+		},
+		IsCA:                  false,
+		BasicConstraintsValid: true,
+	}
+	certRaw, err := x509.CreateCertificate(rand.Reader, certTmpl, parentCert, &privK.PublicKey, parentKey)
+	if err != nil {
+		return nil, nil, err
+	}
+	kubeletCert := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: certRaw,
+	})
+
+	return kubeletCert, kubeletKey, nil
+}
--- a/activation/kubernetesca/kubernetesca_test.go
+++ b/activation/kubernetesca/kubernetesca_test.go
@ -0,0 +1,197 @@
+package kubernetesca
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"testing"
+	"time"
+
+	"github.com/edgelesssys/constellation/internal/file"
+	"github.com/spf13/afero"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetCertificate(t *testing.T) {
+	ecCert, ecKey := mustCreateCert(mustCreateECKey)
+	rsaCert, rsaKey := mustCreateCert(mustCreateRSAKey)
+	testCert, testKey := mustCreateCert(mustCreatePKCS8Key)
+	unsupportedKey := []byte(`-----BEGIN SOME KEY-----
+Q29uc3RlbGxhdGlvbg==
+-----END SOME KEY-----`)
+	invalidKey := []byte(`-----BEGIN PRIVATE KEY-----
+Q29uc3RlbGxhdGlvbg==
+-----END PRIVATE KEY-----`)
+	invalidCert := []byte(`-----BEGIN CERTIFICATE-----
+Q29uc3RlbGxhdGlvbg==
+-----END CERTIFICATE-----`)
+
+	testCases := map[string]struct {
+		caCert  []byte
+		caKey   []byte
+		wantErr bool
+	}{
+		"success ec key": {
+			caCert: ecCert,
+			caKey:  ecKey,
+		},
+		"success rsa key": {
+			caCert: rsaCert,
+			caKey:  rsaKey,
+		},
+		"success any key": {
+			caCert: testCert,
+			caKey:  testKey,
+		},
+		"unsupported key": {
+			caCert:  ecCert,
+			caKey:   unsupportedKey,
+			wantErr: true,
+		},
+		"invalid key": {
+			caCert:  ecCert,
+			caKey:   invalidKey,
+			wantErr: true,
+		},
+		"invalid certificate": {
+			caCert:  invalidCert,
+			caKey:   ecKey,
+			wantErr: true,
+		},
+		"no ca certificate": {
+			caKey:   ecKey,
+			wantErr: true,
+		},
+		"no ca key": {
+			caCert:  ecCert,
+			wantErr: true,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+			require := require.New(t)
+
+			file := file.NewHandler(afero.NewMemMapFs())
+
+			if len(tc.caCert) > 0 {
+				require.NoError(file.Write(caCertFilename, tc.caCert, 0o644))
+			}
+			if len(tc.caKey) > 0 {
+				require.NoError(file.Write(caKeyFilename, tc.caKey, 0o644))
+			}
+
+			ca := New(file)
+
+			nodeName := "test"
+			kubeCert, kubeKey, err := ca.GetCertificate(nodeName)
+			if tc.wantErr {
+				assert.Error(err)
+				return
+			}
+
+			assert.NoError(err)
+			certPEM, _ := pem.Decode(kubeCert)
+			require.NotNil(certPEM)
+			cert, err := x509.ParseCertificate(certPEM.Bytes)
+			require.NoError(err)
+			assert.Equal("system:node:"+nodeName, cert.Subject.CommonName)
+			assert.Equal("system:nodes", cert.Subject.Organization[0])
+			assert.Equal(x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment, cert.KeyUsage)
+			assert.Equal(x509.ExtKeyUsageClientAuth, cert.ExtKeyUsage[0])
+			assert.False(cert.IsCA)
+			assert.True(cert.BasicConstraintsValid)
+
+			keyPEM, _ := pem.Decode(kubeKey)
+			require.NotNil(keyPEM)
+			key, err := x509.ParseECPrivateKey(keyPEM.Bytes)
+			require.NoError(err)
+			require.IsType(&ecdsa.PublicKey{}, cert.PublicKey)
+			assert.Equal(&key.PublicKey, cert.PublicKey.(*ecdsa.PublicKey))
+		})
+	}
+}
+
+func mustCreateCert(getKey func() (crypto.PrivateKey, []byte)) ([]byte, []byte) {
+	caPriv, keyPEM := getKey()
+	caTemplate := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			CommonName: "kubernetes",
+		},
+		NotBefore: time.Now().Add(-2 * time.Hour),
+		IsCA:      true,
+		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+	}
+	caCert, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, publicKey(caPriv), caPriv)
+	if err != nil {
+		panic(err)
+	}
+	caCertPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: caCert,
+	})
+
+	return caCertPEM, keyPEM
+}
+
+func mustCreateECKey() (crypto.PrivateKey, []byte) {
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		panic(err)
+	}
+	keyBytes, err := x509.MarshalECPrivateKey(key)
+	if err != nil {
+		panic(err)
+	}
+	return key, pem.EncodeToMemory(&pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: keyBytes,
+	})
+}
+
+func mustCreatePKCS8Key() (crypto.PrivateKey, []byte) {
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		panic(err)
+	}
+	keyBytes, err := x509.MarshalPKCS8PrivateKey(key)
+	if err != nil {
+		panic(err)
+	}
+	return key, pem.EncodeToMemory(&pem.Block{
+		Type:  "PRIVATE KEY",
+		Bytes: keyBytes,
+	})
+}
+
+func mustCreateRSAKey() (crypto.PrivateKey, []byte) {
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		panic(err)
+	}
+	keyBytes := x509.MarshalPKCS1PrivateKey(key)
+	return key, pem.EncodeToMemory(&pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: keyBytes,
+	})
+}
+
+func publicKey(priv crypto.PrivateKey) any {
+	switch k := priv.(type) {
+	case *rsa.PrivateKey:
+		return &k.PublicKey
+	case *ecdsa.PrivateKey:
+		return &k.PublicKey
+	default:
+		return nil
+	}
+}
--- a/activation/server/server.go
+++ b/activation/server/server.go
@ -24,15 +24,17 @@ type Server struct {
 	file            file.Handler
 	joinTokenGetter joinTokenGetter
 	dataKeyGetter   dataKeyGetter
+	ca              certificateAuthority
 	proto.UnimplementedAPIServer
 }

 // New initializes a new Server.
-func New(fileHandler file.Handler, joinTokenGetter joinTokenGetter, dataKeyGetter dataKeyGetter) *Server {
+func New(fileHandler file.Handler, ca certificateAuthority, joinTokenGetter joinTokenGetter, dataKeyGetter dataKeyGetter) *Server {
 	return &Server{
 		file:            fileHandler,
 		joinTokenGetter: joinTokenGetter,
 		dataKeyGetter:   dataKeyGetter,
+		ca:              ca,
 	}
 }

@ -59,27 +61,33 @@ func (s *Server) Run(tlsConfig *tls.Config, port string) error {
 // - Kubernetes join token.
 // - cluster and owner ID to taint the node as initialized.
 func (s *Server) ActivateNode(ctx context.Context, req *proto.ActivateNodeRequest) (*proto.ActivateNodeResponse, error) {
-	klog.V(4).Infof("ActivateNode: loading IDs")
+	klog.V(4).Info("ActivateNode: loading IDs")
 	var id id
 	if err := s.file.ReadJSON(constants.ActivationIDFilename, &id); err != nil {
 		klog.Errorf("unable to load IDs: %s", err)
 		return nil, status.Errorf(codes.Internal, "unable to load IDs: %s", err)
 	}

-	klog.V(4).Infof("ActivateNode: requesting disk encryption key")
+	klog.V(4).Info("ActivateNode: requesting disk encryption key")
 	stateDiskKey, err := s.dataKeyGetter.GetDataKey(ctx, req.DiskUuid, constants.StateDiskKeyLength)
 	if err != nil {
 		klog.Errorf("unable to get key for stateful disk: %s", err)
 		return nil, status.Errorf(codes.Internal, "unable to get key for stateful disk: %s", err)
 	}

-	klog.V(4).Infof("ActivateNode: creating Kubernetes join token")
+	klog.V(4).Info("ActivateNode: creating Kubernetes join token")
 	kubeArgs, err := s.joinTokenGetter.GetJoinToken(constants.KubernetesJoinTokenTTL)
 	if err != nil {
 		klog.Errorf("unable to generate Kubernetes join arguments: %s", err)
 		return nil, status.Errorf(codes.Internal, "unable to generate Kubernetes join arguments: %s", err)
 	}

+	klog.V(4).Info("ActivateNode: creating signed kubelet certificate")
+	kubeletCert, kubeletKey, err := s.ca.GetCertificate(req.NodeName)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "unable to generate kubelet certificate: %s", err)
+	}
+
 	klog.V(4).Info("ActivateNode successful")

 	return &proto.ActivateNodeResponse{
@ -89,6 +97,8 @@ func (s *Server) ActivateNode(ctx context.Context, req *proto.ActivateNodeReques
 		ApiServerEndpoint:        kubeArgs.APIServerEndpoint,
 		Token:                    kubeArgs.Token,
 		DiscoveryTokenCaCertHash: kubeArgs.CACertHashes[0],
+		KubeletCert:              kubeletCert,
+		KubeletKey:               kubeletKey,
 	}, nil
 }

@ -109,6 +119,11 @@ type dataKeyGetter interface {
 	GetDataKey(ctx context.Context, uuid string, length int) ([]byte, error)
 }

+type certificateAuthority interface {
+	// GetCertificate returns a certificate and private key, signed by the issuer.
+	GetCertificate(nodeName string) (kubeletCert []byte, kubeletKey []byte, err error)
+}
+
 type id struct {
 	Cluster []byte `json:"cluster"`
 	Owner   []byte `json:"owner"`
--- a/activation/server/server_test.go
+++ b/activation/server/server_test.go
@ -19,6 +19,7 @@ import (
 func TestActivateNode(t *testing.T) {
 	someErr := errors.New("error")
 	testKey := []byte{0x1, 0x2, 0x3}
+	testCert := []byte{0x4, 0x5, 0x6}
 	testID := id{
 		Owner:   []byte{0x4, 0x5, 0x6},
 		Cluster: []byte{0x7, 0x8, 0x9},
@ -32,34 +33,88 @@ func TestActivateNode(t *testing.T) {
 	testCases := map[string]struct {
 		kubeadm stubTokenGetter
 		kms     stubKeyGetter
+		ca      stubCA
 		id      []byte
 		wantErr bool
 	}{
 		"success": {
-			kubeadm: stubTokenGetter{token: testJoinToken},
-			kms:     stubKeyGetter{dataKey: testKey},
-			id:      mustMarshalID(testID),
+			kubeadm: stubTokenGetter{
+				token: testJoinToken,
+			},
+			kms: stubKeyGetter{
+				dataKey: testKey,
+			},
+			ca: stubCA{
+				cert: testCert,
+				key:  testKey,
+			},
+			id: mustMarshalID(testID),
 		},
 		"GetDataKey fails": {
-			kubeadm: stubTokenGetter{token: testJoinToken},
-			kms:     stubKeyGetter{getDataKeyErr: someErr},
+			kubeadm: stubTokenGetter{
+				token: testJoinToken,
+			},
+			kms: stubKeyGetter{
+				getDataKeyErr: someErr,
+			},
+			ca: stubCA{
+				cert: testCert,
+				key:  testKey,
+			},
 			id:      mustMarshalID(testID),
 			wantErr: true,
 		},
 		"loading IDs fails": {
-			kubeadm: stubTokenGetter{token: testJoinToken},
-			kms:     stubKeyGetter{dataKey: testKey},
+			kubeadm: stubTokenGetter{
+				token: testJoinToken,
+			},
+			kms: stubKeyGetter{
+				dataKey: testKey,
+			},
+			ca: stubCA{
+				cert: testCert,
+				key:  testKey,
+			},
 			id:      []byte{0x1, 0x2, 0x3},
 			wantErr: true,
 		},
 		"no ID file": {
-			kubeadm: stubTokenGetter{token: testJoinToken},
-			kms:     stubKeyGetter{dataKey: testKey},
+			kubeadm: stubTokenGetter{
+				token: testJoinToken,
+			},
+			kms: stubKeyGetter{
+				dataKey: testKey,
+			},
+			ca: stubCA{
+				cert: testCert,
+				key:  testKey,
+			},
 			wantErr: true,
 		},
 		"GetJoinToken fails": {
-			kubeadm: stubTokenGetter{getJoinTokenErr: someErr},
-			kms:     stubKeyGetter{dataKey: testKey},
+			kubeadm: stubTokenGetter{
+				getJoinTokenErr: someErr,
+			},
+			kms: stubKeyGetter{
+				dataKey: testKey,
+			},
+			ca: stubCA{
+				cert: testCert,
+				key:  testKey,
+			},
+			id:      mustMarshalID(testID),
+			wantErr: true,
+		},
+		"GetCertificate fails": {
+			kubeadm: stubTokenGetter{
+				token: testJoinToken,
+			},
+			kms: stubKeyGetter{
+				dataKey: testKey,
+			},
+			ca: stubCA{
+				getCertErr: someErr,
+			},
 			id:      mustMarshalID(testID),
 			wantErr: true,
 		},
@ -74,7 +129,7 @@ func TestActivateNode(t *testing.T) {
 			if len(tc.id) > 0 {
 				require.NoError(file.Write(constants.ActivationIDFilename, tc.id, 0o644))
 			}
-			api := New(file, tc.kubeadm, tc.kms)
+			api := New(file, tc.ca, tc.kubeadm, tc.kms)

 			resp, err := api.ActivateNode(context.Background(), &proto.ActivateNodeRequest{DiskUuid: "uuid"})
 			if tc.wantErr {
@ -92,6 +147,8 @@ func TestActivateNode(t *testing.T) {
 			assert.Equal(tc.kubeadm.token.APIServerEndpoint, resp.ApiServerEndpoint)
 			assert.Equal(tc.kubeadm.token.CACertHashes[0], resp.DiscoveryTokenCaCertHash)
 			assert.Equal(tc.kubeadm.token.Token, resp.Token)
+			assert.Equal(tc.ca.cert, resp.KubeletCert)
+			assert.Equal(tc.ca.key, resp.KubeletKey)
 		})
 	}
 }
@ -121,3 +178,13 @@ type stubKeyGetter struct {
 func (f stubKeyGetter) GetDataKey(context.Context, string, int) ([]byte, error) {
 	return f.dataKey, f.getDataKeyErr
 }
+
+type stubCA struct {
+	cert       []byte
+	key        []byte
+	getCertErr error
+}
+
+func (f stubCA) GetCertificate(string) ([]byte, []byte, error) {
+	return f.cert, f.key, f.getCertErr
+}