mirror of https://github.com/kubernetes/kops.git
38 lines
1.6 KiB
Markdown
38 lines
1.6 KiB
Markdown
# Using a custom certificate authority
|
|
|
|
## Background Info
|
|
|
|
When deploying a `kops` based Kubernetes cluster, `kops` will generate a certificate authority keypair for signing
|
|
various certificates with. In some cases, you may want to provide your own CA keypair.
|
|
|
|
Another use case would be to use the CA keypair of another cluster if you are creating many
|
|
short lived clusters and don't want to create a unique CA for each one.
|
|
|
|
### Building a cluster with a custom CA
|
|
|
|
The following procedure will allow you to override the CA when creating a cluster. For the sake of this example, you have two files
|
|
`ca.crt` and `ca.key`.
|
|
|
|
>`cluster-name.com` should be the cluster name you put in the `cluster.yaml`
|
|
|
|
```bash
|
|
kops create -f cluster.yaml
|
|
kops create secret keypair ca --cert ca.crt --key ca.key --name cluster-name.com
|
|
kops update cluster --yes
|
|
```
|
|
|
|
1. First we create the cluster folder structure in the statestore.
|
|
2. Second, we create a `Secret` of type `Keypair` with the name `ca` and provide our own values.
|
|
3. Lastly, we run `kops update cluster --yes`, which will generate all the certificates needed, referencing the `Secret` called `ca` we just defined (versus generating its own).
|
|
|
|
### Using a previous `kops` cluster CA
|
|
|
|
In some cases you will want to create a cluster and use the CA generated in a previous `kops` cluster.
|
|
To do so, you will need to copy the CA files from the state store, and then use them as values in the above procedure.
|
|
|
|
The files are located as follows:
|
|
|
|
`s3://state-store/<cluster-name>/pki/issued/ca/<id>.crt`
|
|
|
|
`s3://state-store/<cluster-name>/pki/private/ca/<id>.key`
|