From 686b7aef38909c7e2e36e72929c9ca5928b2ab3d Mon Sep 17 00:00:00 2001 From: Jamie Hannaford Date: Sun, 25 Jun 2017 20:44:44 +0200 Subject: [PATCH] Document how to use custom certs with kubeadm (#4113) --- docs/admin/kubeadm.md | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/docs/admin/kubeadm.md b/docs/admin/kubeadm.md index 7a295ab91d..2c1f33718c 100644 --- a/docs/admin/kubeadm.md +++ b/docs/admin/kubeadm.md @@ -23,7 +23,9 @@ following steps: 1. kubeadm generates a self-signed CA to provision identities for each component (including nodes) in the cluster. It also generates client certificates to - be used by various components. + be used by various components. If the user has provided their own CA by + dropping it in the cert directory (configured via `--cert-dir`, by default + `/etc/kubernetes/pki`), this step is skipped. 1. Outputting a kubeconfig file for the kubelet to use to connect to the API server, as well as an additional kubeconfig file for administration. 
@@ -459,6 +461,23 @@ EOF Now `kubelet` is ready to use the specified CRI runtime, and you can continue with `kubeadm init` and `kubeadm join` workflow to deploy Kubernetes cluster. +## Using custom certificates + +By default kubeadm will generate all the certificates needed for a cluster to run. +You can override this behaviour by providing your own certificates. + +To do so, you must place them in whatever directory is specified by the +`--cert-dir` flag or `CertificatesDir` configuration file key. By default this +is `/etc/kubernetes/pki`. + +If a given certificate and private key pair both exist, kubeadm will skip the +generation step and those files will be validated and used for the prescribed +use-case. + +This means you can, for example, prepopulate `/etc/kubernetes/pki/ca.crt` +and `/etc/kubernetes/pki/ca.key` with an existing CA, which then will be used +for signing the rest of the certs. + ## Releases and release notes If you already have kubeadm installed and want to upgrade, run `apt-get update
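Review bot: in the first hunk (docs/admin/kubeadm.md, step 1 of the workflow), "this step is skipped" overstates what happens when a user supplies a CA, and it contradicts the new section later in the same patch, which says kubeadm skips generation only for a certificate/key pair that already exists and uses a prepopulated `ca.crt`/`ca.key` "for signing the rest of the certs". With only the CA provided, the client certificates are still generated, just signed by the supplied CA rather than a self-signed one. Suggest narrowing the sentence to something like "If the user has provided their own CA by dropping it in the cert directory (configured via `--cert-dir`, by default `/etc/kubernetes/pki`), kubeadm skips generating the CA and signs the remaining certificates with it."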
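Review bot: the new "Using custom certificates" section in the second hunk documents only the case where "a given certificate and private key pair both exist" and leaves the common failure modes unspecified: what kubeadm does when only one half of a pair is present (e.g. `ca.crt` without `ca.key`), and what "those files will be validated" actually checks (that the key matches the certificate, that the file is a CA certificate, expiry). Those are exactly the situations a user preloading `/etc/kubernetes/pki` will hit, so the section should state the observed behaviour for each (error out, regenerate, or silently ignore) rather than leave it implied. It would also help to note that a CA private key placed in `--cert-dir` should be readable only by root, since that key now signs every identity in the cluster; and as a minor style point, the Kubernetes docs use US spelling, so "behaviour" should be "behavior".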