问题
I have created a cluster on aws using kops.
However I am unable to find the file used as/by the certificate authority for spawning off client certs.
Does kops create such a thing by default?
If so, what is the recommended process for creating client certs?
The kops documentation is not very clear about this.
回答1:
I've done it like this in the past:
- Download the
kops-generated CA certificate and signing key from S3:s3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/private/ca/*.keys3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/issued/ca/*.crt
- Generate a client key:
openssl genrsa -out client-key.pem 2048 Generate a CSR:
openssl req -new \ -key client-key.pem \ -out client-csr.pem \ -subj "/CN=<CLIENT_CN>/O=dev"`Generate a client certificate:
openssl x509 -req \ -in client-csr.pem \ -CA <PATH_TO_DOWNLOADED_CA_CERT> \ -CAkey <PATH_TO_DOWNLOADED_CA_KEY> \ -CAcreateserial \ -out client-crt.pem \ -days 10000- Base64-encode the client key, client certificate, and CA certificate, and populate those values in a
config.yml, e.g. this - Distribute the populated
config.ymlto your developers.
5 and 6 can obviously be distributed by whatever means you want, don't need to make the config.yml for your developers.
来源:https://stackoverflow.com/questions/48172310/kubernetes-ca-file-when-deploying-via-kops