Merge pull request #12702 from liguangbo/doc-cert

Add the describe about generate CA in authentication
2025-07-28 05:57:25 +00:00 · 2015-08-20 11:07:37 -07:00 · 2015-08-20 11:07:37 -07:00 · 1aeeeaecd1
commit 1aeeeaecd1
parent 95a60d6085 97693558e0
1 changed files with 52 additions and 0 deletions
--- a/docs/admin/authentication.md
+++ b/docs/admin/authentication.md
@ -81,6 +81,58 @@ provider external to Kubernetes.  We plan to make it easy to develop modules
 that interface between Kubernetes and a bedrock authentication provider (e.g.
 github.com, google.com, enterprise directory, kerberos, etc.)

+## APPENDIX
+
+### Creating Certificates
+
+When using client certificate authentication, you can generate certificates manually or
+using an existing deployment script.
+
+**Deployment script** is implemented at
+`cluster/saltbase/salt/generate-cert/make-ca-cert.sh`.
+Execute this script with two parameters. First is the IP address of apiserver, the second is
+a list of subject alternate names in the form `IP:<ip-address> or DNS:<dns-name>`.
+The script will generate three files:ca.crt, server.crt and server.key.
+Finally, add these parameters
+`--client-ca-file=/srv/kubernetes/ca.crt`
+`--tls-cert-file=/srv/kubernetes/server.cert`
+`--tls-private-key-file=/srv/kubernetes/server.key`
+into apiserver start parameters.
+
+**easyrsa** can be used to manually generate certificates for your cluster.
+1.  Download, unpack, and initialize the patched version of easyrsa3.
+    `curl -L -O https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz`
+    `tar xzf easy-rsa.tar.gz`
+    `cd easy-rsa-master/easyrsa3`
+    `./easyrsa init-pki`
+1.  Generate a CA. (--batch set automatic mode. --req-cn default CN to use.)
+    `./easyrsa --batch "--req-cn=${MASTER_IP}@date +%s" build-ca nopass`
+1.  Generate server certificate and key.
+    (build-server-full [filename]: Generate a keypair and sign locally for a client or server)
+    `./easyrsa --subject-alt-name="${MASTER_IP}" build-server-full kubernetes-master nopass`
+1.  Copy /pki/ca.crt  /pki/issued/kubernetes-master.crt
+    /pki/private/kubernetes-master.key to your directory.
+1.  Remember fill the parameters
+    `--client-ca-file=/yourdirectory/ca.crt`
+    `--tls-cert-file=/yourdirectory/server.cert`
+    `--tls-private-key-file=/yourdirectory/server.key`
+    and add these into apiserver start parameters.
+
+**openssl** can also be use to manually generate certificates for your cluster.
+1.  Generate a ca.key with 2048bit
+    `openssl genrsa -out ca.key 2048`
+1.  According to the ca.key generate a ca.crt.  (-days set the certificate effective time).
+    `openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt`
+1.  Generate a server.key with 2048bit
+    `openssl genrsa -out server.key 2048`
+1.  According to the server.key generate a server.csr.
+    `openssl req -new -key server.key -subj "/CN=${MASTER_IP}" -out server.csr`
+1.  According to the ca.key, ca.crt and server.csr generate the server.crt.
+    `openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
+    -days 10000`
+1.  View the certificate.
+    `openssl x509  -noout -text -in ./server.crt`
+    Finally, do not forget fill the same parameters and add parameters into apiserver start parameters.

 <!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
 [![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/authentication.md?pixel)]()