github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-31 15:25:57 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #13290 from Huawei-PaaS/amend_two_markdown_errors_in_authentication_md

Browse Source 
Amend some markdown and other errors in **easyrsa** section
This commit is contained in:
Brendan Burns 2015-09-01 10:07:21 -07:00
commit 8696c6c1d7
1 changed files with 14 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
docs/admin/authentication.md
View File

@ -118,18 +118,22 @@ Finally, add these parameters
into apiserver start parameters.
**easyrsa** can be used to manually generate certificates for your cluster.
1. Download, unpack, and initialize the patched version of easyrsa3.
`curl -L -O https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz`
`tar xzf easy-rsa.tar.gz`
`cd easy-rsa-master/easyrsa3`
`./easyrsa init-pki`
1. Generate a CA. (--batch set automatic mode. --req-cn default CN to use.)
`./easyrsa --batch "--req-cn=${MASTER_IP}@date +%s" build-ca nopass`
curl -L -O https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz
tar xzf easy-rsa.tar.gz
cd easy-rsa-master/easyrsa3
./easyrsa init-pki
1. Generate a CA. (`--batch` set automatic mode. `--req-cn` default CN to use.)
./easyrsa --batch "--req-cn=${MASTER_IP}@`date +%s`" build-ca nopass
1. Generate server certificate and key.
(build-server-full [filename]: Generate a keypair and sign locally for a client or server)
`./easyrsa --subject-alt-name="${MASTER_IP}" build-server-full kubernetes-master nopass`
1. Copy /pki/ca.crt /pki/issued/kubernetes-master.crt
/pki/private/kubernetes-master.key to your directory.
./easyrsa --subject-alt-name="IP:${MASTER_IP}" build-server-full kubernetes-master nopass
1. Copy `pki/ca.crt` `pki/issued/kubernetes-master.crt`
`pki/private/kubernetes-master.key` to your directory.
1. Remember fill the parameters
`--client-ca-file=/yourdirectory/ca.crt`
`--tls-cert-file=/yourdirectory/server.cert`
@ -137,6 +141,7 @@ into apiserver start parameters.
and add these into apiserver start parameters.
**openssl** can also be use to manually generate certificates for your cluster.
1. Generate a ca.key with 2048bit
`openssl genrsa -out ca.key 2048`
1. According to the ca.key generate a ca.crt. (-days set the certificate effective time).