From c17977b6dd10473bb60dd4dda7956c318e6f1c75 Mon Sep 17 00:00:00 2001 From: qiaolei Date: Fri, 28 Aug 2015 09:16:05 +0800 Subject: [PATCH 1/2] Amend two markdown errors in authentication.md Amend two markdown errors in authentication.md. 1, amend order list display error by enter a newline after the first sentence 2, add two backticks to make ``"@`date +%s`"`` display correctly --- docs/admin/authentication.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/admin/authentication.md b/docs/admin/authentication.md index a09db1d9303..f9c30af3a0b 100644 --- a/docs/admin/authentication.md +++ b/docs/admin/authentication.md @@ -118,13 +118,14 @@ Finally, add these parameters into apiserver start parameters. **easyrsa** can be used to manually generate certificates for your cluster. + 1. Download, unpack, and initialize the patched version of easyrsa3. `curl -L -O https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz` `tar xzf easy-rsa.tar.gz` `cd easy-rsa-master/easyrsa3` `./easyrsa init-pki` 1. Generate a CA. (--batch set automatic mode. --req-cn default CN to use.) - `./easyrsa --batch "--req-cn=${MASTER_IP}@date +%s" build-ca nopass` + ``./easyrsa --batch "--req-cn=${MASTER_IP}@`date +%s`" build-ca nopass`` 1. Generate server certificate and key. (build-server-full [filename]: Generate a keypair and sign locally for a client or server) `./easyrsa --subject-alt-name="${MASTER_IP}" build-server-full kubernetes-master nopass` @@ -137,6 +138,7 @@ into apiserver start parameters. and add these into apiserver start parameters. **openssl** can also be use to manually generate certificates for your cluster. + 1. Generate a ca.key with 2048bit `openssl genrsa -out ca.key 2048` 1. According to the ca.key generate a ca.crt. (-days set the certificate effective time). From 29625a9ffe1ace8d6135cd97b19a96174ea09b6c Mon Sep 17 00:00:00 2001 
From: qiaolei
Date: Sat, 29 Aug 2015 11:27:26 +0800
Subject: [PATCH 2/2] Fix Jenkins GCE e2e failure and other errors in APPENDIX easyrsa section

Modifications are as following(`APPENDIX` -> `**easyrsa**`):
1, fix Jenkins GCE e2e failure, mainly for markdown errors;
2, change `"${MASTER_IP}"` to `"IP:${MASTER_IP}"` to keep align with `make-ca-cert.sh`
3, change `/pki/` to `pki/` for the generated certs/key
4, other tiny improvements

Please check, thanks.
---
 docs/admin/authentication.md | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/docs/admin/authentication.md b/docs/admin/authentication.md
index f9c30af3a0b..ebb11e8d245 100644
--- a/docs/admin/authentication.md
+++ b/docs/admin/authentication.md
@@ -120,17 +120,20 @@ into apiserver start parameters. **easyrsa** can be used to manually generate certificates for your cluster. 1. Download, unpack, and initialize the patched version of easyrsa3. - `curl -L -O https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz` - `tar xzf easy-rsa.tar.gz` - `cd easy-rsa-master/easyrsa3` - `./easyrsa init-pki` -1. Generate a CA. (--batch set automatic mode. --req-cn default CN to use.) - ``./easyrsa --batch "--req-cn=${MASTER_IP}@`date +%s`" build-ca nopass`` + + curl -L -O https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz + tar xzf easy-rsa.tar.gz + cd easy-rsa-master/easyrsa3 + ./easyrsa init-pki +1. Generate a CA. (`--batch` set automatic mode. `--req-cn` default CN to use.) + + ./easyrsa --batch "--req-cn=${MASTER_IP}@`date +%s`" build-ca nopass 1. Generate server certificate and key. (build-server-full [filename]: Generate a keypair and sign locally for a client or server) - `./easyrsa --subject-alt-name="${MASTER_IP}" build-server-full kubernetes-master nopass` -1. Copy /pki/ca.crt /pki/issued/kubernetes-master.crt - /pki/private/kubernetes-master.key to your directory. + + ./easyrsa --subject-alt-name="IP:${MASTER_IP}" build-server-full kubernetes-master nopass +1. Copy `pki/ca.crt` `pki/issued/kubernetes-master.crt` + `pki/private/kubernetes-master.key` to your directory. 1. Remember fill the parameters `--client-ca-file=/yourdirectory/ca.crt` `--tls-cert-file=/yourdirectory/server.cert`
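
Review bot: In the first hunk of PATCH 1/2 (`@@ -118,13 +118,14 @@`), the `build-ca` line needs double-backtick delimiters only because the command itself uses backtick command substitution. Writing the timestamp as `$(date +%s)` gives the same CN in the shell, lets the line keep ordinary single-backtick inline code like its neighbours, and removes the nested-backtick construct that caused the rendering error this patch fixes.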
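
Review bot: In the second hunk of PATCH 1/2 (`@@ -137,6 +138,7 @@`), the sentence directly above the added blank line still reads "can also be use to"; since the hunk is already touching that paragraph, correct it to "can also be used to" in the same change. The easyrsa intro in the first hunk already says "can be used", so this also makes the two section intros consistent.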
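
Review bot: In PATCH 2/2 (`@@ -120,17 +120,20 @@`), the copy step now names `pki/issued/kubernetes-master.crt` and `pki/private/kubernetes-master.key`, but the following step still tells the reader to pass `--tls-cert-file=/yourdirectory/server.cert`, a file name that none of the earlier steps produce. Either use the kubernetes-master file names in the apiserver flags or add an explicit rename to the copy step; as written, a reader following the list literally points the apiserver at a path that does not exist. Separately, `build-ca nopass` leaves the CA private key unencrypted on disk; the copy step rightly leaves that key out, and a short reminder to restrict access to the `pki` directory afterwards would fit in the same step.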