mirrors
/
kubernetes-the-hard-way
mirror of https://github.com/kelseyhightower/kubernetes-the-hard-way
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

update docs

pull/1/head
Kelsey Hightower 2016-07-07 07:57:18 -07:00
parent 15e824c1af
commit 2eb67b234d
1 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
docs/certificate-authority.md
View File

@ -8,7 +8,9 @@ This lab will setup a Certificate Authority and generated a single set of TLS ce
* Kubernetes API Server * Kubernetes API Server
* Kubernetes Kubelet * Kubernetes Kubelet
In production you should strongly consider generating individual TLS certificates for each component. > In production you should strongly consider generating individual TLS certificates for each component.
The TLS certificates in this lab will be copied to each machine running a Kubernetes components.
## Install CFSSL ## Install CFSSL
@ -71,14 +73,15 @@ ca.csr
ca.pem ca.pem
``` ```
### Verification
``` ```
openssl x509 -in ca.pem -text -noout openssl x509 -in ca.pem -text -noout
``` ```
## Generate Server and Client Certs ## Generate the single Kubernetes TLS Cert
### Generate the kube-apiserver server cert
In this section we will generate a TLS certificate that will be valid for all Kubernetes components. This is being done for ease of use. In production you should strongly consider generating individual TLS certificates for each component.
``` ```
echo '{ echo '{
@ -121,6 +124,16 @@ cfssl gencert \
kubernetes-csr.json | cfssljson -bare kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
``` ```
Results:
```
kubernetes-key.pem
kubernetes.csr
kubernetes.pem
```
### Verification
``` ```
openssl x509 -in kubernetes.pem -text -noout openssl x509 -in kubernetes.pem -text -noout
``` ```