Using a custom certificate authority

Background Info

When deploying a kops based Kubernetes cluster, kops will generate a certificate authority keypair for signing various certificates with. In some cases, you may want to provide your own CA keypair.

Another use case would be to use the CA keypair of another cluster if you are creating many short lived clusters and don’t want to create a unique CA for each one.

Building a cluster with a custom CA

The following procedure will allow you to override the CA when creating a cluster. For the sake of this example, you have two files ca.crt and ca.key.

cluster-name.com should be the cluster name you put in the cluster.yaml

  1. kops create -f cluster.yaml
  2. kops create secret ca --primary --cert ca.crt --key ca.key --name cluster-name.com
  3. kops update cluster --yes
  1. First we create the cluster folder structure in the statestore.
  2. Second, we create a Secret of type Keypair with the name ca and provide our own values.
  3. Lastly, we run kops update cluster --yes, which will generate all the certificates needed, referencing the Secret called ca we just defined (versus generating its own).

Using a previous kops cluster CA

In some cases you will want to create a cluster and use the CA generated in a previous kops cluster. To do so, you will need to copy the CA files from the state store, and then use them as values in the above procedure.

The files are located as follows:

s3://state-store/<cluster-name>/pki/issued/ca/<id>.crt

s3://state-store/<cluster-name>/pki/private/ca/<id>.key