Using a custom certificate authority
Background Info
When deploying a kops
based Kubernetes cluster, kops
will generate a certificate authority keypair for signing various certificates with. In some cases, you may want to provide your own CA keypair.
Another use case would be to use the CA keypair of another cluster if you are creating many short lived clusters and don’t want to create a unique CA for each one.
Building a cluster with a custom CA
The following procedure will allow you to override the CA when creating a cluster. For the sake of this example, you have two files ca.crt
and ca.key
.
cluster-name.com
should be the cluster name you put in thecluster.yaml
kops create -f cluster.yaml
kops create secret ca --primary --cert ca.crt --key ca.key --name cluster-name.com
kops update cluster --yes
- First we create the cluster folder structure in the statestore.
- Second, we create a
Secret
of typeKeypair
with the nameca
and provide our own values. - Lastly, we run
kops update cluster --yes
, which will generate all the certificates needed, referencing theSecret
calledca
we just defined (versus generating its own).
Using a previous kops
cluster CA
In some cases you will want to create a cluster and use the CA generated in a previous kops
cluster. To do so, you will need to copy the CA files from the state store, and then use them as values in the above procedure.
The files are located as follows:
s3://state-store/<cluster-name>/pki/issued/ca/<id>.crt
s3://state-store/<cluster-name>/pki/private/ca/<id>.key