diff --git a/docs/custom_ca.md b/docs/custom_ca.md new file mode 100644 index 0000000000000..98341fb1a2810 --- /dev/null +++ b/docs/custom_ca.md @@ -0,0 +1,37 @@ +# Using a custom certificate authority + +## Background Info + +When deploying a `kops` based Kubernetes cluster, `kops` will generate a certificate authority keypair for signing +various certificates with. In some cases, you may want to provide your own CA keypair. + +Another use case would be to use the CA keypair of another cluster if you are creating many +short lived clusters and don't want to create a unique CA for each one. + +### Building a cluster with a custom CA + +The following procedure will allow you to override the CA when creating a cluster. For the sake of this example, you have two files +`ca.crt` and `ca.key`. + +>`cluster-name.com` should be the cluster name you put in the `cluster.yaml` + +```bash +kops create -f cluster.yaml +kops create secret keypair ca --cert ca.crt --key ca.key --name cluster-name.com +kops update cluster --yes +``` + +1. First we create the cluster folder structure in the statestore. +2. Second, we create a `Secret` of type `Keypair` with the name `ca` and provide our own values. +3. Lastly, we run `kops update cluster --yes`, which will generate all the certificates needed, referencing the `Secret` called `ca` we just defined (versus generating its own). + +### Using a previous `kops` cluster CA + +In some cases you will want to create a cluster and use the CA generated in a previous `kops` cluster. +To do so, you will need to copy the CA files from the state store, and then use them as values in the above procedure. + +The files are located as follows: + +`s3://state-store//pki/issued/ca/.crt` + +`s3://state-store//pki/private/ca/.key`