本文介绍了kubernetes:通过kops部署时的CA文件的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我已经使用kops在aws上创建了一个群集.
I have created a cluster on aws using kops.
但是我找不到证书颁发机构用作/派生客户端证书的文件.
However I am unable to find the file used as/by the certificate authority for spawning off client certs.
kops是否默认创建这样的东西?
Does kops create such a thing by default?
如果是,建议的创建客户端证书的过程是什么?
If so, what is the recommended process for creating client certs?
kops文档不太清楚.
推荐答案
我已经做到了过去:
- 从S3下载
kops生成的CA证书和签名密钥:-
s3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/private/ca/*.key -
s3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/issued/ca/*.crt
-
- Download the
kops-generated CA certificate and signing key from S3:s3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/private/ca/*.keys3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/issued/ca/*.crt
生成CSR:
openssl req -new \
-key client-key.pem \
-out client-csr.pem \
-subj "/CN=<CLIENT_CN>/O=dev"`
生成客户端证书:
Generate a client certificate:
openssl x509 -req \
-in client-csr.pem \
-CA <PATH_TO_DOWNLOADED_CA_CERT> \
-CAkey <PATH_TO_DOWNLOADED_CA_KEY> \
-CAcreateserial \
-out client-crt.pem \
-days 10000
config.yml中填充这些值,例如此 config.yml分发给您的开发人员.config.yml, e.g. thisconfig.yml to your developers. 5和6显然可以通过任何方式分发,而不必为开发人员制作config.yml.
5 and 6 can obviously be distributed by whatever means you want, don't need to make the config.yml for your developers.
这篇关于kubernetes:通过kops部署时的CA文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!