Using a custom certificate authority

Background Info

When deploying a kops based Kubernetes cluster, kops will generate a certificate authority keypair for signingvarious certificates with. In some cases, you may want to provide your own CA keypair.

Another use case would be to use the CA keypair of another cluster if you are creating manyshort lived clusters and don't want to create a unique CA for each one.

Building a cluster with a custom CA

The following procedure will allow you to override the CA when creating a cluster. For the sake of this example, you have two filesca.crt and ca.key.

cluster-name.com should be the cluster name you put in the cluster.yaml

  1. kops create -f cluster.yaml
  2. kops create secret keypair ca --cert ca.crt --key ca.key --name cluster-name.com
  3. kops update cluster --yes
  • First we create the cluster folder structure in the statestore.
  • Second, we create a Secret of type Keypair with the name ca and provide our own values.
  • Lastly, we run kops update cluster —yes, which will generate all the certificates needed, referencing the Secret called ca we just defined (versus generating its own).

Using a previous kops cluster CA

In some cases you will want to create a cluster and use the CA generated in a previous kops cluster.To do so, you will need to copy the CA files from the state store, and then use them as values in the above procedure.

The files are located as follows:

s3://state-store/<cluster-name>/pki/issued/ca/<id>.crt

s3://state-store/<cluster-name>/pki/private/ca/<id>.key