
Example configs for using external Certificates #638

Closed
rambo45 opened this issue Jan 3, 2018 · 9 comments
Labels: area/UX, kind/bug, kind/documentation, lifecycle/active, priority/important-soon

Comments


rambo45 commented Jan 3, 2018

When using kubeadm-generated CA certs, all kubectl commands fail due to an unknown signing CA. Documentation for using an external CA is not clear; please provide examples.

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 4, 2018
@timothysc (Member)

/assign @liztio

/cc @stealthybox

@timothysc timothysc added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Apr 6, 2018
@timothysc timothysc added this to the v1.11 milestone Apr 6, 2018
@timothysc timothysc added the kind/documentation Categorizes issue or PR as related to documentation. label Apr 6, 2018

liztio commented Apr 25, 2018

/active

@liztio liztio added the lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. label Apr 25, 2018

liztio commented Apr 26, 2018

There's a bunch of different parts to fixing this.

  1. Better documentation around what certs are required for kubeadm to work without a CA. Jason's got a good gist on this.
  2. Document pitfalls of doing this (cert rotation etc.).
  3. Better error messages when not all those certs are present. Currently we just fall back on "no ca key found" when we miss anything.
  4. Specify how to create a kubeconfig from your own CA and the server's credentials (possibly using kubectl).


liztio commented Apr 27, 2018

Spoke to @Bradamant3, we both agree a list of certs required and the hierarchy needed would be useful to more than just kubeadm. I'm going to make that list, which will also function as documentation for kubeadm, commit it upstream, and then link from our kubeadm docs.


liztio commented Apr 30, 2018

Initial PR for certificate documentation added to k8s/website.


liztio commented May 2, 2018

Working on part 3. Copied from #sig-cluster-lifecycle:

I'm working on the external CA logic. Right now the logic is:

  1. Check if all required external certs are present. If they are not, continue:
  2. For every CA pair, see if the pair already exists. If only the key or only the cert exists, error. If both exist, continue; if neither exists, create them and continue:
  3. Generate certificates using those CAs.

This means, for example, if you send an external CA, but not all the required client/server certificates, a relatively obtuse error message occurs:

    failure loading ca certificate: couldn't load the private key file /etc/kubernetes/pki/ca.key: open /etc/kubernetes/pki/ca.key: no such file or directory

I'm trying to figure out what is least surprising to do here, because the current thing is pretty surprising / unhelpful.
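The presence check described in the comment above, written out as an added example (my code, not kubeadm's): it classifies one CA pair the way step 2 does, and in the certificate-only case (an external CA) it also checks the certificates that CA should already have signed, so the failure names every missing file instead of the single "no such file or directory" message quoted above. Which leaf certificates belong to which CA is an assumption based on the layout of /etc/kubernetes/pki, not something this issue states; file names are relative to that directory, and SetExists builds a constructed stand-in for the directory so the logic can be exercised without a real cluster.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// PKIState is what a kubeadm-style init would conclude about one CA pair.
type PKIState int

const (
	StateGenerateCA PKIState = iota // neither cert nor key: the tool can mint its own CA
	StateHaveCAKey                  // cert and key: the tool can sign anything that is missing
	StateExternalCA                 // cert only, and every cert it must have signed is present
	StateError                      // inconsistent layout; the returned error says what is wrong
)

func (s PKIState) String() string {
	return [...]string{"generate-ca", "have-ca-key", "external-ca", "error"}[s]
}

// requiredSigned maps each CA certificate to the leaf certificates that CA signs.
// Assumption: this mirrors the kubeadm layout under /etc/kubernetes/pki; the
// issue itself does not list them. Each leaf needs its .key file as well.
var requiredSigned = map[string][]string{
	"ca.crt":             {"apiserver.crt", "apiserver-kubelet-client.crt"},
	"front-proxy-ca.crt": {"front-proxy-client.crt"},
}

// keyFor returns the private-key file name paired with a certificate file name.
func keyFor(cert string) string { return strings.TrimSuffix(cert, ".crt") + ".key" }

// CheckCA classifies one CA pair. exists reports whether a file (named relative
// to the pki directory) is present, so the logic can be tested without a disk.
func CheckCA(caCert string, exists func(string) bool) (PKIState, error) {
	caKey := keyFor(caCert)
	haveCert, haveKey := exists(caCert), exists(caKey)
	switch {
	case haveCert && haveKey:
		return StateHaveCAKey, nil
	case !haveCert && !haveKey:
		return StateGenerateCA, nil
	case haveKey:
		return StateError, fmt.Errorf("%s is present but %s is missing: a CA key without its certificate is unusable; add the certificate or remove the key", caKey, caCert)
	}
	// Certificate only: external CA mode. Nothing can be signed locally, so every
	// leaf this CA is responsible for must already be on disk. Collect all the
	// gaps and report them together.
	var missing []string
	for _, leaf := range requiredSigned[caCert] {
		for _, f := range []string{leaf, keyFor(leaf)} {
			if !exists(f) {
				missing = append(missing, f)
			}
		}
	}
	if len(missing) > 0 {
		sort.Strings(missing)
		return StateError, fmt.Errorf("%s is present without %s (external CA mode), but the files it should have signed are missing: %s", caCert, caKey, strings.Join(missing, ", "))
	}
	return StateExternalCA, nil
}

// DirExists adapts a real directory to the exists callback used by CheckCA.
func DirExists(dir string) func(string) bool {
	return func(name string) bool {
		info, err := os.Stat(filepath.Join(dir, name))
		return err == nil && info.Mode().IsRegular()
	}
}

// SetExists builds an exists callback from a constructed list of file names,
// standing in for a pki directory in tests.
func SetExists(names ...string) func(string) bool {
	set := make(map[string]bool, len(names))
	for _, n := range names {
		set[n] = true
	}
	return func(name string) bool { return set[name] }
}

func main() {
	dir := "/etc/kubernetes/pki"
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	exists := DirExists(dir)
	for _, ca := range []string{"ca.crt", "front-proxy-ca.crt"} {
		state, err := CheckCA(ca, exists)
		if err != nil {
			fmt.Printf("%-20s %s: %v\n", ca, state, err)
			continue
		}
		fmt.Printf("%-20s %s\n", ca, state)
	}
}
```

Run with the pki directory as the only argument (it defaults to /etc/kubernetes/pki). The key-only case is reported as an error rather than silently treated as "generate", since a stray CA key next to a missing certificate is exactly the layout step 2 says should fail; the certificate-only branch is where the user who supplied an external CA but forgot a leaf gets told precisely which files to add.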

@timothysc timothysc modified the milestones: v1.11, v1.12 May 15, 2018

luxas commented May 18, 2018

@timothysc I think we should classify this as a bug (well, it is), and target v1.11.

@luxas luxas added kind/bug Categorizes issue or PR as related to a bug. area/UX and removed lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. labels May 18, 2018
@luxas luxas modified the milestones: v1.12, v1.11 May 18, 2018

ghost commented May 24, 2018

Hi,

Per questions from #sig-cluster-lifecycle, I wonder if there's one-to-one mapping reference documentation for the certificates and keys generated from kubeadm alpha phase certs all versus Kelsey Hightower's Kubernetes the Hard Way, as a smoke test.

Currently the use case is: to verify an engineer's handcrafted Kubernetes cluster, we have to handcraft another one to verify the correctness of each step. Maybe there's some way this could be verified fully automatically; we would like to know. The ideal goal is that the certs and keys generated from Kelsey's tutorial shall be interchangeable with those from kubeadm, in both directions.

Thanks.
