kubeadm: promote the "kubeadm certs" command to GA (#24410)
The command resided under "kubeadm alpha certs".
It will be promoted to GA in 1.20 as "kubeadm certs".

The existing command "kubeadm alpha" will
remain present for one more release, but it will be hidden
from documentation as it is deprecated.
neolit123 committed Nov 12, 2020
1 parent 68898b0 commit d0c6d30
Showing 21 changed files with 102 additions and 88 deletions.
Expand Up @@ -11,7 +11,7 @@ generate and print one for you.


```
kubeadm alpha certs certificate-key [flags]
kubeadm certs certificate-key [flags]
```

### Options
Expand Up @@ -5,7 +5,7 @@
Checks expiration for the certificates in the local PKI managed by kubeadm.

```
kubeadm alpha certs check-expiration [flags]
kubeadm certs check-expiration [flags]
```

### Options
Expand Up @@ -9,14 +9,14 @@ This command is designed for use in [Kubeadm External CA Mode](https://kubernete
The PEM encoded signed certificates should then be saved alongside the key files, using ".crt" as the file extension, or in the case of kubeconfig files, the PEM encoded signed certificate should be base64 encoded and added to the kubeconfig file in the "users > user > client-certificate-data" field.

```
kubeadm alpha certs generate-csr [flags]
kubeadm certs generate-csr [flags]
```

### Examples

```
# The following command will generate keys and CSRs for all control-plane certificates and kubeconfig files:
kubeadm alpha certs generate-csr --kubeconfig-dir /tmp/etc-k8s --cert-dir /tmp/etc-k8s/pki
kubeadm certs generate-csr --kubeconfig-dir /tmp/etc-k8s --cert-dir /tmp/etc-k8s/pki
```

### Options
Expand Up @@ -5,7 +5,7 @@
This command is not meant to be run on its own. See list of available subcommands.

```
kubeadm alpha certs renew [flags]
kubeadm certs renew [flags]
```

### Options
Expand Up @@ -11,7 +11,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

```
kubeadm alpha certs renew admin.conf [flags]
kubeadm certs renew admin.conf [flags]
```

### Options
Expand Up @@ -5,7 +5,7 @@
Renew all known certificates necessary to run the control plane. Renewals are run unconditionally, regardless of expiration date. Renewals can also be run individually for more control.

```
kubeadm alpha certs renew all [flags]
kubeadm certs renew all [flags]
```

### Options
Expand Up @@ -11,7 +11,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

```
kubeadm alpha certs renew apiserver-etcd-client [flags]
kubeadm certs renew apiserver-etcd-client [flags]
```

### Options
Expand Up @@ -11,7 +11,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

```
kubeadm alpha certs renew apiserver-kubelet-client [flags]
kubeadm certs renew apiserver-kubelet-client [flags]
```

### Options
Expand Up @@ -11,7 +11,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

```
kubeadm alpha certs renew apiserver [flags]
kubeadm certs renew apiserver [flags]
```

### Options
Expand Up @@ -11,7 +11,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

```
kubeadm alpha certs renew controller-manager.conf [flags]
kubeadm certs renew controller-manager.conf [flags]
```

### Options
Expand Up @@ -11,7 +11,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

```
kubeadm alpha certs renew etcd-healthcheck-client [flags]
kubeadm certs renew etcd-healthcheck-client [flags]
```

### Options
Expand Up @@ -11,7 +11,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

```
kubeadm alpha certs renew etcd-peer [flags]
kubeadm certs renew etcd-peer [flags]
```

### Options
Expand Up @@ -11,7 +11,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

```
kubeadm alpha certs renew etcd-server [flags]
kubeadm certs renew etcd-server [flags]
```

### Options
Expand Up @@ -11,7 +11,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

```
kubeadm alpha certs renew front-proxy-client [flags]
kubeadm certs renew front-proxy-client [flags]
```

### Options
Expand Up @@ -11,7 +11,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

```
kubeadm alpha certs renew scheduler.conf [flags]
kubeadm certs renew scheduler.conf [flags]
```

### Options
59 changes: 0 additions & 59 deletions content/en/docs/reference/setup-tools/kubeadm/kubeadm-alpha.md
@@ -1,7 +1,4 @@
---
reviewers:
- luxas
- jbeda
title: kubeadm alpha
content_type: concept
weight: 90
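Review bot: dropping the `reviewers` entries (luxas, jbeda) from the front matter is unrelated to promoting `kubeadm certs` and is not mentioned in the commit message; if the intent is that this page is on its way out because `kubeadm alpha` is deprecated, say so in the message, otherwise keep the reviewers so the remaining `kubeadm alpha kubeconfig user` section still has owners.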
Expand All @@ -12,62 +9,6 @@ weight: 90
from the community. Please try it out and give us feedback!
{{< /caution >}}

## kubeadm alpha certs {#cmd-certs}

A collection of operations for operating Kubernetes certificates.

{{< tabs name="tab-certs" >}}
{{< tab name="overview" include="generated/kubeadm_alpha_certs.md" />}}
{{< /tabs >}}

## kubeadm alpha certs renew {#cmd-certs-renew}

You can renew all Kubernetes certificates using the `all` subcommand or renew them selectively.
For more details about certificate expiration and renewal see the [certificate management documentation](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/).

{{< tabs name="tab-certs-renew" >}}
{{< tab name="renew" include="generated/kubeadm_alpha_certs_renew.md" />}}
{{< tab name="all" include="generated/kubeadm_alpha_certs_renew_all.md" />}}
{{< tab name="admin.conf" include="generated/kubeadm_alpha_certs_renew_admin.conf.md" />}}
{{< tab name="apiserver-etcd-client" include="generated/kubeadm_alpha_certs_renew_apiserver-etcd-client.md" />}}
{{< tab name="apiserver-kubelet-client" include="generated/kubeadm_alpha_certs_renew_apiserver-kubelet-client.md" />}}
{{< tab name="apiserver" include="generated/kubeadm_alpha_certs_renew_apiserver.md" />}}
{{< tab name="controller-manager.conf" include="generated/kubeadm_alpha_certs_renew_controller-manager.conf.md" />}}
{{< tab name="etcd-healthcheck-client" include="generated/kubeadm_alpha_certs_renew_etcd-healthcheck-client.md" />}}
{{< tab name="etcd-peer" include="generated/kubeadm_alpha_certs_renew_etcd-peer.md" />}}
{{< tab name="etcd-server" include="generated/kubeadm_alpha_certs_renew_etcd-server.md" />}}
{{< tab name="front-proxy-client" include="generated/kubeadm_alpha_certs_renew_front-proxy-client.md" />}}
{{< tab name="scheduler.conf" include="generated/kubeadm_alpha_certs_renew_scheduler.conf.md" />}}
{{< /tabs >}}

## kubeadm alpha certs certificate-key {#cmd-certs-certificate-key}

This command can be used to generate a new control-plane certificate key.
The key can be passed as `--certificate-key` to `kubeadm init` and `kubeadm join`
to enable the automatic copy of certificates when joining additional control-plane nodes.

{{< tabs name="tab-certs-certificate-key" >}}
{{< tab name="certificate-key" include="generated/kubeadm_alpha_certs_certificate-key.md" />}}
{{< /tabs >}}

## kubeadm alpha certs generate-csr {#cmd-certs-generate-csr}

This command can be used to generate certificate signing requests (CSRs) which
can be submitted to a certificate authority (CA) for signing.

{{< tabs name="tab-certs-generate-csr" >}}
{{< tab name="certificate-generate-csr" include="generated/kubeadm_alpha_certs_generate-csr.md" />}}
{{< /tabs >}}

## kubeadm alpha certs check-expiration {#cmd-certs-check-expiration}

This command checks expiration for the certificates in the local PKI managed by kubeadm.
For more details about certificate expiration and renewal see the [certificate management documentation](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/).

{{< tabs name="tab-certs-check-expiration" >}}
{{< tab name="check-expiration" include="generated/kubeadm_alpha_certs_check-expiration.md" />}}
{{< /tabs >}}

## kubeadm alpha kubeconfig user {#cmd-phase-kubeconfig}

The `user` subcommand can be used for the creation of kubeconfig files for additional users.
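Review bot: the deleted sections carried stable anchors (`#cmd-certs`, `#cmd-certs-renew`, `#cmd-certs-certificate-key`, `#cmd-certs-generate-csr`, `#cmd-certs-check-expiration`) that existing links to the `kubeadm alpha` page may target; the new page defines the same ids, so consider a front-matter redirect or a one-line pointer under the caution block ("`kubeadm alpha certs` has been promoted to `kubeadm certs`") so those links and readers following older guides do not dead-end.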
73 changes: 73 additions & 0 deletions content/en/docs/reference/setup-tools/kubeadm/kubeadm-certs.md
@@ -0,0 +1,73 @@
---
title: kubeadm certs
content_type: concept
weight: 90
---

`kubeadm certs` provides utilities for managing certificates.
For more details on how these commands can be used, see
[Certificate Management with kubeadm](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/).

## kubeadm certs {#cmd-certs}

A collection of operations for operating Kubernetes certificates.

{{< tabs name="tab-certs" >}}
{{< tab name="overview" include="generated/kubeadm_certs.md" />}}
{{< /tabs >}}

## kubeadm certs renew {#cmd-certs-renew}

You can renew all Kubernetes certificates using the `all` subcommand or renew them selectively.
For more details see [Manual certificate renewal](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#manual-certificate-renewal).

{{< tabs name="tab-certs-renew" >}}
{{< tab name="renew" include="generated/kubeadm_certs_renew.md" />}}
{{< tab name="all" include="generated/kubeadm_certs_renew_all.md" />}}
{{< tab name="admin.conf" include="generated/kubeadm_certs_renew_admin.conf.md" />}}
{{< tab name="apiserver-etcd-client" include="generated/kubeadm_certs_renew_apiserver-etcd-client.md" />}}
{{< tab name="apiserver-kubelet-client" include="generated/kubeadm_certs_renew_apiserver-kubelet-client.md" />}}
{{< tab name="apiserver" include="generated/kubeadm_certs_renew_apiserver.md" />}}
{{< tab name="controller-manager.conf" include="generated/kubeadm_certs_renew_controller-manager.conf.md" />}}
{{< tab name="etcd-healthcheck-client" include="generated/kubeadm_certs_renew_etcd-healthcheck-client.md" />}}
{{< tab name="etcd-peer" include="generated/kubeadm_certs_renew_etcd-peer.md" />}}
{{< tab name="etcd-server" include="generated/kubeadm_certs_renew_etcd-server.md" />}}
{{< tab name="front-proxy-client" include="generated/kubeadm_certs_renew_front-proxy-client.md" />}}
{{< tab name="scheduler.conf" include="generated/kubeadm_certs_renew_scheduler.conf.md" />}}
{{< /tabs >}}

## kubeadm certs certificate-key {#cmd-certs-certificate-key}

This command can be used to generate a new control-plane certificate key.
The key can be passed as `--certificate-key` to [`kubeadm init`](/docs/reference/setup-tools/kubeadm/kubeadm-init)
and [`kubeadm join`](/docs/reference/setup-tools/kubeadm/kubeadm-join)
to enable the automatic copy of certificates when joining additional control-plane nodes.

{{< tabs name="tab-certs-certificate-key" >}}
{{< tab name="certificate-key" include="generated/kubeadm_certs_certificate-key.md" />}}
{{< /tabs >}}

## kubeadm certs check-expiration {#cmd-certs-check-expiration}

This command checks expiration for the certificates in the local PKI managed by kubeadm.
For more details see
[Check certificate expiration](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#check-certificate-expiration).

{{< tabs name="tab-certs-check-expiration" >}}
{{< tab name="check-expiration" include="generated/kubeadm_certs_check-expiration.md" />}}
{{< /tabs >}}

## kubeadm certs generate-csr {#cmd-certs-generate-csr}

This command can be used to generate keys and CSRs for all control-plane certificates and kubeconfig files.
The user can then sign the CSRs with a CA of their choice.

{{< tabs name="tab-certs-generate-csr" >}}
{{< tab name="generate-csr" include="generated/kubeadm_certs_generate-csr.md" />}}
{{< /tabs >}}

## {{% heading "whatsnext" %}}

* [kubeadm init](/docs/reference/setup-tools/kubeadm/kubeadm-init/) to bootstrap a Kubernetes control-plane node
* [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) to connect a node to the cluster
* [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) to revert any changes made to this host by `kubeadm init` or `kubeadm join`
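Review bot: the `certificate-key` section explains what the key is for but not that it is sensitive; the HA setup page touched in this same commit prints "the certificate-key gives access to cluster sensitive data, keep it secret!" and that the uploaded certs are deleted after two hours, so a one-line note to that effect here (with a mention of `kubeadm init phase upload-certs` for re-uploading) would keep the reference page consistent with that warning. Separately, the new page has no `reviewers` front matter, unlike the `kubeadm alpha` page it replaces.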
4 changes: 2 additions & 2 deletions content/en/docs/reference/setup-tools/kubeadm/kubeadm-init.md
Expand Up @@ -178,7 +178,7 @@ If the flag `--certificate-key` is not passed to `kubeadm init` and
The following command can be used to generate a new key on demand:

```shell
kubeadm alpha certs certificate-key
kubeadm certs certificate-key
```

### Certificate management with kubeadm
Expand Down Expand Up @@ -246,7 +246,7 @@ or use a DNS name or an address of a load balancer.
nodes. The key can be generated using:

```shell
kubeadm alpha certs certificate-key
kubeadm certs certificate-key
```

Once the cluster is up, you can grab the admin credentials from the control-plane node
Expand Up @@ -133,10 +133,10 @@ option. Your cluster requirements may need a different configuration.
...
You can now join any number of control-plane node by running the following command on each as a root:
kubeadm join 192.168.0.200:6443 --token 9vr73a.a8uxyaju799qwdjv --discovery-token-ca-cert-hash sha256:7c2e69131a36ae2a042a339b33381c6d0d43887e2de83720eff5359e26aec866 --control-plane --certificate-key f8902e114ef118304e561c3ecd4d0b543adc226b7a07f675f56564185ffe0c07

Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use kubeadm init phase upload-certs to reload certs afterward.

Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 192.168.0.200:6443 --token 9vr73a.a8uxyaju799qwdjv --discovery-token-ca-cert-hash sha256:7c2e69131a36ae2a042a339b33381c6d0d43887e2de83720eff5359e26aec866
```
Expand All @@ -155,7 +155,7 @@ option. Your cluster requirements may need a different configuration.
To generate such a key you can use the following command:

```sh
kubeadm alpha certs certificate-key
kubeadm certs certificate-key
```

{{< note >}}
Expand Up @@ -52,7 +52,7 @@ setting up a cluster to use an external CA.
You can use the `check-expiration` subcommand to check when certificates expire:

```
kubeadm alpha certs check-expiration
kubeadm certs check-expiration
```

The output is similar to this:
Expand Down Expand Up @@ -120,7 +120,7 @@ command. In that case, you should explicitly set `--certificate-renewal=true`.

## Manual certificate renewal

You can renew your certificates manually at any time with the `kubeadm alpha certs renew` command.
You can renew your certificates manually at any time with the `kubeadm certs renew` command.

This command performs the renewal using CA (or front-proxy-CA) certificate and key stored in `/etc/kubernetes/pki`.

Expand All @@ -129,10 +129,10 @@ If you are running an HA cluster, this command needs to be executed on all the c
{{< /warning >}}

{{< note >}}
`alpha certs renew` uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) instead of the kubeadm-config ConfigMap. It is strongly recommended to keep them both in sync.
`certs renew` uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) instead of the kubeadm-config ConfigMap. It is strongly recommended to keep them both in sync.
{{< /note >}}

`kubeadm alpha certs renew` provides the following options:
`kubeadm certs renew` provides the following options:

The Kubernetes certificates normally reach their expiration date after one year.
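Review bot: "`kubeadm certs renew` provides the following options:" is immediately followed by the unrelated sentence "The Kubernetes certificates normally reach their expiration date after one year.", so the lead-in points at nothing in this hunk; either put the options (the `all` subcommand and the per-certificate subcommands) directly under it or drop the colon sentence. The note block is worth keeping as strong as it is: because `certs renew` takes Common Name, Organization and SANs from the existing certificates rather than the kubeadm-config ConfigMap, an operator who edits the ConfigMap and then renews gets certificates with the old SANs.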

Expand Down Expand Up @@ -170,14 +170,14 @@ controllerManager:

### Create certificate signing requests (CSR)

You can create the certificate signing requests for the Kubernetes certificates API with `kubeadm alpha certs renew --use-api`.
You can create the certificate signing requests for the Kubernetes certificates API with `kubeadm certs renew --use-api`.

If you set up an external signer such as [cert-manager](https://github.com/jetstack/cert-manager), certificate signing requests (CSRs) are automatically approved.
Otherwise, you must manually approve certificates with the [`kubectl certificate`](/docs/setup/best-practices/certificates/) command.
The following kubeadm command outputs the name of the certificate to approve, then blocks and waits for approval to occur:

```shell
sudo kubeadm alpha certs renew apiserver --use-api &
sudo kubeadm certs renew apiserver --use-api &
```
The output is similar to this:
```
Expand Down Expand Up @@ -211,13 +211,13 @@ In kubeadm terms, any certificate that would normally be signed by an on-disk CA

### Create certificate signing requests (CSR)

You can create certificate signing requests with `kubeadm alpha certs renew --csr-only`.
You can create certificate signing requests with `kubeadm certs renew --csr-only`.

Both the CSR and the accompanying private key are given in the output.
You can pass in a directory with `--csr-dir` to output the CSRs to the specified location.
If `--csr-dir` is not specified, the default certificate directory (`/etc/kubernetes/pki`) is used.

Certificates can be renewed with `kubeadm alpha certs renew --csr-only`.
Certificates can be renewed with `kubeadm certs renew --csr-only`.
As with `kubeadm init`, an output directory can be specified with the `--csr-dir` flag.

A CSR contains a certificate's name, domains, and IPs, but it does not specify usages.
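Review bot: "Certificates can be renewed with `kubeadm certs renew --csr-only`." repeats the earlier "You can create certificate signing requests with `kubeadm certs renew --csr-only`." and is misleading, since `--csr-only` writes a CSR and private key rather than a renewed certificate (the signing happens with the external CA, as the surrounding text says); suggest "CSRs for renewal can be generated with `kubeadm certs renew --csr-only`" or dropping the duplicate sentence.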

0 comments on commit d0c6d30