OC ADM CA(1)                       June 2016                      OC ADM CA(1)



NAME

       oc adm ca create-master-certs - Create certificates and keys for a master



SYNOPSIS

       oc adm ca create-master-certs [OPTIONS]



DESCRIPTION

       Create keys and certificates for a master


       This command creates keys and certs necessary to run a secure master.
       It also creates keys, certificates, and configuration necessary for
       most related infrastructure components that are clients to the master.
       See the related "create-node-config" command for generating per-node
       config.


       All files are expected or created in standard locations under the
       cert-dir.


       openshift.local.config/master/
             ca.{crt,key,serial.txt}
             master.server.{crt,key}
             admin.{crt,key,kubeconfig}
             ...


       Note that the certificate authority (CA aka "signer") generated
       automatically is self-signed. In production usage, administrators are
       more likely to want to generate signed certificates separately rather
       than rely on a generated CA. Alternatively, start with an existing
       signed CA and have this command use it to generate valid certificates.


       This command would usually only be used once at installation. If you
       need to regenerate the master server cert, DO NOT use --overwrite as
       this would recreate ALL certs including the CA cert, invalidating any
       existing infrastructure or client configuration. Instead, delete/rename
       the existing server cert and run the command to fill it in:


         mv openshift.local.config/master/master.server.crt{,.old}
         oc adm ca create-master-certs --cert-dir=... \
                 --master=https://internal.master.fqdn:8443 \
                 --public-master=https://external.master.fqdn:8443 \
                 --hostnames=external.master.fqdn,internal.master.fqdn,localhost,127.0.0.1,172.17.42.1,kubernetes.default.local


       Alternatively, use the related "ca create-server-cert" command to
       explicitly create a certificate.


       Regardless of --overwrite, the master server key/cert will be updated
       if --hostnames does not match the current certificate. Regardless of
       --overwrite, .kubeconfig files will be updated every time this command
       is run, so always specify --master (and if needed, --public-master).
       This is designed to match the behavior of "start" which rewrites
       certs/confs for certain configuration changes.
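       As an added example (not part of the oc man page), the POSIX shell
       helper below compares the subjectAltName entries of an existing
       master.server.crt with the --hostnames list you intend to pass, so you
       can tell in advance whether the rename step above is needed and whether
       the server cert will be rewritten by the hostname-mismatch rule. The
       function names are this example's own; it assumes an OpenSSL with the
       `x509 -ext` option (1.1.1 or later).

```sh
#!/bin/sh
# Added example, not part of oc: compare the names a master.server.crt
# already covers with the --hostnames list you intend to pass, so you
# know before running create-master-certs whether the server cert will
# be regenerated. Function names are this example's own choices.

# san_missing SAN_TEXT HOSTNAMES
#   SAN_TEXT:  the value line printed by `openssl x509 -noout -ext
#              subjectAltName`, e.g. "DNS:a.example, IP Address:10.0.0.1"
#   HOSTNAMES: the comma-delimited value you would pass to --hostnames
# Prints each requested name or IP the certificate does not cover, one
# per line; prints nothing when every requested name is covered.
san_missing() {
    # Turn "DNS:x, IP Address:y" into one bare name per line.
    covered=$(printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/^DNS://; s/^IP Address://')
    printf '%s\n' "$2" | tr ',' '\n' | while IFS= read -r want; do
        [ -n "$want" ] || continue
        # -F: literal match, so dots in IP addresses are not regex wildcards
        printf '%s\n' "$covered" | grep -qxF -- "$want" || printf '%s\n' "$want"
    done
}

# check_master_cert CERT_DIR HOSTNAMES
#   Reads the live certificate (needs OpenSSL 1.1.1+ for -ext) and reports
#   the names it lacks. Exit 0 when the cert already covers them all.
check_master_cert() {
    cert="$1/master.server.crt"
    san=$(openssl x509 -in "$cert" -noout -ext subjectAltName | tail -n +2)
    missing=$(san_missing "$san" "$2")
    [ -z "$missing" ] && return 0
    echo "$cert does not cover:" >&2
    printf '  %s\n' $missing >&2
    return 1
}

# Example run against a constructed SAN line (no certificate file needed):
san_missing 'DNS:external.master.fqdn, DNS:localhost, IP Address:127.0.0.1' \
    'external.master.fqdn,internal.master.fqdn,127.0.0.1,172.17.42.1'
```

       Run check_master_cert against the real cert-dir; a non-zero exit means
       the names differ and create-master-certs will rewrite master.server.crt
       on its next run even without --overwrite.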



OPTIONS

       --cert-dir="openshift.local.config/master"
           The certificate data directory.


       --expire-days=730
           Validity of the certificates in days (defaults to 2 years). WARNING:
       extending this above default value is highly discouraged.


       --hostnames=[]
           Every hostname or IP that server certs should be valid for
       (comma-delimited list)


       --master="https://localhost:8443"
           The API server's URL.


       --overwrite=false
           Overwrite all existing cert/key/config files (WARNING: includes
       signer/CA)


       --public-master=""
           The API public facing server's URL (if applicable).


       --signer-expire-days=1825
           Validity of the CA certificate in days (defaults to 5 years).
       WARNING: extending this above default value is highly discouraged.


       --signer-name="openshift-signer@<current_timestamp>"
           The name to use for the generated signer.



OPTIONS INHERITED FROM PARENT COMMANDS

       --allow_verification_with_non_compliant_keys=false
           Allow a SignatureVerifier to use keys which are technically
       non-compliant with RFC6962.


       --alsologtostderr=false
           log to standard error as well as files


       --application_metrics_count_limit=100
           Max number of application metrics to store (per container)


       --as=""
           Username to impersonate for the operation


       --as-group=[]
           Group to impersonate for the operation, this flag can be repeated
       to specify multiple groups.


       --azure-container-registry-config=""
           Path to the file containing Azure container registry configuration
       information.


       --boot_id_file="/proc/sys/kernel/random/boot_id"
           Comma-separated list of files to check for boot-id. Use the first
       one that exists.


       --cache-dir="/builddir/.kube/http-cache"
           Default HTTP cache directory


       --certificate-authority=""
           Path to a cert file for the certificate authority


       --client-certificate=""
           Path to a client certificate file for TLS


       --client-key=""
           Path to a client key file for TLS


       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
           CIDRs opened in GCE firewall for LB traffic proxy health checks


       --cluster=""
           The name of the kubeconfig cluster to use


       --container_hints="/etc/cadvisor/container_hints.json"
           location of the container hints file


       --containerd="unix:///var/run/containerd.sock"
           containerd endpoint


       --context=""
           The name of the kubeconfig context to use


       --default-not-ready-toleration-seconds=300
           Indicates the tolerationSeconds of the toleration for
       notReady:NoExecute that is added by default to every pod that does not
       already have such a toleration.


       --default-unreachable-toleration-seconds=300
           Indicates the tolerationSeconds of the toleration for
       unreachable:NoExecute that is added by default to every pod that does
       not already have such a toleration.


       --docker="unix:///var/run/docker.sock"
           docker endpoint


       --docker-tls=false
           use TLS to connect to docker


       --docker-tls-ca="ca.pem"
           path to trusted CA


       --docker-tls-cert="cert.pem"
           path to client certificate


       --docker-tls-key="key.pem"
           path to private key


       --docker_env_metadata_whitelist=""
           a comma-separated list of environment variable keys that needs to
       be collected for docker containers


       --docker_only=false
           Only report docker containers in addition to root stats


       --docker_root="/var/lib/docker"
           DEPRECATED: docker root is read from docker info (this is a
       fallback, default: /var/lib/docker)


       --enable_load_reader=false
           Whether to enable cpu load reader


       --event_storage_age_limit="default=24h"
           Max length of time for which to store events (per type). Value is a
       comma separated list of key values, where the keys are event types
       (e.g.: creation, oom) or "default" and the value is a duration. Default
       is applied to all non-specified event types


       --event_storage_event_limit="default=100000"
           Max number of events to store (per type). Value is a comma
       separated list of key values, where the keys are event types (e.g.:
       creation, oom) or "default" and the value is an integer. Default is
       applied to all non-specified event types


       --global_housekeeping_interval=0
           Interval between global housekeepings


       --housekeeping_interval=0
           Interval between container housekeepings


       --insecure-skip-tls-verify=false
           If true, the server's certificate will not be checked for validity.
       This will make your HTTPS connections insecure


       --kubeconfig=""
           Path to the kubeconfig file to use for CLI requests.


       --log-flush-frequency=0
           Maximum number of seconds between log flushes


       --log_backtrace_at=:0
           when logging hits line file:N, emit a stack trace


       --log_cadvisor_usage=false
           Whether to log the usage of the cAdvisor container


       --log_dir=""
           If non-empty, write log files in this directory


       --logtostderr=true
           log to standard error instead of files


       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
           Comma-separated list of files to check for machine-id. Use the
       first one that exists.


       --match-server-version=false
           Require server version to match client version


       -n, --namespace=""
           If present, the namespace scope for this CLI request


       --request-timeout="0"
           The length of time to wait before giving up on a single server
       request. Non-zero values should contain a corresponding time unit (e.g.
       1s, 2m, 3h). A value of zero means don't timeout requests.


       -s, --server=""
           The address and port of the Kubernetes API server


       --stderrthreshold=2
           logs at or above this threshold go to stderr


       --storage_driver_buffer_duration=0
           Writes in the storage driver will be buffered for this duration,
       and committed to the non memory backends as a single transaction


       --storage_driver_db="cadvisor"
           database name


       --storage_driver_host="localhost:8086"
           database host:port


       --storage_driver_password="root"
           database password


       --storage_driver_secure=false
           use secure connection with database


       --storage_driver_table="stats"
           table name


       --storage_driver_user="root"
           database username


       --token=""
           Bearer token for authentication to the API server


       --user=""
           The name of the kubeconfig user to use


       -v, --v=0
           log level for V logs


       --version=false
           Print version information and quit


       --vmodule=
           comma-separated list of pattern=N settings for file-filtered
       logging



SEE ALSO

       oc-adm-ca(1),



HISTORY

       June 2016, Ported from the Kubernetes man-doc generator


Openshift                  Openshift CLI User Manuals             OC ADM CA(1)