1OC ADM CA(1) June 2016 OC ADM CA(1)
2
3
4
6 oc adm ca create-server-cert - Create a signed server certificate and
7 key
8
9
10
12 oc adm ca create-server-cert [OPTIONS]
13
14
15
17 Create a key and server certificate
18
19
20 Create a key and server certificate valid for the specified hostnames,
21 signed by the specified CA. These are useful for securing infrastruc‐
22 ture components such as the router, authentication server, etc.
23
24
25 Example: Creating a secure router certificate.
26
27
28 CA=openshift.local.config/master
29 oc adm ca create-server-cert --signer-cert=$CA/ca.crt \
30 --signer-key=$CA/ca.key --signer-serial=$CA/ca.serial.txt \
31 --hostnames='*.cloudapps.example.com' \
32 --cert=cloudapps.crt --key=cloudapps.key
33 cat cloudapps.crt cloudapps.key $CA/ca.crt > cloudapps.router.pem
34
35
36
38 --cert=""
39 The certificate file. Choose a name that indicates what the service
40 is.
41
42
43 --expire-days=730
44 Validity of the certificate in days (defaults to 2 years). WARNING:
45 extending this above default value is highly discouraged.
46
47
48 --hostnames=[]
49 Every hostname or IP you want server certs to be valid for. Comma
50 delimited list
51
52
53 --key=""
54 The key file. Choose a name that indicates what the service is.
55
56
57 --overwrite=true
58 Overwrite existing cert files if found. If false, any existing
59 file will be left as-is.
60
61
62 --signer-cert="openshift.local.config/master/ca.crt"
63 The certificate file.
64
65
66 --signer-key="openshift.local.config/master/ca.key"
67 The key file.
68
69
70 --signer-serial="openshift.local.config/master/ca.serial.txt"
71 The serial file that keeps track of how many certs have been
72 signed.
73
74
75
77 --allow_verification_with_non_compliant_keys=false
78 Allow a SignatureVerifier to use keys which are technically
79 non-compliant with RFC6962.
80
81
82 --alsologtostderr=false
83 log to standard error as well as files
84
85
86 --application_metrics_count_limit=100
87 Max number of application metrics to store (per container)
88
89
90 --as=""
91 Username to impersonate for the operation
92
93
94 --as-group=[]
95 Group to impersonate for the operation, this flag can be repeated
96 to specify multiple groups.
97
98
99 --azure-container-registry-config=""
100 Path to the file containing Azure container registry configuration
101 information.
102
103
104 --boot_id_file="/proc/sys/kernel/random/boot_id"
105 Comma-separated list of files to check for boot-id. Use the first
106 one that exists.
107
108
109 --cache-dir="/builddir/.kube/http-cache"
110 Default HTTP cache directory
111
112
113 --certificate-authority=""
114 Path to a cert file for the certificate authority
115
116
117 --client-certificate=""
118 Path to a client certificate file for TLS
119
120
121 --client-key=""
122 Path to a client key file for TLS
123
124
125 --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
126 CIDRs opened in GCE firewall for LB traffic proxy health checks
127
128
129 --cluster=""
130 The name of the kubeconfig cluster to use
131
132
133 --container_hints="/etc/cadvisor/container_hints.json"
134 location of the container hints file
135
136
137 --containerd="unix:///var/run/containerd.sock"
138 containerd endpoint
139
140
141 --context=""
142 The name of the kubeconfig context to use
143
144
145 --default-not-ready-toleration-seconds=300
146 Indicates the tolerationSeconds of the toleration for
147 notReady:NoExecute that is added by default to every pod that does not
148 already have such a toleration.
149
150
151 --default-unreachable-toleration-seconds=300
152 Indicates the tolerationSeconds of the toleration for unreach‐
153 able:NoExecute that is added by default to every pod that does not
154 already have such a toleration.
155
156
157 --docker="unix:///var/run/docker.sock"
158 docker endpoint
159
160
161 --docker-tls=false
162 use TLS to connect to docker
163
164
165 --docker-tls-ca="ca.pem"
166 path to trusted CA
167
168
169 --docker-tls-cert="cert.pem"
170 path to client certificate
171
172
173 --docker-tls-key="key.pem"
174 path to private key
175
176
177 --docker_env_metadata_whitelist=""
178 a comma-separated list of environment variable keys that needs to
179 be collected for docker containers
180
181
182 --docker_only=false
183 Only report docker containers in addition to root stats
184
185
186 --docker_root="/var/lib/docker"
187 DEPRECATED: docker root is read from docker info (this is a fall‐
188 back, default: /var/lib/docker)
189
190
191 --enable_load_reader=false
192 Whether to enable cpu load reader
193
194
195 --event_storage_age_limit="default=24h"
196 Max length of time for which to store events (per type). Value is a
197 comma separated list of key values, where the keys are event types
198 (e.g.: creation, oom) or "default" and the value is a duration. Default
199 is applied to all non-specified event types
200
201
202 --event_storage_event_limit="default=100000"
203 Max number of events to store (per type). Value is a comma sepa‐
204 rated list of key values, where the keys are event types (e.g.: cre‐
205 ation, oom) or "default" and the value is an integer. Default is
206 applied to all non-specified event types
207
208
209 --global_housekeeping_interval=0
210 Interval between global housekeepings
211
212
213 --housekeeping_interval=0
214 Interval between container housekeepings
215
216
217 --httptest.serve=""
218 if non-empty, httptest.NewServer serves on this address and blocks
219
220
221 --insecure-skip-tls-verify=false
222 If true, the server's certificate will not be checked for validity.
223 This will make your HTTPS connections insecure
224
225
226 --kubeconfig=""
227 Path to the kubeconfig file to use for CLI requests.
228
229
230 --log-flush-frequency=0
231 Maximum number of seconds between log flushes
232
233
234 --log_backtrace_at=:0
235 when logging hits line file:N, emit a stack trace
236
237
238 --log_cadvisor_usage=false
239 Whether to log the usage of the cAdvisor container
240
241
242 --log_dir=""
243 If non-empty, write log files in this directory
244
245
246 --logtostderr=true
247 log to standard error instead of files
248
249
250 --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
251 Comma-separated list of files to check for machine-id. Use the
252 first one that exists.
253
254
255 --match-server-version=false
256 Require server version to match client version
257
258
259 -n, --namespace=""
260 If present, the namespace scope for this CLI request
261
262
263 --request-timeout="0"
264 The length of time to wait before giving up on a single server
265 request. Non-zero values should contain a corresponding time unit (e.g.
266 1s, 2m, 3h). A value of zero means don't timeout requests.
267
268
269 -s, --server=""
270 The address and port of the Kubernetes API server
271
272
273 --stderrthreshold=2
274 logs at or above this threshold go to stderr
275
276
277 --storage_driver_buffer_duration=0
278 Writes in the storage driver will be buffered for this duration,
279 and committed to the non memory backends as a single transaction
280
281
282 --storage_driver_db="cadvisor"
283 database name
284
285
286 --storage_driver_host="localhost:8086"
287 database host:port
288
289
290 --storage_driver_password="root"
291 database password
292
293
294 --storage_driver_secure=false
295 use secure connection with database
296
297
298 --storage_driver_table="stats"
299 table name
300
301
302 --storage_driver_user="root"
303 database username
304
305
306 --token=""
307 Bearer token for authentication to the API server
308
309
310 --user=""
311 The name of the kubeconfig user to use
312
313
314 -v, --v=0
315 log level for V logs
316
317
318 --version=false
319 Print version information and quit
320
321
322 --vmodule=
323 comma-separated list of pattern=N settings for file-filtered log‐
324 ging
325
326
327
329 oc-adm-ca(1),
330
331
332
334 June 2016, Ported from the Kubernetes man-doc generator
335
336
337
338Openshift Openshift CLI User Manuals OC ADM CA(1)