OC ADM(1)                          June 2016                         OC ADM(1)

NAME

       oc adm create-master-certs - Create keys and certificates for a master

SYNOPSIS

       oc adm create-master-certs [OPTIONS]

DESCRIPTION

       Create keys and certificates for a master

       This command creates keys and certs necessary to run a secure master.
       It also creates keys, certificates, and configuration necessary for
       most related infrastructure components that are clients to the master.
       See the related "create-node-config" command for generating per-node
       config.

       All files are expected or created in standard locations under the
       cert-dir.

       openshift.local.config/master/
             ca.{crt,key,serial.txt}
             master.server.{crt,key}
             admin.{crt,key,kubeconfig}
             ...

       Note that the certificate authority (CA aka "signer") generated
       automatically is self-signed. In production usage, administrators are
       more likely to want to generate signed certificates separately rather
       than rely on a generated CA. Alternatively, start with an existing
       signed CA and have this command use it to generate valid certificates.

       This command would usually only be used once at installation. If you
       need to regenerate the master server cert, DO NOT use --overwrite as
       this would recreate ALL certs including the CA cert, invalidating any
       existing infrastructure or client configuration. Instead, delete/rename
       the existing server cert and run the command to fill it in:

       mv openshift.local.config/master/master.server.crt{,.old}
       oc adm create-master-certs --cert-dir=... \
               --master=https://internal.master.fqdn:8443 \
               --public-master=https://external.master.fqdn:8443 \
               --hostnames=external.master.fqdn,internal.master.fqdn,localhost,127.0.0.1,172.17.42.1,kubernetes.default.local

       Alternatively, use the related "ca create-server-cert" command to
       explicitly create a certificate.

       Regardless of --overwrite, the master server key/cert will be updated
       if --hostnames does not match the current certificate. Regardless of
       --overwrite, .kubeconfig files will be updated every time this command
       is run, so always specify --master (and if needed, --public-master).
       This is designed to match the behavior of "start" which rewrites
       certs/confs for certain configuration changes.
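
       The regeneration procedure above, as an added shell example that is
       not part of this man page or of OpenShift: it runs the documented
       steps and then checks, with openssl(1), that the new server cert still
       chains to the existing CA and that its SANs cover the --hostnames
       list. The constructed CA and server cert at the end are sample data for
       exercising the checks offline; CERT_DIR, the function names and the
       demo-signer name are assumptions.

```shell
# Added example, not part of the oc man page or the OpenShift code base.
# Wraps the documented "rename the old server cert and re-run" procedure and
# checks that the regenerated master.server.crt still chains to the existing
# ca.crt (i.e. no new signer was minted) and that its SANs cover every
# --hostnames entry. Assumes openssl(1) and oc are on PATH.
set -u
CERT_DIR=${CERT_DIR:-openshift.local.config/master}

# 0 when server cert $2 was issued by CA cert $1.
cert_signed_by_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 0 when each entry of the comma-delimited list $2 is a DNS or IP SAN of
# cert $1; otherwise names the missing entries on stderr and returns 1.
cert_covers_hostnames() {
    sans=$(openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;q;}' | tr ',' '\n' |
        sed -n -e 's/^ *DNS://p' -e 's/^ *IP Address://p')
    missing=""
    for h in $(printf '%s' "$2" | tr ',' ' '); do
        printf '%s\n' "$sans" | grep -qxF "$h" || missing="$missing $h"
    done
    [ -z "$missing" ] || { echo "not in SAN:$missing" >&2; return 1; }
}

# The man page's procedure: move the old cert aside, re-run WITHOUT
# --overwrite, then verify. $1 master URL, $2 public URL, $3 hostnames.
regenerate_master_server_cert() {
    mv "$CERT_DIR/master.server.crt" "$CERT_DIR/master.server.crt.old" &&
    oc adm create-master-certs --cert-dir="$CERT_DIR" --master="$1" \
        --public-master="$2" --hostnames="$3" &&
    cert_signed_by_ca "$CERT_DIR/ca.crt" "$CERT_DIR/master.server.crt" &&
    cert_covers_hostnames "$CERT_DIR/master.server.crt" "$3"
}

# Constructed sample CA and server cert (no oc needed) so the checks above
# can be exercised offline; writes into empty directory $1.
make_constructed_certs() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' '[dn]' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' 'keyUsage=keyCertSign' >"$1/ca.cnf"
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj '/CN=demo-signer' -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=internal.master.fqdn' -keyout "$1/master.server.key" \
        -out "$1/master.server.csr" 2>/dev/null
    echo 'subjectAltName=DNS:internal.master.fqdn,DNS:localhost,IP:127.0.0.1' >"$1/san.cnf"
    openssl x509 -req -days 30 -in "$1/master.server.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -extfile "$1/san.cnf" \
        -out "$1/master.server.crt" 2>/dev/null
}
```

       Call regenerate_master_server_cert with the three values from the
       command above once an oc binary and a populated cert-dir are available.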

OPTIONS

       --cert-dir="openshift.local.config/master"
           The certificate data directory.

       --expire-days=730
           Validity of the certificates in days (defaults to 2 years).
           WARNING: extending this above the default value is highly
           discouraged.

       --hostnames=[]
           Every hostname or IP that server certs should be valid for
           (comma-delimited list)

       --master="https://localhost:8443"
           The API server's URL.

       --overwrite=false
           Overwrite all existing cert/key/config files (WARNING: includes
           signer/CA)

       --public-master=""
           The API public facing server's URL (if applicable).

       --signer-expire-days=1825
           Validity of the CA certificate in days (defaults to 5 years).
           WARNING: extending this above the default value is highly
           discouraged.

       --signer-name="openshift-signer@<current_timestamp>"
           The name to use for the generated signer.

OPTIONS INHERITED FROM PARENT COMMANDS

       --allow_verification_with_non_compliant_keys=false
           Allow a SignatureVerifier to use keys which are technically
           non-compliant with RFC6962.

       --alsologtostderr=false
           log to standard error as well as files

       --application_metrics_count_limit=100
           Max number of application metrics to store (per container)

       --as=""
           Username to impersonate for the operation

       --as-group=[]
           Group to impersonate for the operation; this flag can be repeated
           to specify multiple groups.

       --azure-container-registry-config=""
           Path to the file containing Azure container registry configuration
           information.

       --boot_id_file="/proc/sys/kernel/random/boot_id"
           Comma-separated list of files to check for boot-id. Use the first
           one that exists.

       --cache-dir="/builddir/.kube/http-cache"
           Default HTTP cache directory

       --certificate-authority=""
           Path to a cert file for the certificate authority

       --client-certificate=""
           Path to a client certificate file for TLS

       --client-key=""
           Path to a client key file for TLS

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
           CIDRs opened in GCE firewall for LB traffic proxy health checks

       --cluster=""
           The name of the kubeconfig cluster to use

       --container_hints="/etc/cadvisor/container_hints.json"
           location of the container hints file

       --containerd="unix:///var/run/containerd.sock"
           containerd endpoint

       --context=""
           The name of the kubeconfig context to use

       --default-not-ready-toleration-seconds=300
           Indicates the tolerationSeconds of the toleration for
           notReady:NoExecute that is added by default to every pod that does
           not already have such a toleration.

       --default-unreachable-toleration-seconds=300
           Indicates the tolerationSeconds of the toleration for
           unreachable:NoExecute that is added by default to every pod that
           does not already have such a toleration.

       --docker="unix:///var/run/docker.sock"
           docker endpoint

       --docker-tls=false
           use TLS to connect to docker

       --docker-tls-ca="ca.pem"
           path to trusted CA

       --docker-tls-cert="cert.pem"
           path to client certificate

       --docker-tls-key="key.pem"
           path to private key

       --docker_env_metadata_whitelist=""
           a comma-separated list of environment variable keys that need to
           be collected for docker containers

       --docker_only=false
           Only report docker containers in addition to root stats

       --docker_root="/var/lib/docker"
           DEPRECATED: docker root is read from docker info (this is a
           fallback, default: /var/lib/docker)

       --enable_load_reader=false
           Whether to enable cpu load reader

       --event_storage_age_limit="default=24h"
           Max length of time for which to store events (per type). Value is
           a comma-separated list of key values, where the keys are event
           types (e.g.: creation, oom) or "default" and the value is a
           duration. Default is applied to all non-specified event types

       --event_storage_event_limit="default=100000"
           Max number of events to store (per type). Value is a
           comma-separated list of key values, where the keys are event types
           (e.g.: creation, oom) or "default" and the value is an integer.
           Default is applied to all non-specified event types

       --global_housekeeping_interval=0
           Interval between global housekeepings

       --housekeeping_interval=0
           Interval between container housekeepings

       --insecure-skip-tls-verify=false
           If true, the server's certificate will not be checked for validity.
           This will make your HTTPS connections insecure

       --kubeconfig=""
           Path to the kubeconfig file to use for CLI requests.

       --log-flush-frequency=0
           Maximum number of seconds between log flushes

       --log_backtrace_at=:0
           when logging hits line file:N, emit a stack trace

       --log_cadvisor_usage=false
           Whether to log the usage of the cAdvisor container

       --log_dir=""
           If non-empty, write log files in this directory

       --logtostderr=true
           log to standard error instead of files

       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
           Comma-separated list of files to check for machine-id. Use the
           first one that exists.

       --match-server-version=false
           Require server version to match client version

       -n, --namespace=""
           If present, the namespace scope for this CLI request

       --request-timeout="0"
           The length of time to wait before giving up on a single server
           request. Non-zero values should contain a corresponding time unit
           (e.g. 1s, 2m, 3h). A value of zero means don't time out requests.

       -s, --server=""
           The address and port of the Kubernetes API server

       --stderrthreshold=2
           logs at or above this threshold go to stderr

       --storage_driver_buffer_duration=0
           Writes in the storage driver will be buffered for this duration,
           and committed to the non-memory backends as a single transaction

       --storage_driver_db="cadvisor"
           database name

       --storage_driver_host="localhost:8086"
           database host:port

       --storage_driver_password="root"
           database password

       --storage_driver_secure=false
           use secure connection with database

       --storage_driver_table="stats"
           table name

       --storage_driver_user="root"
           database username

       --token=""
           Bearer token for authentication to the API server

       --user=""
           The name of the kubeconfig user to use

       -v, --v=0
           log level for V logs

       --version=false
           Print version information and quit

       --vmodule=
           comma-separated list of pattern=N settings for file-filtered
           logging

SEE ALSO

       oc-adm(1)

HISTORY

       June 2016, Ported from the Kubernetes man-doc generator

Openshift                  Openshift CLI User Manuals                OC ADM(1)