By default, Konvoy creates a self-signed internal Certificate Authority (CA) for the Kubernetes Control Plane. This CA is used to create certificates for various Kubernetes components such as etcd and the API server.
Custom Internal Certificate Authority
You can provide your own CA to be used internally. Currently, we do not support using an external CA, such as Let's Encrypt, for the Kubernetes Control Plane.
Providing a custom internal Certificate Authority requires two files:
- CA Certificate (in PEM format) - ca.crt
- CA Key (unencrypted RSA private key) - ca.key
Place the two files as ca.crt and ca.key in the $(pwd)/extras/pki directory before creating the cluster.
konvoy up will use your CA.
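A pre-flight check of the two files before running konvoy up, as an added example that is not part of Konvoy or its documentation. The function name check_konvoy_ca is hypothetical; it assumes openssl is installed and uses the file names ca.crt and ca.key that appear on this page.

```shell
#!/bin/sh
# Added example, not Konvoy code. check_konvoy_ca is a hypothetical helper.
# Assumes the files are named ca.crt and ca.key inside the given directory.

fail() { echo "FAIL: $*" >&2; }

check_konvoy_ca() {
    pki_dir=${1:-"$(pwd)/extras/pki"}
    crt="$pki_dir/ca.crt"
    key="$pki_dir/ca.key"

    for f in "$crt" "$key"; do
        [ -r "$f" ] || { fail "cannot read $f"; return 1; }
    done

    # The certificate must be PEM-encoded X.509 and not yet expired.
    grep -q 'BEGIN CERTIFICATE' "$crt" && openssl x509 -in "$crt" -noout 2>/dev/null ||
        { fail "$crt is not a PEM certificate"; return 1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { fail "$crt has expired"; return 1; }

    # It must be a CA certificate, otherwise it cannot issue component certificates.
    openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE' ||
        { fail "$crt lacks basicConstraints CA:TRUE"; return 1; }

    # The key must be unencrypted; both PEM encryption styles contain "ENCRYPTED".
    if grep -q 'ENCRYPTED' "$key"; then
        fail "$key is passphrase-protected"; return 1
    fi

    # The key must be RSA and belong to the certificate (same modulus).
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null) ||
        { fail "$key is not an RSA private key"; return 1; }
    crt_mod=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null)
    if [ "$key_mod" != "$crt_mod" ]; then
        fail "$key does not match $crt"; return 1
    fi

    echo "OK: $crt and $key are usable as an internal CA"
}

# Stand-alone use: sh check-ca.sh "$(pwd)/extras/pki" && konvoy up
if [ "$#" -gt 0 ]; then check_konvoy_ca "$1"; fi
```

Because ca.key is stored unencrypted, keep it readable only by the account that runs konvoy.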
You can verify your certificate with the following commands:

```
openssl s_client -showcerts -connect "your-api-server-host-from-admin.conf:6443" </dev/null 2>/dev/null | openssl x509 -outform PEM > apiserver.crt
openssl verify -CAfile extras/pki/ca.crt apiserver.crt
# output:
# apiserver.crt: OK
```