From 18be500a61bff46e4636918850e77e7d7238a6b8 Mon Sep 17 00:00:00 2001
From: a11e-ch
Date: Wed, 5 Nov 2025 20:55:31 +0000
Subject: [PATCH] Clarify the signerName in the example as being the only valid signerName

I had used this example, but it was not clear to me that the `beta.eks.amazonaws.com/app-serving` value for `signerName` was required in order for EKS to sign my certificates, and I had used my own custom signer name instead. This PR adds some suggestions for clarifying the required value of `signerName` to have EKS sign any certificates.
---
 latest/ug/security/cert-signing.adoc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/latest/ug/security/cert-signing.adoc b/latest/ug/security/cert-signing.adoc
index 744d30da..076f67fc 100644
--- a/latest/ug/security/cert-signing.adoc
+++ b/latest/ug/security/cert-signing.adoc
@@ -14,7 +14,7 @@ The Kubernetes Certificates API automates https://www.itu.int/rec/T-REC-X.509[X. One of the built-in signers is `kubernetes.io/legacy-unknown`. The `v1beta1` API of CSR resource honored this legacy-unknown signer. However, the stable `v1` API of CSR doesn't allow the `signerName` to be set to `kubernetes.io/legacy-unknown`. -If you want to use Amazon EKS CA for generating certificates on your clusters, you must use a custom signer. To use the CSR `v1` API version and generate a new certificate, you must migrate any existing manifests and API clients. Existing certificates that were created with the existing `v1beta1` API are valid and function until the certificate expires. This includes the following: +If you want to use Amazon EKS CA for generating certificates on your clusters, you must use a custom signer. Amazon EKS supports the custom signer name `beta.eks.amazonaws.com/app-serving` to generate certificates. To use the CSR `v1` API version and generate a new certificate, you must migrate any existing manifests and API clients. Existing certificates that were created with the existing `v1beta1` API are valid and function until the certificate expires. This includes the following: * Trust distribution: None. There's no standard trust or distribution for this signer in a Kubernetes cluster. * Permitted subjects: Any 
@@ -29,7 +29,7 @@ NOTE: Client certificate signing is not supported. [#csr-example] == Example CSR generation with signerName -These steps shows how to generate a serving certificate for DNS name `myserver.default.svc` using `signerName: beta.eks.amazonaws.com/app-serving`. Use this as a guide for your own environment. +These steps shows how to generate a serving certificate for DNS name `myserver.default.svc`. This example shows the Amazon EKS supported `signerName: beta.eks.amazonaws.com/app-serving`. Use this as a guide for your own environment. . Run the `openssl genrsa -out myserver.key 2048` command to generate an RSA private key. + @@ -50,7 +50,7 @@ openssl req -new -key myserver.key -out myserver.csr -subj "/CN=myserver.default base_64=$(cat myserver.csr | base64 -w 0 | tr -d " ") ---- -. Run the following command to create a file named `mycsr.yaml`. In the following example, `beta.eks.amazonaws.com/app-serving` is the `signerName`. +. Run the following command to create a file named `mycsr.yaml`. Note the use of `beta.eks.amazonaws.com/app-serving` for the `signerName` in this example. + [source,yaml,subs="verbatim,attributes"] ----
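Review bot: in the `@@ -14,7 +14,7 @@` hunk, the added sentence "Amazon EKS supports the custom signer name `beta.eks.amazonaws.com/app-serving` to generate certificates." says the signer is supported but not that it is the only value Amazon EKS will sign, which is the clarification the subject line ("the only valid signerName") and the description set out to make; a reader who, like the author, picked their own custom signer name would still not learn from this line that such a CSR is not signed. Suggest stating it directly, e.g. "`beta.eks.amazonaws.com/app-serving` is the only `signerName` that Amazon EKS signs; a CSR that names any other custom signer is not signed by the Amazon EKS CA." The preceding clause "you must use a custom signer" followed by "supports the custom signer name" also reads as if any custom signer works; "you must use the Amazon EKS custom signer" would remove that ambiguity.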
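Review bot: in the `@@ -29,7 +29,7 @@` hunk, "These steps shows" is a pre-existing subject-verb agreement error on a line this change already touches; make it "These steps show". The new second sentence, "This example shows the Amazon EKS supported `signerName: beta.eks.amazonaws.com/app-serving`.", is awkward and, like the removed wording, only names the signer without saying it is required, so the edit adds words without adding the clarification. Suggest "These steps show how to generate a serving certificate for DNS name `myserver.default.svc` using `signerName: beta.eks.amazonaws.com/app-serving`, the only signer name that Amazon EKS supports."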
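Review bot: in the `@@ -50,7 +50,7 @@` hunk, "Note the use of `beta.eks.amazonaws.com/app-serving` for the `signerName` in this example." reads as an incidental observation, and "in this example" suggests the value is one choice among several; since the point of this change is that the value is required, say so at the step where the manifest is written, e.g. ". Run the following command to create a file named `mycsr.yaml`. The `signerName` must be `beta.eks.amazonaws.com/app-serving`; Amazon EKS does not sign a CSR that specifies any other signer." The unchanged context lines around the hunk, including the `base_64=$(cat myserver.csr | base64 -w 0 | tr -d " ")` step and the `[source,yaml,subs="verbatim,attributes"]` block opener, need no change.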