6 changes: 3 additions & 3 deletions latest/ug/security/cert-signing.adoc
Expand Up @@ -14,7 +14,7 @@ The Kubernetes Certificates API automates https://www.itu.int/rec/T-REC-X.509[X.

One of the built-in signers is `kubernetes.io/legacy-unknown`. The `v1beta1` API of CSR resource honored this legacy-unknown signer. However, the stable `v1` API of CSR doesn't allow the `signerName` to be set to `kubernetes.io/legacy-unknown`.

If you want to use Amazon EKS CA for generating certificates on your clusters, you must use a custom signer. To use the CSR `v1` API version and generate a new certificate, you must migrate any existing manifests and API clients. Existing certificates that were created with the existing `v1beta1` API are valid and function until the certificate expires. This includes the following:
If you want to use Amazon EKS CA for generating certificates on your clusters, you must use a custom signer. Amazon EKS supports the custom signer name `beta.eks.amazonaws.com/app-serving` to generate certificates. To use the CSR `v1` API version and generate a new certificate, you must migrate any existing manifests and API clients. Existing certificates that were created with the existing `v1beta1` API are valid and function until the certificate expires. This includes the following:

* Trust distribution: None. There's no standard trust or distribution for this signer in a Kubernetes cluster.
* Permitted subjects: Any
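Review bot: The new sentence "Amazon EKS supports the custom signer name `beta.eks.amazonaws.com/app-serving` to generate certificates." is inserted between "you must use a custom signer" and the `v1beta1` migration advice, so one paragraph now mixes three topics (which signer to use, how to migrate, and which old certificates remain valid). Consider placing it as its own short paragraph, or directly before the property list that follows, and scoping it to what the signer actually does: the name is `app-serving` and the rest of the section (the `NOTE: Client certificate signing is not supported.` context and the "Trust distribution: None" bullet) show it is for serving certificates only, so "to generate serving certificates" would be more accurate than "to generate certificates". It would also help readers to state, next to the signer name, that because trust distribution is "None" they must distribute the CA themselves, since that bullet is easy to miss.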
Expand All @@ -29,7 +29,7 @@ NOTE: Client certificate signing is not supported.
[#csr-example]
== Example CSR generation with signerName

These steps shows how to generate a serving certificate for DNS name `myserver.default.svc` using `signerName: beta.eks.amazonaws.com/app-serving`. Use this as a guide for your own environment.
These steps shows how to generate a serving certificate for DNS name `myserver.default.svc`. This example shows the Amazon EKS supported `signerName: beta.eks.amazonaws.com/app-serving`. Use this as a guide for your own environment.

. Run the `openssl genrsa -out myserver.key 2048` command to generate an RSA private key.
+
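Review bot: The rewritten sentence keeps the existing grammar error "These steps shows"; since the line is being changed anyway, make it "These steps show how to generate a serving certificate for the DNS name `myserver.default.svc`." The second new sentence, "This example shows the Amazon EKS supported `signerName: beta.eks.amazonaws.com/app-serving`.", reads better as "This example uses the Amazon EKS supported signer name `beta.eks.amazonaws.com/app-serving`." so that the two sentences do not both open with "shows".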
Expand All @@ -50,7 +50,7 @@ openssl req -new -key myserver.key -out myserver.csr -subj "/CN=myserver.default
base_64=$(cat myserver.csr | base64 -w 0 | tr -d "
")
----
. Run the following command to create a file named `mycsr.yaml`. In the following example, `beta.eks.amazonaws.com/app-serving` is the `signerName`.
. Run the following command to create a file named `mycsr.yaml`. Note the use of `beta.eks.amazonaws.com/app-serving` for the `signerName` in this example.
+
[source,yaml,subs="verbatim,attributes"]
----
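Review bot: The wording change on the `mycsr.yaml` step is fine, but keep the terminology consistent with the earlier hunk: there the text calls it the "custom signer name" and here it calls it "the `signerName`"; pick one phrasing for the value and one for the field. Separately, the unchanged context lines show the `tr -d "` argument split across two lines before `")` followed by `----`; if the source file really contains a literal line break inside the quotes rather than `"\n"`, the rendered command is confusing to copy, and since `base64 -w 0` already emits a single line the `tr` stage could be dropped. Worth checking while this block is being edited.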