github.com/jlmeeker/kismatic@v1.10.1-0.20180612190640-57f9005a1f1a/docs/proposals/certs-cli.md

# Certificates CLI

Status: Proposal

Certificates are a requirement for running secure Kubernetes clusters. In a cluster bootstrapped by kismatic, all component endpoints are secured using TLS. Furthermore, certificates are also used for user authentication when there is no other authentication mechanism configured.

In order to facilitate the generation and management of certificates, a new command in the kismatic CLI is proposed.

## Use Cases
* As an operator, I want to grant cluster access to a new user by generating a client certificate
* As an operator, I want to grant cluster access to an external system by generating a client certificate

# Design

The following CLI commands are proposed for introduction to the `kismatic` binary:

## Certificate Generation
A generic, "swiss-army" style command is proposed for generating certificates:

```
kismatic certificates generate <name> [options]
```

Output: The generated key and certificate are placed in the generated directory. The key's filename is `<name>-key.pem`, and the certificate's filename is `<name>.pem`.

Pre-conditions:
* CA is in the generated directory

Options:
* `--common-name`: Override the common name. If blank, use `<name>`.
* `--validity-period`: Specify the number of days this certificate should be valid for. Expiration date will be calculated relative to the machine's clock. If not specified, the validity period will be 365 days.
* `--subj-alt-names`: Comma-separated list of names that should be included in the certificate's subject alternative names field.
* `--organizations`: Comma-separated list of names that should be included in the certificate's organization field.
* `--overwrite`: Overwrite existing certificate if it already exists in the target directory.

Validity Period:
* Kismatic will print a warning if the chosen validity period is longer than the recommended 825 days (https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/)
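
The command sketched above, as an added Go example that is not part of kismatic's code base: it takes the proposed options as a `GenerateOptions` struct, signs a client certificate with an already-existing CA (the pre-condition above), writes `<name>-key.pem` and `<name>.pem` into the target directory, refuses to overwrite an existing certificate unless asked to, and exposes the 825-day check as `ValidityWarning`. The names `GenerateOptions`, `Issue`, `GenerateClientCert` and `ValidityWarning`, and the choice of P-256 keys, are this example's assumptions, not kismatic's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// RecommendedMaxValidityDays is the 825-day ceiling (CA/Browser Forum ballot 193) that the proposal warns about.
const RecommendedMaxValidityDays = 825

// GenerateOptions mirrors the arguments proposed for `kismatic certificates generate <name> [options]`.
type GenerateOptions struct {
	Name          string   // <name>: output filenames <name>.pem / <name>-key.pem and the default common name
	CommonName    string   // --common-name; defaults to Name
	ValidityDays  int      // --validity-period; defaults to 365
	SubjAltNames  []string // --subj-alt-names
	Organizations []string // --organizations (Kubernetes reads these as the user's groups)
	Overwrite     bool     // --overwrite
}

// ValidityWarning returns the warning the proposal asks for when days exceeds the recommended maximum, else "".
func ValidityWarning(days int) string {
	if days > RecommendedMaxValidityDays {
		return fmt.Sprintf("warning: validity period of %d days exceeds the recommended %d days", days, RecommendedMaxValidityDays)
	}
	return ""
}

// Issue generates a fresh P-256 key for tmpl and has parent/parentKey sign it.
// A nil parent yields a self-signed certificate, which is how a throwaway CA is made (hypothetical helper).
func Issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Random 128-bit serial so every issued certificate is distinguishable.
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// GenerateClientCert implements the proposed command: it signs a client certificate with the CA
// (which the pre-condition says already exists) and writes <name>-key.pem and <name>.pem into dir,
// refusing to clobber an existing certificate unless Overwrite is set.
func GenerateClientCert(dir string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, opts GenerateOptions) (*x509.Certificate, error) {
	certPath := filepath.Join(dir, opts.Name+".pem")
	keyPath := filepath.Join(dir, opts.Name+"-key.pem")
	if _, err := os.Stat(certPath); err == nil && !opts.Overwrite {
		return nil, fmt.Errorf("%s already exists; pass --overwrite to replace it", certPath)
	}
	if opts.CommonName == "" {
		opts.CommonName = opts.Name // --common-name defaults to <name>
	}
	if opts.ValidityDays == 0 {
		opts.ValidityDays = 365 // the proposal's default validity period
	}
	cert, key, err := Issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: opts.CommonName, Organization: opts.Organizations},
		DNSNames:    opts.SubjAltNames,
		NotBefore:   time.Now().Add(-time.Minute),                     // small allowance for clock skew
		NotAfter:    time.Now().AddDate(0, 0, opts.ValidityDays),      // expiry is relative to this machine's clock
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // client auth only; never usable as a server cert
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, err
	}
	// The private key is the credential itself: mode 0600 keeps it readable by the operator alone.
	if err := os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600); err != nil {
		return nil, err
	}
	if err := os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}), 0o644); err != nil {
		return nil, err
	}
	return cert, nil
}
```

For a local trial, calling `Issue` with an `IsCA: true` template and a nil parent produces a throwaway CA; in kismatic the CA would instead be read from the generated directory. Two details matter for review: the certificate carries only the client-auth extended key usage, so the cluster CA never signs something that could also be presented as a server certificate, and the `--organizations` values become the user's Kubernetes groups, so a value such as `system:masters` grants cluster-admin and deserves the same scrutiny as an RBAC binding.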
    38  
# Other considerations
* Ensure that our certificate validation code allows for custom SANs and organizations. I believe this is already the case, but we should verify.