Skip to content

Install using custom CA certificate#

k0s generates all needed certificates automatically in the <data-dir>/pki directory (/var/lib/k0s/pki, by default).

But sometimes there is a need to have the CA certificate in advance. To make it work, just put ca.key and ca.crt files to the <data-dir>/pki:

mkdir -p /var/lib/k0s/pki
cd /var/lib/k0s/pki
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt -subj "/CN=Custom CA"

Then you can install k0s as usual.

Pre-generated tokens#

It's possible to get join in advance without having a running cluster.

k0s token pre-shared --role worker --cert /var/lib/k0s/pki/ca.crt --url https://<controller-ip>:6443/

The command above generates a join token and a Secret. A Secret should be deployed to the cluster to authorize the token. For example, you can put the Secret under the manifest directory and it will be deployed automatically.