Merge pull request #1620 from dixudx/keystone-ca-cert

add doc for new flag experimental-keystone-ca-file
kubernetes · Nov 28, 2016 · c180ba1 · c180ba1
2 parents e6f9f1f + b8d8c1b
commit c180ba1
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/docs/admin/authentication.md b/docs/admin/authentication.md
@@ -367,6 +367,13 @@ option to the API server during startup. The plugin is implemented in
 `plugin/pkg/auth/authenticator/password/keystone/keystone.go` and currently uses
 basic auth to verify used by username and password.
 
+If you have configured self-signed certificates for the Keystone server,
+you may need to set the `--experimental-keystone-ca-file=SOMEFILE` option when
+starting the Kubernetes API server. If you set the option, the Keystone
+server's certificate is verified by one of the authorities in the
+`experimental-keystone-ca-file`. Otherwise, the certificate is verified by
+the host's root Certificate Authority.
+
 For details on how to use keystone to manage projects and users, refer to the
 [Keystone documentation](http://docs.openstack.org/developer/keystone/). Please
 note that this plugin is still experimental, under active development, and likely