
# Generating the certificate for oidc-proxy

## Use case

If the Kubernetes CA certificate cannot be obtained, a certificate for kube-oidc-proxy can be issued through the cluster's CertificateSigningRequest API as described below.

## Prerequisites

- OpenSSL tools
- Kubernetes cluster

## Steps

1. Save the following as `openssl.cnf`:

   ```ini
   [ req ]
   distinguished_name = dn

   [ dn ]
   CN = kube-oidc-proxy

   [ req_ext ]
   subjectAltName = @alt_names

   [ alt_names ]
   DNS.2 = kube-oidc-proxy
   DNS.3 = kube-oidc-proxy.addon-system
   DNS.4 = kube-oidc-proxy.addon-system.svc
   # IP.1 needs to be updated to your environment
   IP.1 = 172.22.99.227
   ```

2. Generate the private key of oidc-proxy:

   ```bash
   openssl genrsa -out server.key 2048
   ```

3. Generate `server.csr` for oidc-proxy (`-reqexts req_ext` is what puts the SANs from `openssl.cnf` into the request):

   ```bash
   openssl req -new \
     -sha256 \
     -key server.key \
     -subj "/CN=kube-oidc-proxy" \
     -reqexts req_ext \
     -config openssl.cnf \
     -out server.csr
   ```

4. Produce the base64 content of `server.csr` as a single line:

   ```bash
   cat server.csr | base64 | tr -d "\n"
   ```

5. Create a CertificateSigningRequest for oidc-proxy in the Kubernetes cluster.

   The `request` value must be replaced with the output generated in step 4:

   ```bash
   cat <<EOF | kubectl apply -f -
   apiVersion: certificates.k8s.io/v1
   kind: CertificateSigningRequest
   metadata:
     name: myuser
   spec:
     request: <replace with the content generated in step 4>
     signerName: kubernetes.io/kube-apiserver-client
     usages:
     - client auth
   EOF
   ```

6. Approve the CertificateSigningRequest:

   ```bash
   kubectl certificate approve myuser
   ```

7. Retrieve the certificate issued for oidc-proxy by the Kubernetes cluster:

   ```bash
   kubectl get csr myuser -oyaml | grep certificate: | awk '{print $2}' | base64 -d > ./server.cert
   ```

8. After the steps above you have `server.key` and `server.cert`; rename them as you wish. You can create the secret for oidc-proxy with:

   ```bash
   kubectl create secret
   ```
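The CSR steps above, as an added Go example that is not part of this page or of kube-oidc-proxy: it builds the same request with Go's `crypto/x509` instead of `openssl req` and then re-parses it to confirm that every SAN from `openssl.cnf` is present before the request is submitted and approved in steps 5 and 6. The function names are mine; the service IP is the page's placeholder value.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"net"
	"slices"
)

// SANs from the page's openssl.cnf; the IP is its "needs to be updated" placeholder.
var dnsNames = []string{"kube-oidc-proxy", "kube-oidc-proxy.addon-system", "kube-oidc-proxy.addon-system.svc"}
var serviceIP = net.ParseIP("172.22.99.227")
// makeCSR is steps 2-3: RSA 2048 key, CN=kube-oidc-proxy, req_ext SANs; returns the server.csr PEM.
func makeCSR() ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "kube-oidc-proxy"}, DNSNames: dnsNames, IPAddresses: []net.IP{serviceIP}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}
// missingSANs re-parses server.csr and lists expected SANs it lacks (a CSR built without -reqexts req_ext has none).
func missingSANs(csrPEM []byte) ([]string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil {
		return nil, fmt.Errorf("no PEM block in CSR")
	}
	req, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	var missing []string
	for _, d := range dnsNames {
		if !slices.Contains(req.DNSNames, d) {
			missing = append(missing, d)
		}
	}
	if !slices.ContainsFunc(req.IPAddresses, serviceIP.Equal) {
		missing = append(missing, serviceIP.String())
	}
	return missing, nil
}
```

Run the same kind of inspection on the issued `server.cert` (for example with `openssl x509 -in server.cert -noout -text`) to confirm which SANs and key usages the cluster signer actually granted.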