Generate the certificate for oidc-proxy
Use case:
If the Kubernetes CA certificate cannot be obtained, the kube-oidc-proxy certificate can be issued with the following procedure.
Prerequisites:
- OpenSSL tools
- Kubernetes cluster
Steps
1. Save the following as openssl.cnf (the IP.1 entry must be updated to the actual service IP of kube-oidc-proxy):
[ req ]
distinguished_name = dn
[ dn ]
CN = kube-oidc-proxy
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.2 = kube-oidc-proxy
DNS.3 = kube-oidc-proxy.addon-system
DNS.4 = kube-oidc-proxy.addon-system.svc
IP.1 = 172.22.99.227 # need update
2. Generate the private key of oidc-proxy:
openssl genrsa -out server.key 2048
3. Generate the server.csr of oidc-proxy (the `-reqexts req_ext` option is what places the SANs from openssl.cnf into the request):
openssl req -new \
  -sha256 \
  -key server.key \
  -subj "/CN=kube-oidc-proxy" \
  -reqexts req_ext \
  -config openssl.cnf \
  -out server.csr
4. Generate the base64 content of server.csr (a single line, no line breaks):
cat server.csr | base64 | tr -d "\n"
5. Create a CertificateSigningRequest in the Kubernetes cluster for oidc-proxy. Replace the `request` value with the output of step 4:
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: myuser
spec:
  request: <need replace by the content generated by step 4>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
6. Approve the CertificateSigningRequest:
kubectl certificate approve myuser
7. Get the certificate of oidc-proxy issued by the Kubernetes cluster (the signed certificate is stored base64-encoded in `.status.certificate` of the CSR object):
kubectl get csr myuser -o jsonpath='{.status.certificate}' | base64 -d > ./server.cert
8. After the steps above you have server.key and server.cert; you can rename them as you like. Create the secret for oidc-proxy with the following command, replacing `<secret-name>` with the secret name your oidc-proxy deployment expects:
kubectl create secret tls <secret-name> --cert=server.cert --key=server.key -n addon-system
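The steps above trust whatever comes back from the cluster without looking at it. The script below is an added example (it is not part of the original page or of the kube-oidc-proxy project) that wraps steps 1 to 4 in functions and adds the checks a practitioner wants before approving the CSR and after decoding the certificate: that the CSR really carries the intended SANs, that the returned certificate's public key matches server.key (so the wrong CSR was not approved), and what key usage and SANs the signer actually put into the certificate. The `kubernetes.io/kube-apiserver-client` signer honors the SANs from the request but only issues certificates with client authentication usage, so the printed Extended Key Usage is worth comparing against what kube-oidc-proxy is expected to present. The service IP, the `out/` directory and the function names are assumptions of this example; only `openssl` is required.

```shell
#!/usr/bin/env bash
# Added example, not code from the page: generate and verify the kube-oidc-proxy
# CSR/certificate material. Assumes openssl is installed. The default service IP
# 172.22.99.227 and the namespace addon-system are copied from the page's openssl.cnf
# and must be replaced with real values.
set -euo pipefail

# Write an openssl.cnf equivalent to the one on the page to $1; $2 overrides the service IP.
write_openssl_cnf() {
  local out=$1 svc_ip=${2:-172.22.99.227}
  cat > "$out" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
CN = kube-oidc-proxy
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kube-oidc-proxy
DNS.2 = kube-oidc-proxy.addon-system
DNS.3 = kube-oidc-proxy.addon-system.svc
IP.1 = ${svc_ip}
EOF
}

# Generate server.key and server.csr in directory $1 using config $2; print the CSR path.
make_csr() {
  local dir=$1 cnf=$2
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/server.key" -subj "/CN=kube-oidc-proxy" \
    -reqexts req_ext -config "$cnf" -out "$dir/server.csr"
  echo "$dir/server.csr"
}

# Read "openssl ... -text" output on stdin and print the value line of the X509v3
# extension named $1, one comma-separated item per line (e.g. "DNS:kube-oidc-proxy").
_ext() {
  awk -v name="X509v3 $1" 'index($0, name) { getline; gsub(/^[ \t]+/, ""); gsub(/[ \t]+$/, ""); gsub(/, /, "\n"); print }'
}

# SANs requested in a CSR: check these before approving the CSR in the cluster.
csr_sans() { openssl req -in "$1" -noout -text | _ext "Subject Alternative Name"; }

# Single-line base64 of a CSR, the form spec.request of the CertificateSigningRequest expects.
csr_b64() { base64 < "$1" | tr -d '\n'; }

# Extension value from an issued certificate, e.g. cert_ext server.cert "Extended Key Usage".
cert_ext() { openssl x509 -in "$1" -noout -text | _ext "$2"; }

# Return 0 only if the certificate's public key is the one derived from the private key.
cert_matches_key() {
  local cert=$1 key=$2
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Usage: ./oidc-proxy-cert.sh csr   -> writes out/server.key + out/server.csr, prints SANs and base64
#        ./oidc-proxy-cert.sh cert  -> checks out/server.cert against out/server.key, prints EKU and SANs
case "${1:-}" in
  csr)
    mkdir -p out
    write_openssl_cnf out/openssl.cnf
    csr=$(make_csr out out/openssl.cnf)
    echo "SANs in CSR:"; csr_sans "$csr"
    echo "spec.request value:"; csr_b64 "$csr"; echo
    ;;
  cert)
    cert_matches_key out/server.cert out/server.key && echo "server.cert matches server.key"
    echo "Extended Key Usage:"; cert_ext out/server.cert "Extended Key Usage"
    echo "SANs in certificate:"; cert_ext out/server.cert "Subject Alternative Name"
    ;;
esac
```

Run `csr` before step 5 and paste the printed base64 into `spec.request`; run `cert` after step 7. A key mismatch means the certificate was issued for a different request and must not be used, and a certificate whose SANs do not list the service names clients will use will fail TLS verification at the client regardless of who signed it.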