生成 oidc-proxy 的证书

使用场景：

如果无法获取到 Kubernetes 的 ca 证书，可以通过以下方式颁发 kube-oidc-proxy 的证书

前提条件：

OpenSSL tools Kubernetes cluster

具体步骤

save the openssl.cnf

[ req ] distinguished_name = dn [ dn ] CN = kube-oidc-proxy [ req_ext ] subjectAltName = @alt_names [ alt_names ] DNS.2 = kube-oidc-proxy DNS.3 = kube-oidc-proxy.addon-system DNS.4 = kube-oidc-proxy.addon-system.svc IP.1 = 172.22.99.227 # need update

generate the private key of oidc-proxy

openssl genrsa -out server.key 2048

generate the sever.csr of oidc-proxy

openssl req -new \
-sha256 \ -key server.key \ -subj "/CN=kube-oidc-proxy" \ -reqexts req_ext \ -config openssl.cnf \ -out server.csr

generate the base64 content of server.csr

cat server.csr | base64 | tr -d "\n"

create certificateSigningRequest in kubernetes cluster for oidc-proxy

the request value need to replace the output content generated by Step 4

cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: myuser
spec:
  request: <need replace by the content generated by step 4>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF

6 approval the certificatesigningRequest

kubectl certificate approve myuser

get the certifcate of oidc-proxy issuer by kubernetes cluster

kubectl get csr myuser -oyaml | grep certificate: | awk '{print $2}' |base64 -d > ./server.cert

after the step above, you get the server.key and server.cert and can rename the server.key and server.cert that you want. you can create secret for oidc-proxy by command:

kubectl create secret

生成 oidc-proxy 的证书

使用场景：​

前提条件：​

具体步骤​

使用场景：

前提条件：

具体步骤