backport of commit 8250fba0e6967a6f058d4f0960a9e748441e4d7c (#22454)

Co-authored-by: Artur Faizullin <arthur.fayzullin@gmail.com>
2023-08-18 16:48:30 -04:00 · 2023-08-18 16:48:30 -04:00 · d9a3586dea
parent 6f2d433394
commit d9a3586dea
1 changed files with 16 additions and 12 deletions
--- a/website/content/docs/platform/k8s/helm/examples/standalone-tls.mdx
+++ b/website/content/docs/platform/k8s/helm/examples/standalone-tls.mdx
@ -64,19 +64,20 @@ e is 65537 (0x10001)
      extendedKeyUsage = serverAuth
      subjectAltName = @alt_names
      [alt_names]
-      DNS.1 = ${SERVICE}
-      DNS.2 = ${SERVICE}.${NAMESPACE}
-      DNS.3 = ${SERVICE}.${NAMESPACE}.svc
-      DNS.4 = ${SERVICE}.${NAMESPACE}.svc.cluster.local
+      DNS.1 = *.${SERVICE}
+      DNS.2 = *.${SERVICE}.${NAMESPACE}
+      DNS.3 = *.${SERVICE}.${NAMESPACE}.svc
+      DNS.4 = *.${SERVICE}.${NAMESPACE}.svc.cluster.local
      IP.1 = 127.0.0.1
      EOF
      ```

   2. Create a CSR.

-      ```shell-session
-      $ openssl req -new -key ${TMPDIR}/vault.key \
-          -subj "/O=system:nodes/CN=system:node:${SERVICE}.${NAMESPACE}.svc" \
+      ```bash
+      openssl req -new \
+                  -key ${TMPDIR}/vault.key \
+                  -subj "/CN=system:node:${SERVICE}.${NAMESPACE}.svc;/O=system:nodes" \
                  -out ${TMPDIR}/server.csr \
                  -config ${TMPDIR}/csr.conf
      ```
@ -94,9 +95,10 @@ e is 65537 (0x10001)
      metadata:
        name: ${CSR_NAME}
      spec:
+        signerName: kubernetes.io/kubelet-serving
        groups:
        - system:authenticated
-        request: $(cat ${TMPDIR}/server.csr | base64 | tr -d '\r\n')
+        request: $(base64 ${TMPDIR}/server.csr | tr -d '\n')
        signerName: kubernetes.io/kubelet-serving
        usages:
        - digital signature
@ -148,8 +150,10 @@ e is 65537 (0x10001)

 3. Retrieve Kubernetes CA.

-   ```shell-session
-   $ kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}' | base64 -d > ${TMPDIR}/vault.ca
+   ```bash
+   kubectl get secret \
+     -o jsonpath="{.items[?(@.type==\"kubernetes.io/service-account-token\")].data['ca\.crt']}" \
+     | base64 --decode > ${TMPDIR}/vault.ca
   ```

 4. Create the namespace.