feat(k8s): update OIDC username claim and add self-signed issuer for Microsoft Entra ID

Signed-off-by: 孙振宇 <>
2025-01-13 17:48:40 +08:00 · 2025-01-13 17:48:40 +08:00 · cfa135eff5
commit cfa135eff5
parent bfc2577e0d
2 changed files with 24 additions and 2 deletions
--- a/cluster/ansible/manifests/group_vars/k8s_cluster/k8s-cluster.yml
+++ b/cluster/ansible/manifests/group_vars/k8s_cluster/k8s-cluster.yml
@ -49,8 +49,8 @@ kube_oidc_auth: true
 kube_oidc_url: https://login.microsoftonline.com/cf151ee8-5c2c-4fe7-a1c4-809ba43c9f24/v2.0
 kube_oidc_client_id: 7cd1df19-24ea-46d7-acd3-5336283139e0
 ## Optional settings for OIDC
-kube_oidc_ca_file: "{{ kube_cert_dir }}/ca.crt"
-kube_oidc_username_claim: sub
+# kube_oidc_ca_file: "{{ kube_cert_dir }}/ca.crt"
+kube_oidc_username_claim: upn
 kube_oidc_username_prefix: 'mathmast:'
 kube_oidc_groups_claim: roles
 kube_oidc_groups_prefix: 'mathmast:'
--- a/cluster/manifests/freeleaps-controls-system/cert-manager/microsoft-entra-id-selfsigned.yaml
+++ b/cluster/manifests/freeleaps-controls-system/cert-manager/microsoft-entra-id-selfsigned.yaml
@ -0,0 +1,22 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: microsoft-entra-id-selfsigned
+  namespace: freeleaps-controls-system
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: microsoft-entra-id-selfsigned
+  namespace: freeleaps-controls-system
+spec:
+  dnsNames:
+  - login.microsoftonline.com
+  - 4.155.160.32
+  secretName: microsoft-entra-id-selfsigned
+  issuerRef:
+    name: microsoft-entra-id-selfsigned
+    kind: Issuer
+    group: cert-manager.io