https://devopstales.github.io/kubernetes/k8s-pinniped/

[utterances-bot]

Kubernetes Single Sign-on with Pinniped OpenID Connect - devopstales

https://devopstales.github.io/kubernetes/k8s-pinniped/

[saashqdev]

This is exactly what I was looking for. Simple and just works. Question: I have a Letsencrypt wildcard cert. Can you clarify where/what exactly k8s.pem is? Is it the fullchain1.pen from LE or is it the cert from the K8s ~/.kube/config file? Cheers, Dave

[saashqdev]

Sorry, one more comment: When I try to gen the pinniped-kubeconfig file I get:
osboxes@osboxes:~/Downloads/hetzner/kc/kubeapps/pinniped$ pinniped-cli get kubeconfig --oidc-ca-bundle /home/osboxes/certs/cert1.pem --output pinniped-kubeconfig
Sat, 07 Dec 2024 20:42:34 EST features/envvar.go:172 Feature gate default state {"feature": "WatchListClient", "enabled": false}
Sat, 07 Dec 2024 20:42:34 EST features/envvar.go:172 Feature gate default state {"feature": "InformerResourceVersion", "enabled": false}
Sat, 07 Dec 2024 20:42:35 EST cmd/kubeconfig.go:612 discovered CredentialIssuer {"name": "pinniped-concierge-config"}
Sat, 07 Dec 2024 20:42:35 EST cmd/kubeconfig.go:482 found CredentialIssuer strategy {"type": "KubeClusterSigningCertificate", "status": "Error", "reason": "CouldNotFetchKey", "message": "could not find a healthy kube-controller-manager pod (0 candidates): note that this error is the expected behavior for some cluster types, including most cloud provider clusters (e.g. GKE, AKS, EKS)"}
Sat, 07 Dec 2024 20:42:35 EST cmd/kubeconfig.go:482 found CredentialIssuer strategy {"type": "ImpersonationProxy", "status": "Error", "reason": "Disabled", "message": "automatically determined that impersonation proxy should be disabled"}
Error: could not autodiscover --concierge-mode