From cfa135eff5deb7072345e45eb3a93300d48f4d85 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=8C=AF=E5=AE=87?= <>
Date: Mon, 13 Jan 2025 17:48:40 +0800
Subject: [PATCH] feat(k8s): update OIDC username claim and add self-signed issuer for Microsoft Entra ID
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: 孙振宇 <>
---
 .../group_vars/k8s_cluster/k8s-cluster.yml | 4 ++--
 .../microsoft-entra-id-selfsigned.yaml | 22 +++++++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 cluster/manifests/freeleaps-controls-system/cert-manager/microsoft-entra-id-selfsigned.yaml

diff --git a/cluster/ansible/manifests/group_vars/k8s_cluster/k8s-cluster.yml b/cluster/ansible/manifests/group_vars/k8s_cluster/k8s-cluster.yml
index 630b6135..968eae41 100644
--- a/cluster/ansible/manifests/group_vars/k8s_cluster/k8s-cluster.yml
+++ b/cluster/ansible/manifests/group_vars/k8s_cluster/k8s-cluster.yml
@@ -49,8 +49,8 @@ kube_oidc_auth: true
 kube_oidc_url: https://login.microsoftonline.com/cf151ee8-5c2c-4fe7-a1c4-809ba43c9f24/v2.0
 kube_oidc_client_id: 7cd1df19-24ea-46d7-acd3-5336283139e0
 ## Optional settings for OIDC
-kube_oidc_ca_file: "{{ kube_cert_dir }}/ca.crt"
-kube_oidc_username_claim: sub
+# kube_oidc_ca_file: "{{ kube_cert_dir }}/ca.crt"
+kube_oidc_username_claim: upn
 kube_oidc_username_prefix: 'mathmast:'
 kube_oidc_groups_claim: roles
 kube_oidc_groups_prefix: 'mathmast:'
diff --git a/cluster/manifests/freeleaps-controls-system/cert-manager/microsoft-entra-id-selfsigned.yaml b/cluster/manifests/freeleaps-controls-system/cert-manager/microsoft-entra-id-selfsigned.yaml
new file mode 100644
index 00000000..15b1201a
--- /dev/null
+++ b/cluster/manifests/freeleaps-controls-system/cert-manager/microsoft-entra-id-selfsigned.yaml
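Review bot: `upn` is a mutable identifier in Entra ID — it changes when a user is renamed and can be reassigned to a different person after the original account is deleted — so switching `kube_oidc_username_claim` from `sub` to `upn` lets every RBAC binding on a `mathmast:<upn>` subject silently transfer to a new principal; `oid` (or the previous `sub`) is the stable identifier. It is also an availability risk: the v2.0 endpoint in `kube_oidc_url` emits `preferred_username` by default, while `upn` is an optional claim that is absent for guest accounts and for app registrations that have not enabled it, and the apiserver rejects a token whose username claim is missing rather than falling back. Either revert to `kube_oidc_username_claim: sub` or use `kube_oidc_username_claim: oid` and note the reason in a comment. Commenting out `kube_oidc_ca_file` looks correct on its own — the cluster CA at `{{ kube_cert_dir }}/ca.crt` could never have validated login.microsoftonline.com, so the apiserver now uses the system trust store — but a comment such as `# no oidc-ca-file: the issuer is the public Entra ID endpoint, validated against the system CA bundle` would keep the next reader from re-enabling it.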
@@ -0,0 +1,22 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: microsoft-entra-id-selfsigned
+ namespace: freeleaps-controls-system
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: microsoft-entra-id-selfsigned
+ namespace: freeleaps-controls-system
+spec:
+ dnsNames:
+ - login.microsoftonline.com
+ - 4.155.160.32
+ secretName: microsoft-entra-id-selfsigned
+ issuerRef:
+ name: microsoft-entra-id-selfsigned
+ kind: Issuer
+ group: cert-manager.io
\ No newline at end of file
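Review bot: `4.155.160.32` is listed under `dnsNames`, so cert-manager will encode it as a DNS SAN rather than an IP SAN, and TLS clients that connect by address verify against IP SANs only and will reject the certificate; move it to its own key, `ipAddresses:` / `  - 4.155.160.32`. The larger concern is that this mints a self-signed certificate for `login.microsoftonline.com`, the Entra ID issuer host configured in `kube_oidc_url`: any component taught to trust this issuer (for example via an `oidc-ca-file`) would accept an in-cluster endpoint as the identity provider, which is precisely what the apiserver's TLS-protected discovery and JWKS fetch exists to prevent. The manifest does not say what terminates TLS with this secret — presumably an egress proxy or local mirror of the login endpoint, though nothing here shows that — so a header comment stating the purpose and naming the consumer of `microsoft-entra-id-selfsigned` is needed before this is trusted anywhere. Minor style: begin the file with `---` and end it with a newline.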