@protosam
Created July 20, 2021 23:37

Testing this on minikube with the Docker driver.

Made a private key and CSR.

$ openssl genrsa -out myuser.key 2048
Generating RSA private key, 2048 bit long modulus
...........................+++
.......+++
e is 65537 (0x10001)
$ openssl req -new -key myuser.key -out myuser.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:California
Locality Name (eg, city) []:Los Angeles
Organization Name (eg, company) []:Company Org
Organizational Unit Name (eg, section) []:Company Org Unit
Common Name (eg, fully qualified host name) []:*.cluster.local
Email Address []:bob@noreply.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
$ ls -lah
total 16
drwxr-xr-x   4 pilot  staff   128B Jul 20 18:31 .
drwxr-xr-x  43 pilot  staff   1.3K Jul 20 18:29 ..
-rw-r--r--   1 pilot  staff   1.1K Jul 20 18:31 myuser.csr
-rw-r--r--   1 pilot  staff   1.6K Jul 20 18:30 myuser.key

Now give the cluster my CSR. I'm using bash and being lazy with the spec.request value.

cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: myuser
spec:
  groups:
  - system:authenticated
  request: $(cat myuser.csr | base64 | tr -d "\n")
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
certificatesigningrequest.certificates.k8s.io/myuser created

Get the existing CSRs.

$ kubectl get csr
NAME        AGE     SIGNERNAME                                    REQUESTOR              CONDITION
csr-x2fms   7m10s   kubernetes.io/kube-apiserver-client-kubelet   system:node:minikube   Approved,Issued
myuser      19s     kubernetes.io/kube-apiserver-client           minikube-user          Pending

Approve myuser.

$ kubectl certificate approve myuser
certificatesigningrequest.certificates.k8s.io/myuser approved
$ kubectl get csr
NAME        AGE    SIGNERNAME                                    REQUESTOR              CONDITION
csr-x2fms   8m4s   kubernetes.io/kube-apiserver-client-kubelet   system:node:minikube   Approved,Issued
myuser      73s    kubernetes.io/kube-apiserver-client           minikube-user          Approved,Issued

Get the issued certificate.

$ kubectl get csr myuser -o jsonpath='{.status.certificate}'| base64 -d