From b6e493e4636dd32e850c23c82326795c061093dd Mon Sep 17 00:00:00 2001
From: Kelsey Hightower
Date: Tue, 8 Apr 2025 07:30:28 -0700
Subject: [PATCH] generate kube-apiserver server certificate
---
 ca.conf | 2 +-
 docs/08-bootstrapping-kubernetes-controllers.md | 3 ++-
 docs/10-configuring-kubectl.md | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/ca.conf b/ca.conf
index 8bfcaed..90e979e 100644
--- a/ca.conf
+++ b/ca.conf
@@ -174,7 +174,7 @@ req_extensions = kube-api-server_req_extensions
 basicConstraints = CA:FALSE
 extendedKeyUsage = clientAuth, serverAuth
 keyUsage = critical, digitalSignature, keyEncipherment
-nsCertType = client
+nsCertType = client, server
 nsComment = "Kube API Server Certificate"
 subjectAltName = @kube-api-server_alt_names
 subjectKeyIdentifier = hash
diff --git a/docs/08-bootstrapping-kubernetes-controllers.md b/docs/08-bootstrapping-kubernetes-controllers.md
index 28e5ca1..9840b5d 100644
--- a/docs/08-bootstrapping-kubernetes-controllers.md
+++ b/docs/08-bootstrapping-kubernetes-controllers.md
@@ -179,7 +179,8 @@ At this point the Kubernetes control plane is up and running. Run the following
 Make a HTTP request for the Kubernetes version info:
 ```bash
-curl -k https://server.kubernetes.local:6443/version
+curl --cacert ca.crt \
+ https://server.kubernetes.local:6443/version
 ```
 ```text
diff --git a/docs/10-configuring-kubectl.md b/docs/10-configuring-kubectl.md
index a81134c..26f0c5e 100644
--- a/docs/10-configuring-kubectl.md
+++ b/docs/10-configuring-kubectl.md
@@ -11,7 +11,7 @@ Each kubeconfig requires a Kubernetes API Server to connect to.
 You should be able to ping `server.kubernetes.local` based on the `/etc/hosts` DNS entry from a previous lab.
 ```bash
-curl -k \
+curl --cacert ca.crt \
 https://server.kubernetes.local:6443/version
 ```
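Review bot: In the ca.conf hunk, `nsCertType` is the obsolete Netscape extension and now has to be kept in step by hand with `extendedKeyUsage = clientAuth, serverAuth` two lines above it, so the two can drift apart again. OpenSSL-based verifiers reject a server certificate whose nsCertType is present but lacks the server bit, while Go's verifier ignores the extension, which is presumably why only the curl steps needed `-k` before this change. Either drop the `nsCertType` line and rely on `extendedKeyUsage` alone, or keep it with a comment such as `# must mirror extendedKeyUsage; OpenSSL rejects a server cert whose nsCertType lacks "server"`. The extensions section starts above the hunk and the rest of ca.conf is not visible here, so it is worth checking whether other certificate sections carry the same pairing.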