You can use the gen-certs-helper.sh script to generate the certificates. Run the script on the operator node and enter the options required for your environment.

The --cert-dir option sets the location where the certificates are to be saved.

The --nodes option must be set to the name of the Kubernetes service, as shown:

--nodes externalip-validation-webhook-service.externalip-validation-system.svc,externalip-validation-webhook-service.externalip-validation-system.svc.cluster.local

Use the --one-cert option to save the certificates for the two service names to a single file.

cd /etc/olcne
sudo ./gen-certs-helper.sh \
--cert-dir /etc/olcne/configs/certificates/restrict_external_ip/production/ \
--cert-request-organization-unit "My Company Unit" \
--cert-request-organization "My Company" \
--cert-request-locality "My Town" \
--cert-request-state "My State" \
--cert-request-country US \
--cert-request-common-name cloud.example.com \
--nodes externalip-validation-webhook-service.externalip-validation-system.svc,externalip-validation-webhook-service.externalip-validation-system.svc.cluster.local \
--one-cert

You can use the same CA certificate and private key you used to generate the Kubernetes node certificates by using the --byo-ca-cert and --byo-ca-key options. For example, add the following lines to the command:

--byo-ca-cert /path/configs/certificates/production/ca.cert \
--byo-ca-key /path/configs/certificates/production/ca.key

Make sure the permissions of the output directory where the certificates are located can be read by the user on the operator node that you intend to use use to run the olcnectl commands to install Kubernetes. In this example the opc user is to be used on the operator node, so ownership of the directory is set to the opc user:

sudo chown -R opc:opc /etc/olcne/configs/certificates/restrict_external_ip/