Microk8s：生成身份验证证书

我正在尝试为 microk8s 集群生成另一个 kubeconfig。为此，我选择了证书方法，并使用以下脚本生成证书、创建证书签名请求并填充 kubeconfig 文件..

rm -rf ./certs_dir || true
mkdir ./certs_dir
sleep 5

openssl genrsa -out ./certs_dir/$USER_NAME.key 2048
openssl req -new -key ./certs_dir/$USER_NAME.key -out ./certs_dir/$USER_NAME.csr -subj "/CN=$USER_NAME"

CERT_S_REQ="
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: user-$USER_NAME-csr
spec:
  groups:
  - system:authenticated
  request: $(cat $USER_NAME.csr | base64)
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 864000000
  usages:
  - digital signature
  - key encipherment
  - client auth
"
export KUBECONFIG=../output/$NAME-kubeconfig.yaml

echo -e "$CERT_S_REQ" > ./certs_dir/user_csr.yaml
kubectl apply -f ./certs_dir/user_csr.yaml


kubectl get csr

kubectl certificate approve user-$USER_NAME-csr
sleep 10
kubectl get csr user-$USER_NAME-csr -o jsonpath='{.status.certificate}'  | base64 -D > ./certs_dir/$USER_NAME.crt


kubectl create rolebinding user-$USER_NAME --clusterrole=cluster-admin --user=$USER_NAME
APISERVER=$(kubectl config view --raw -o 'jsonpath={..cluster.server}')
unset KUBECONFIG
kubectl config set-credentials "$USER_NAME" \
  --client-certificate="./certs_dir/$USER_NAME.crt" \
  --client-key="./certs_dir/$USER_NAME.key"  \
  --kubeconfig=../output/$USER_NAME.yaml \
  --embed-certs=true

kubectl config set-cluster $CLUSTER_NAME --server=$APISERVER --kubeconfig=../output/$USER_NAME.yaml
kubectl config set-context default --user=$USER_NAME --cluster=$CLUSTER_NAME --kubeconfig=../output/$USER_NAME.yaml
kubectl config use-context default --kubeconfig=../output/$USER_NAME.yaml

一切似乎都正常，但是当尝试使用带有嵌入式证书的新 kubeconfig 文件时，它不起作用，每当尝试执行 kubectl 命令时都会失败并出现以下错误

error: tls: private key does not match public key

我错过了什么吗？

我使用的是 MAC 操作系统，通过 multipass 运行 microk8s 集群。

microk8s 集群启用了以下功能：入口、存储、dns、rbac 以及仪表板安装：https://raw.githubusercontent.com/kubernetes/dashboard/v2.3.1/aio/deploy/recommended.yaml