Kubernetes doesn't create certificates

假如想象 posted on 2021-01-29 09:00:36

Question


I've created my certificate with cfssl, but when I generate my Kubernetes certificates with the file generated by cfssl, Kubernetes returns the following error:

Error from server (BadRequest): error when creating "certificado.yml": CertificateSigningRequest in version "v1beta1" cannot be handled as a CertificateSigningRequest: v1beta1.CertificateSigningRequest.Spec: v1beta1.CertificateSigningRequestSpec.Usages: []v1beta1.KeyUsage: Request: decode base64: illegal base64 data at input byte 3, error found in #10 byte of ...| -d '\\n'","usages":|..., bigger context ...|,"request":"cat server.csr | base64 | tr -d '\\n'","usages":["digital signature","key encipherment",|...

I've tried without $() in the request field but it returned the same error.

My certificate.yml:

apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: rasa-service.default
spec:
  groups:
  - system:authenticated
  request: $(cat server.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth

Answer 1:


The problem is the following line:

request: $(cat server.csr | base64 | tr -d '\n')

This line contains a Bash command substitution that shouldn't be there since kubectl cannot interpret bash code.

I suspect instead of executing the command of the example you followed, you copied the contents into a file.

Delete that file, run the cat command from the example and you will be fine, because the command will execute the substitution and fill the correct value in the request field.

The result should look something like this:

apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: rasa-service.default
spec:
  groups:
  - system:authenticated
  request: UlRGTQpSVEZNClJURk0KUlRGTQpSVEZNClJURk0KUlRGTQpSVEZNClJURk0KUlRGTQpSVEZNClJURk0=
  usages:
  - digital signature
  - key encipherment
  - server auth



Answer 2:


You can do it the following way:

cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: rasa-service.default
spec:
  groups:
  - system:authenticated
  request: $(cat server.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

This way it will not break. Otherwise, you need to place the hardcoded output of cat server.csr | base64 | tr -d '\n' into the YAML file.

EDIT:

I believe the CSR you generated has some issues. You can run the following three commands to check if you are able to create a CSR:

openssl genrsa -out admin.key 2048 
openssl req -new -key admin.key -out admin.csr -subj "/O=system:masters/CN=kubernetes-admin"


cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: admin_csr
spec:
  groups:
  - system:authenticated
  - system:masters
  request: $(cat admin.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF

Then check if admin_csr gets generated or not.

EDIT2:

I used the same guide you mentioned in the comment and I am able to generate the CSR:

[root@ip-10-**-**-** cerificates]# cat <<EOF | cfssl genkey - | cfssljson -bare server
> {
>   "hosts": [
>     "ba***ta.default.svc.cluster.local",
>     "ba***ta-57f6c65474-8rdhz.default.pod.cluster.local",
>     "10.**.86.73",
>     "192.**.13.10"
>   ],
>   "CN": "ba***ta-57f6c65474-8rdhz.default.pod.cluster.local",
>   "key": {
>     "algo": "ecdsa",
>     "size": 256
>   }
> }
> EOF
2018/12/05 12:00:11 [INFO] generate received request
2018/12/05 12:00:11 [INFO] received CSR
2018/12/05 12:00:11 [INFO] generating key: ecdsa-256
2018/12/05 12:00:12 [INFO] encoded CSR
[root@ip-10-**-**-** cerificates]# ls
server.csr  server-key.pem
[root@ip-10-0-1-99 cerificates]# cat <<EOF | kubectl create -f -
> apiVersion: certificates.k8s.io/v1beta1
> kind: CertificateSigningRequest
> metadata:
>   name: ba***ta.default
> spec:
>   groups:
>   - system:authenticated
>   request: $(cat server.csr | base64 | tr -d '\n')
>   usages:
>   - digital signature
>   - key encipherment
>   - server auth
> EOF
certificatesigningrequest.certificates.k8s.io "ba***ta.default" created
[root@ip-10-**-**-** cerificates]# kubectl get csr
NAME              AGE       REQUESTOR                               CONDITION
ba***ta.default   6s        kubernetes-admin                        Pending
csr-9dcz6         59m       system:node:ip-10-**-**-**.ec2.internal   Approved,Issued
[root@ip-10-0-1-99 cerificates]# 
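
Added example, not part of the original question or either answer: a shell sketch that renders the manifest with the substitution expanded by the shell (as in Answer 2) and lints a manifest file for the unexpanded `$(...)` that Answer 1 diagnoses. The helper names `render_csr_manifest` and `check_csr_manifest` and the exit codes are hypothetical, chosen for this illustration.

```shell
#!/usr/bin/env bash
# Added example: render the CSR manifest in the shell, then lint it before kubectl.

# Usage: render_csr_manifest NAME CSR_FILE
# The heredoc delimiter is unquoted, so the shell expands $(...) here and
# kubectl only ever receives the resulting base64 string.
render_csr_manifest() {
  [ -r "$2" ] || { echo "cannot read $2" >&2; return 1; }
  cat <<EOF
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  groups:
  - system:authenticated
  request: $(base64 < "$2" | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF
}

# Usage: check_csr_manifest MANIFEST_FILE
# Returns 0 only if spec.request is base64 that decodes to a PEM CSR.
check_csr_manifest() {
  csr_value=$(sed -n 's/^ *request: *//p' "$1" | head -n 1)
  case $csr_value in
    '')     echo "no request field" >&2; return 1 ;;
    *'$('*) echo "unexpanded command substitution in request" >&2; return 2 ;;
  esac
  printf '%s' "$csr_value" | base64 -d 2>/dev/null \
    | grep -q '^-----BEGIN CERTIFICATE REQUEST-----' \
    || { echo "request does not decode to a PEM CSR" >&2; return 3; }
}

# Demo on the literal line from the question (constructed file, no cluster needed).
demo=$(mktemp)
cat > "$demo" <<'EOF'
  request: $(cat server.csr | base64 | tr -d '\n')
EOF
check_csr_manifest "$demo" || echo "lint exit status: $?"
rm -f "$demo"
```

The manifest mirrors the page's `certificates.k8s.io/v1beta1` object; that API version was removed in Kubernetes 1.22, and `certificates.k8s.io/v1` additionally requires `spec.signerName`.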


Source: https://stackoverflow.com/questions/53616728/kubernetes-doesnt-create-certificates
