kube-ops-view
In-cluster setup not reading ca.crt?
So I've installed kube-ops-view with the helm chart with the default options. My understanding is it should try to use the in-cluster service account to talk to Kubernetes, right?
Well, I get an SSL error:
2017-04-20T08:48:27.498104048Z ERROR:kube_ops_view.update:Failed to query cluster 10-210-0-1:443 (https://10.210.0.1:443): SSLError (try 1, wait 5 seconds)
All of the other services that use in-cluster service accounts seem to be fine with the SSL cert, however. Should this just work? If not, what do I need to do to make this work?
Here is the ca.crt that is presented to the container:
/ # cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Tableflippers Anonymous, OU=Technical Operations, CN=Tableflippers Anonymous Global CA
Validity
Not Before: Nov 17 07:03:40 2016 GMT
Not After : Nov 16 07:03:40 2021 GMT
Subject: C=US, O=Tableflippers Anonymous, OU=Technical Operations, CN=Tableflippers Anonymous Infrastructure CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
E7:54:F8:72:09:58:CA:92:15:03:A7:FA:9D:F5:3A:E1:CA:19:67:C8
X509v3 Authority Key Identifier:
keyid:4D:36:AA:62:44:1A:E6:3D:29:5B:82:52:5F:6B:24:CA:9E:59:0F:6F
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Netscape Cert Type:
SSL CA, S/MIME CA
X509v3 CRL Distribution Points:
Full Name:
URI:http://pki.tblflp.zone/Tableflippers-Anonymous-Global-CA.crl
Authority Information Access:
CA Issuers - URI:http://pki.tblflp.zone/Tableflippers-Anonymous-Global-CA.crt
Signature Algorithm: sha256WithRSAEncryption
And the cert on the master:
$ openssl s_client -connect k8s-master.tblflp.zone:443 < /dev/null | openssl x509 -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Tableflippers Anonymous, OU=Technical Operations, CN=Tableflippers Anonymous Infrastructure CA
Validity
Not Before: Mar 30 18:23:23 2017 GMT
Not After : Mar 29 18:23:23 2022 GMT
Subject: C=US, O=Tableflippers Anonymous, OU=Technical Operations, CN=k8s-m01.tblflp.zone
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 CRL Distribution Points:
Full Name:
URI:http://pki.tblflp.zone/Tableflippers-Anonymous-Infrastructure-CA.crl
Authority Information Access:
CA Issuers - URI:http://pki.tblflp.zone/Tableflippers-Anonymous-Infrastructure-CA.crt
X509v3 Subject Alternative Name:
DNS:k8s-m01.tblflp.zone, DNS:k8s-master.tblflp.zone, IP Address:10.210.0.1, IP Address:167.114.0.134
Signature Algorithm: sha256WithRSAEncryption
Yes, it should just work. The ca.crt file is read automatically. I will check later.
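An added example (not part of the original thread and not kube-ops-view code): a Python check over the Issuer, Subject and SAN lines from the two dumps in the issue, showing how the mounted ca.crt relates to the API server certificate. The function names are hypothetical, the comparison is by name only (no signature verification), and wildcard DNS SANs are not handled.

```python
import ipaddress
import re

# Issuer/Subject/SAN lines copied from the two `openssl x509 -text` dumps in
# the issue; key and signature bytes are not needed for these checks.
CA_CRT_TEXT = """\
Issuer: C=US, O=Tableflippers Anonymous, OU=Technical Operations, CN=Tableflippers Anonymous Global CA
Subject: C=US, O=Tableflippers Anonymous, OU=Technical Operations, CN=Tableflippers Anonymous Infrastructure CA
"""
SERVER_CRT_TEXT = """\
Issuer: C=US, O=Tableflippers Anonymous, OU=Technical Operations, CN=Tableflippers Anonymous Infrastructure CA
Subject: C=US, O=Tableflippers Anonymous, OU=Technical Operations, CN=k8s-m01.tblflp.zone
X509v3 Subject Alternative Name:
DNS:k8s-m01.tblflp.zone, DNS:k8s-master.tblflp.zone, IP Address:10.210.0.1, IP Address:167.114.0.134
"""

def parse_cert_text(text):
    """Pull issuer, subject and SAN entries out of `openssl x509 -text` output."""
    def field(name):
        m = re.search(rf"^\s*{name}:\s*(.+)$", text, re.MULTILINE)
        return m.group(1).strip() if m else None
    san = re.search(r"Subject Alternative Name:\s*(.+)", text)
    sans = [s.strip() for s in san.group(1).split(",")] if san else []
    return {"issuer": field("Issuer"), "subject": field("Subject"), "sans": sans}

def san_matches(sans, target):
    """Exact match of an IP or DNS name against SAN entries (no wildcard support)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for entry in sans:
        kind, _, value = entry.partition(":")
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and value.lower() == target.lower():
            return True
    return False

def diagnose(anchor_text, leaf_text, target):
    """Compare a trust-anchor dump with a server-certificate dump for one target."""
    anchor, leaf = parse_cert_text(anchor_text), parse_cert_text(leaf_text)
    return {
        "leaf_issued_by_anchor": leaf["issuer"] == anchor["subject"],
        "anchor_is_self_signed": anchor["issuer"] == anchor["subject"],
        "target_in_san": san_matches(leaf["sans"], target),
    }

if __name__ == "__main__":
    print(diagnose(CA_CRT_TEXT, SERVER_CRT_TEXT, "10.210.0.1"))
```

For the posted certificates, the server certificate names the ca.crt subject as its issuer and 10.210.0.1 is in its SANs, but ca.crt is itself issued by the Global CA rather than self-signed. OpenSSL's default chain building does not accept a non-self-signed certificate as a trust anchor unless partial-chain verification is enabled, which is one thing to check for an error like the one reported.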