kubeletctl
tls: failed to find any PEM data in certificate input
tls: failed to find any PEM data in certificate input
this is all I get back... my KUBECONFIG is properly set, I daily work with it switching between several configurations
seems the kubeletctl is not handling this yaml section properly
clusters:
- cluster:
    certificate-authority-data: xyz
Hi, thank you for reporting. I will try to reproduce it and check.
Meanwhile, does it work if you run it with the certificate file as arguments? like that:
kubeletctl.exe pods -s <node_ip> --cacert /etc/kubernetes/pki/ca.crt --cert /var/lib/kubelet/pki/kubelet-client-current.pem --key /var/lib/kubelet/pki/kubelet-client-current.pem
Are you using a cloud deployment such as AKE, EKS, etc., or something else?
What are the authentication and authorization settings in the kubelet config file (/var/lib/kubelet/config.yaml) inside the target node? I am interested in these fields (an example):
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
...
authorization:
  mode: Webhook
@zeph any update?
getting the same issue
export KUBECONFIG=~/.kube/config
[*] Using KUBECONFIG environment variable
[*] You can ignore it by modifying the KUBECONFIG environment variable, file "~/.kube/config" or use the "-i" switch
2021/02/24 18:30:23 tls: failed to find any PEM data in certificate input
same here
[*] Using KUBECONFIG environment variable
[*] You can ignore it by modifying the KUBECONFIG environment variable, file "~/.kube/config" or use the "-i" switch
2021/10/28 15:13:34 tls: failed to find any PEM data in certificate input
@zeph any update?
I didn't step into this in a long time, sorry... I have nothing to add (but seems some other folks are stepping into it)
this tool is unable to read certificate-authority-data from Kubeconfig
kubeletctl
[*] Using KUBECONFIG environment variable
[*] You can ignore it by modifying the KUBECONFIG environment variable, file "~/.kube/config" or use the "-i" switch
2022/05/10 03:22:05 tls: failed to find any PEM data in certificate input
Hi everyone,
We did a number of tests from two machines and it worked for us.
We noticed that kubeletctl knows how to read PEM fields; the problem is caused by a bad PEM inside the config file.
Do you use the following fields?
- certificate-authority-data
- client-certificate-data
- client-key-data
If yes, these fields should be in base64. It also shouldn't have multiple rows, the base64 should be in one row.
Can you please share with us an example of how it appears in your config file? No need to share private data, you can blur most of it, we just want to understand.
We were able to reproduce it by using wrong data inside the field client-ceritficate-data.
For example:
client-ceritficate-data: MIIDCjCCAfKg...zraDpdn4jg=
You can get it by running:
cat /root/.minikube/ca.crt
Fix it to be one line and add it to client-ceritficate-data, inside the config file.
I explained it to someone else in #8 who experienced a similar issue:
The certificate-authority-data, client-certificate-data and client-key-data should be in base64:
Another way with a misconfigured config file:
root@manager1:/home/cyber# ./kubeletctl_linux_amd64 pods
[*] Using KUBECONFIG environment variable
[*] You can ignore it by modifying the KUBECONFIG environment variable, file "~/.kube/config" or use the "-i" switch
2022/09/12 06:23:01 tls: failed to find any PEM data in certificate input
root@manager1:/home/cyber# cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    extensions:
    - extension:
        last-update: Mon, 05 Sep 2022 12:55:19 UTC
        provider: minikube.sigs.k8s.io
        version: v1.26.1
      name: cluster_info
    server: https://192.168.49.2:8443
  name: minikube
contexts:
- context:
    cluster: minikube
    extensions:
    - extension:
        last-update: Mon, 05 Sep 2022 12:55:19 UTC
        provider: minikube.sigs.k8s.io
        version: v1.26.1
      name: context_info
    namespace: default
    user: minikube
  name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
  user:
root@manager1:/home/cyber#
sorry @g3rzi ...I can't recall how and if I circumvented this... I had a specific use case in which I had to be sure I had only one configuration in there and not several as I normally do, composing the env variable KUBE_CONFIG ... I'll close it, unless someone else can provide you more info (I guess they can reopen it)
thanks for the effort spent looking into it, I feel guilty I can't provide more info
Thanks, sorry for the delay. I will keep watching for someone having the same issue. From our checks from different computers it seems a wrong config file but maybe we are missing something.
Running into same issue, I am on EKS. Structure of ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJTRIMMEDGSUNBVEUtLS0tLQo=
    server: https://TRIMMED.eks.amazonaws.com
  name: arn:aws:eks:TRIMMED:cluster/TRIMMED-cluster
contexts:
- context:
    cluster: arn:aws:eks: TRIMMED:cluster/TRIMMED-cluster
    user: arn:aws:eks: TRIMMED:cluster/TRIMMED-cluster
  name: arn:aws:eks: TRIMMED:cluster/TRIMMED-cluster
current-context: arn:aws:eks: TRIMMED:cluster/TRIMMED-cluster
kind: Config
preferences: {}
users:
- name: arn:aws:eks: TRIMMED:cluster/TRIMMED-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - TRIMMED
      - eks
      - get-token
      - --cluster-name
      - TRIMMED-cluster
      command: aws
      env:
      - name: AWS_PROFILE
        value: my-profile
@karthikeayan thanks, I suppose you removed some of the data because of publishing it here, right?
certificate-authority-data: LS0tLS1CRUdJTiBDRVJTRIMMEDGSUNBVEUtLS0tLQo=
If yes, can you make sure it is in one line?
@g3rzi you are right. I removed it to reduce noise. Yes, it is one line. I read your comments above and I don't think I have any issues with certificate-authority-data.
OK, interesting. We were able to reproduce it on EKS, we are working on it, thank you.
Quick update, the problem is because we are not supporting:
- name: arn:aws:eks: TRIMMED:cluster/TRIMMED-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - TRIMMED
      - eks
      - get-token
      - --cluster-name
      - TRIMMED-cluster
      command: aws
We are working to support the execution of aws to get the token for EKS.
Btw, by using the kubiscan-sa service account it will work:
--cacert ca.crt -s <node_ip> --token eyJhbG... pods
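
Added example (not kubeletctl's code and not posted by anyone in this thread): a Go program that classifies the value of a kubeconfig `*-data` field and returns the error text Go's `tls.X509KeyPair` gives for it, which is where the message "tls: failed to find any PEM data in certificate input" comes from in the standard library. That kubeletctl passes these fields to `tls.X509KeyPair` is an assumption; `sampleDER`, `samplePEM`, `b64`, `diagnose` and `keyPairError` are hypothetical names and the sample bytes are constructed.

```go
package main

import (
	"crypto/tls"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"strings"
)

// Constructed sample bytes, not a real certificate: bare DER and the same bytes in PEM armor.
var sampleDER = []byte{0x30, 0x03, 0x02, 0x01, 0x01}
var samplePEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: sampleDER})

// b64 encodes bytes as one-row base64, the form the *-data fields store.
func b64(b []byte) string { return base64.StdEncoding.EncodeToString(b) }

// diagnose classifies the value of a kubeconfig *-data field.
func diagnose(v string) string {
	switch {
	case strings.TrimSpace(v) == "":
		return "empty" // e.g. a user entry that only has exec:
	case strings.HasPrefix(v, "-----BEGIN"):
		return "raw-pem" // PEM pasted without base64 encoding
	case strings.ContainsAny(v, " \t\r\n"):
		return "wrapped" // base64 split over several rows
	}
	raw, err := base64.StdEncoding.DecodeString(v)
	if err != nil {
		return "not-base64"
	}
	if blk, _ := pem.Decode(raw); blk == nil {
		return "no-pem" // valid base64, but no PEM block inside
	}
	return "ok"
}

// keyPairError returns the error text of tls.X509KeyPair for the decoded fields.
func keyPairError(certB64, keyB64 string) string {
	cert, _ := base64.StdEncoding.DecodeString(certB64)
	key, _ := base64.StdEncoding.DecodeString(keyB64)
	_, err := tls.X509KeyPair(cert, key)
	return fmt.Sprint(err)
}

func main() {
	for _, v := range []string{"", b64(sampleDER), b64(samplePEM)} {
		fmt.Printf("%-8s %s\n", diagnose(v), keyPairError(v, ""))
	}
}
```

A user entry that only carries `exec:`, as in the EKS config above, has no client-certificate-data, so it lands in the "empty" case.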