certificate-init-container
getting empty tls.crt
Context: Kubernetes 1.6.0, MongoDB stateful set with certificate-init-container
Problem: after approving the CSR request and a successful exit of the init container, the mongo pod has mounted the tls directory, in which a valid key file appears to be present, but the corresponding crt file appears to be empty.
here is the result of executing commands in that container:
Leifs-MacBook-Pro:devops leif$ kubectl --namespace=www exec mongo-0 --container mongo ls /etc/tls
tls.crt
tls.csr
tls.key
Leifs-MacBook-Pro:devops leif$ kubectl --namespace=www exec mongo-0 --container mongo cat /etc/tls/tls.crt
Leifs-MacBook-Pro:devops leif$ kubectl --namespace=www exec mongo-0 --container mongo cat /etc/tls/tls.key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
Happy to provide more context or the associated YAML files.
OK, logging the result of csr.GetStatus() returns with no value for Certificate:
conditions:< type:"Approved" reason:"KubectlApprove" message:"This CSR was approved by kubectl certificate approve." lastUpdateTime:<seconds:1491870347 nanos:0 >
I'll assume that part of the API is a stub for now then, or something else is up. I'm not a Go programmer or experienced with the Go Kubernetes API, so I'm a bit out of my depth . . . just very excited about the possibility of automatic TLS from the cluster CA ;)
I hope that info helps, source here:
https://github.com/1e1f/certificate-init-container/blob/master/main.go
@1e1f I just had a similar issue, so hopefully the root cause is the same. If you're testing locally with minikube, you'll need to start the minikube cluster with extra config options to enable the certificates controller. Without these options, the minikube cluster cannot sign CSRs, and therefore, will not populate the certificate field.
This is currently an open issue in minikube. I resolved it by starting my cluster with the following command:
minikube start --kubernetes-version=v1.7.0 \
--extra-config=controller-manager.ClusterSigningCertFile="/var/lib/localkube/certs/ca.crt" \
--extra-config=controller-manager.ClusterSigningKeyFile="/var/lib/localkube/certs/ca.key"
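The state reported in this thread (an "Approved" condition with an empty Certificate field) can be caught before anything is written to tls.crt. The following Go code is an added example, not code from certificate-init-container or the Kubernetes client; `CSRStatus`, `CertificateFromStatus` and the error variables are hypothetical names, and the struct only mirrors the two fields visible in the logged status.

```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// CSRStatus is a hypothetical mirror of the fields in the logged csr.GetStatus() output, not the real client type.
type CSRStatus struct {
	Conditions  []string // condition types, e.g. "Approved" or "Denied"
	Certificate []byte   // PEM data; filled in by the cluster signer, not by approval
}

var (
	ErrPending   = errors.New("csr not approved yet: keep polling")
	ErrDenied    = errors.New("csr denied: fail the init container")
	ErrNotIssued = errors.New("csr approved but certificate empty: no signer has issued it")
)

// CertificateFromStatus returns PEM that is safe to write to tls.crt, or an error saying why not.
func CertificateFromStatus(s CSRStatus) ([]byte, error) {
	approved := false
	for _, c := range s.Conditions {
		if c == "Denied" {
			return nil, ErrDenied
		}
		approved = approved || c == "Approved"
	}
	if !approved {
		return nil, ErrPending
	}
	if len(s.Certificate) == 0 {
		return nil, ErrNotIssued // the case in this issue: approval alone issues nothing
	}
	block, _ := pem.Decode(s.Certificate)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("status.certificate is not a PEM CERTIFICATE block")
	}
	if _, err := x509.ParseCertificate(block.Bytes); err != nil {
		return nil, fmt.Errorf("status.certificate does not parse as X.509: %w", err)
	}
	return s.Certificate, nil
}

func main() { // constructed input matching the issue: Approved, no certificate
	fmt.Println(CertificateFromStatus(CSRStatus{Conditions: []string{"Approved"}}))
}
```

An init container that treats `ErrNotIssued` as retry-until-timeout, then exits non-zero, keeps the pod from starting with an empty tls.crt.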