
external CA validations hardcode values of `kubelet-client-key` and `kubelet-client-certificate` incorrectly

Open rohitagarwal003 opened this issue 2 years ago • 1 comments

What keywords did you search in kubeadm issues before filing this one?

"apiserver-kubelet-client.key" "invalid or incomplete external CA"

Is this a BUG REPORT or FEATURE REQUEST?

BUG REPORT

Versions

kubeadm version (use kubeadm version): v1.23.6

Environment:

  • Kubernetes version (use kubectl version): v1.23.6
  • Cloud provider or hardware configuration: AWS EC2 c6i
  • OS (e.g. from /etc/os-release): Amazon Linux 2
  • Others: Using an external CA (i.e. no ca.key in /etc/kubernetes/pki)

What happened?

Got the following error while running kubeadm init phase kubelet-start --config=/path/to/kubeadm.conf

invalid or incomplete external CA: failure loading key for apiserver-kubelet-client: couldn't load the private key file /etc/kubernetes/pki/apiserver-kubelet-client.key: open /etc/kubernetes/pki/apiserver-kubelet-client.key: no such file or directory

What you expected to happen?

Didn't expect this error to happen, because our kubeadm config has:

...
kind: ClusterConfiguration
apiServer:
  extraArgs:
    kubelet-client-certificate: /etc/kubernetes/pki/apiserver.crt
    kubelet-client-key: /etc/kubernetes/pki/apiserver.key
...

So, kubeadm shouldn't be expecting apiserver-kubelet-client.key. Instead it should use the value of --kubelet-client-key flag that we are passing to the API server.

How to reproduce it (as minimally and precisely as possible)?

  1. Use an external CA (i.e. no ca.key in /etc/kubernetes/pki).
  2. Have a custom value for the --kubelet-client-key and --kubelet-client-certificate flags (and so don't have the apiserver-kubelet-client.key file present in /etc/kubernetes/pki).
  3. Run kubeadm init phase kubelet-start --config=/path/to/kubeadm.conf

Anything else we need to know?

https://github.com/kubernetes/kubernetes/blob/v1.23.6/cmd/kubeadm/app/phases/certs/certs.go#L356 is hardcoding APIServerKubeletClientCertAndKeyBaseName. It should instead use the value of apiServer.extraArgs.kubelet-client-key and apiServer.extraArgs.kubelet-client-certificate.

rohitagarwal003 avatar Aug 03 '22 06:08 rohitagarwal003

> So, kubeadm shouldn't be expecting apiserver-kubelet-client.key. Instead it should use the value of --kubelet-client-key flag that we are passing to the API server.

extraArgs are passed to a component and not inspected by kubeadm for further use. using extraArgs like that has been established as a pattern which is not easy to maintain. for version component config the story is different but not for flags.

i think this is a 'won't fix' status.

> so don't have the apiserver-kubelet-client.key file present

even for external ca you should try complying with the required file paths.

neolit123 avatar Aug 03 '22 08:08 neolit123
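A preflight check for the situation the maintainer describes above, added here as an example and not code from kubeadm or from this issue: it lists which of the cert/key files kubeadm's external-CA validation expects are missing from a pki directory, so the "invalid or incomplete external CA" error can be caught before `kubeadm init` runs. It assumes the default file names under /etc/kubernetes/pki (etcd certificates are left out), and the directory path is passed as an argument rather than hardcoded.

```shell
#!/bin/sh
# Added example, not kubeadm's own code. File names assume kubeadm's default
# layout under /etc/kubernetes/pki; this is the set validated when ca.key is
# absent (external CA mode). extraArgs such as kubelet-client-key do NOT
# redirect this check, which is the point of the issue above.
REQUIRED_EXTERNAL_CA_FILES="ca.crt \
apiserver.crt apiserver.key \
apiserver-kubelet-client.crt apiserver-kubelet-client.key \
front-proxy-ca.crt front-proxy-client.crt front-proxy-client.key \
sa.key sa.pub"

# Returns 0 when the directory is in external CA mode (ca.crt present, ca.key absent).
pki_external_ca_mode() {
  pki_dir="$1"
  [ -f "$pki_dir/ca.crt" ] && [ ! -f "$pki_dir/ca.key" ]
}

# Prints the basenames of required files missing from the directory, one per line.
# Returns 0 if nothing is missing, 1 otherwise.
external_ca_missing_files() {
  pki_dir="$1"
  missing=""
  for f in $REQUIRED_EXTERNAL_CA_FILES; do
    [ -f "$pki_dir/$f" ] || missing="$missing $f"
  done
  [ -z "$missing" ] && return 0
  for f in $missing; do
    printf '%s\n' "$f"
  done
  return 1
}

# Stand-alone usage: ./check.sh /etc/kubernetes/pki
if [ -n "$1" ]; then
  if ! pki_external_ca_mode "$1"; then
    echo "not in external CA mode (ca.crt missing or ca.key present): $1"
    exit 2
  fi
  if external_ca_missing_files "$1"; then
    echo "external CA layout complete: $1"
  else
    echo "kubeadm will reject this external CA layout; files above are missing"
    exit 1
  fi
fi
```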

> i think this is a 'won't fix' status.

closing, please add more comments if needed.

neolit123 avatar Aug 25 '22 09:08 neolit123