GoogleCloudPlatform / flink-on-k8s-operator

[DEPRECATED] Kubernetes operator for managing the lifecycle of Apache Flink and Beam applications.
Apache License 2.0

x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0 #390

Closed nice1517 closed 3 years ago

nice1517 commented 3 years ago

When I perform kubectl apply -f config/samples/flinkoperator_v1beta1_flinksessioncluster.yaml, an error is returned as follows:

    Error from server (InternalError): error when creating "config/samples/flinkoperator_v1beta1_flinksessioncluster.yaml": Internal error occurred: failed calling webhook "mflinkcluster.flinkoperator.k8s.io": Post "https://flink-operator-webhook-service.flink-operator-system.svc:443/mutate-flinkoperator-k8s-io-v1beta1-flinkcluster?timeout=30s": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

nice1517 commented 3 years ago

Problems caused by version conflicts

I currently use K8s version 1.19; the Go language version for this release is 1.15, so in fact there is a vulnerability. After finally changing to K8s 1.18, it operates normally.

schmichri commented 3 years ago

Downgrading is not an option. Is there any progress in the >=1.18 support?

schmichri commented 3 years ago

A workaround for this bullshit is the following: add an environment variable to your >=1.19 kube-api-server inside the file /etc/kubernetes/manifests/kube-apiserver.yaml:

    name: kube-apiserver
    # workaround here to support the crappy flink-operator webhook
    env:
    - name: GODEBUG
      value: "x509ignoreCN=0"

    readinessProbe:

nice1517 commented 3 years ago

> A workaround for this bullshit is the following: add an environment variable to your >=1.19 kube-api-server inside the file /etc/kubernetes/manifests/kube-apiserver.yaml:
>
>     name: kube-apiserver
>     # workaround here to support the crappy flink-operator webhook
>     env:
>     - name: GODEBUG
>       value: "x509ignoreCN=0"
>
>     readinessProbe:

Thank you very much, it worked.

schmichri commented 3 years ago

Why do you close this issue? This workaround is no solution, rather it is leaving the seatbelt off. The generation of the certificate has to be adjusted. Please reopen.

yan234280533 commented 3 years ago

@schmichri I think it should be reopened too.

pashtet04 commented 3 years ago

Is it a blocker if I have a managed Kubernetes cluster and can't configure GODEBUG in the kube-apiserver manifest? Do I need to fix the cert generation script?