Goyoo / node-k8s-client

kubernetes client of node.js
MIT License

[Question] Authenticating Kubernetes API(NodeJS) client using certificate not successful #29

Closed lakshmantgld closed 7 years ago

lakshmantgld commented 7 years ago

I know this issue is not related to the repo. I am just posting it as a question. To start with, thanks for the amazing repo.

I have deployed a Kubernetes cluster in Google Cloud and am trying to access it using your Kubernetes client.

To do so, we need to authenticate with the cluster. I tried using just the Username and Password method. I get the following error:

{ [Error: unable to verify the first certificate] code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }

Then I tried the authentication using the CAcert, ClientCert and ClientKey. I basically hardcoded the keys instead of importing them from the files. I am calling this API from a Lambda function, where I can't store the certs in files. Doing so, I get the below error:

[Error: error:0906D06C:PEM routines:PEM_read_bio:no start line]

I specified my keys like this:

var kubeapi = K8s.api({
  "endpoint": "https://35.187.203.114",
  "version": "/api/v1",
  "auth": {
    "caCert": "LST****KIU",
    "clientCert": "LST****KIU",
    "clientKey": "LST****KIU"
  }
});

My intuition is that authentication is possible only with keys. But I think I am doing something wrong with the certs. Do I need to create some other certificates out of this, or is the method of using the certs wrong?

mmoonn2 commented 7 years ago

Here's an example: node-k8s-client/test/kubeapi.js

var fs = require('fs');
var K8s = require('k8s'); // npm package name of node-k8s-client

// Each file is PEM text; readFileSync(...).toString() passes it through unchanged.
var kubeapi = K8s.api({
    endpoint: 'https://192.168.99.100:8443',
    version: '/api/v1',
    auth: {
        clientCert: fs.readFileSync(`${process.env.HOME}/.minikube/apiserver.crt`).toString(),
        clientKey: fs.readFileSync(`${process.env.HOME}/.minikube/apiserver.key`).toString(),
        caCert: fs.readFileSync(`${process.env.HOME}/.minikube/ca.crt`).toString()
    }
})

lakshmantgld commented 7 years ago

Thank you junjun for your quick response. Since I am not importing the certs from files, I used Buffer.from(clientCert, 'base64'). This works and thank you for giving us an amazing NodeJS kubernetes client.
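What the fix in the comment above amounts to, as an added example that is not part of the thread or of node-k8s-client: values copied from a kubeconfig's `*-data` fields are base64-encoded PEM, so passing them straight into `auth` produces the `no start line` error, and they have to be decoded first. The `K8S_*` environment variable names, the helper names and the sample value are constructed for illustration.

```javascript
// Added example. Only Node globals are used (Buffer), so no imports are needed.
// A PEM block: BEGIN line, base64 body, matching END line.
const PEM_RE = /^-----BEGIN ([A-Z0-9 ]+)-----\r?\n[A-Za-z0-9+/=\r\n]+-----END \1-----\s*$/;

// Accepts raw PEM, PEM with literal "\n" escapes (common in env vars and JSON),
// or base64-encoded PEM (kubeconfig *-data fields). Returns PEM text.
function toPem(value, name) {
  if (typeof value !== 'string' || value.trim() === '') {
    throw new Error(`${name}: credential is missing`);
  }
  let text = value.trim().replace(/\\n/g, '\n');
  if (!text.startsWith('-----BEGIN ')) {
    // Not PEM yet: treat it as base64 of a PEM document.
    text = Buffer.from(text, 'base64').toString('utf8').trim();
  }
  if (!PEM_RE.test(text)) {
    // Name the field only; never echo key material into logs.
    throw new Error(`${name}: value is not PEM, even after base64 decoding`);
  }
  return text + '\n';
}

// Builds the `auth` object in the shape used on this page
// (caCert / clientCert / clientKey) from a map of environment variables.
function buildAuth(env) {
  return {
    caCert: toPem(env.K8S_CA_DATA, 'K8S_CA_DATA'),
    clientCert: toPem(env.K8S_CLIENT_CERT_DATA, 'K8S_CLIENT_CERT_DATA'),
    clientKey: toPem(env.K8S_CLIENT_KEY_DATA, 'K8S_CLIENT_KEY_DATA')
  };
}

// Constructed sample: a PEM-shaped placeholder, not a real certificate or key.
const SAMPLE_PEM =
  '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----';
const sampleEnv = {
  K8S_CA_DATA: Buffer.from(SAMPLE_PEM).toString('base64'), // kubeconfig style
  K8S_CLIENT_CERT_DATA: SAMPLE_PEM.replace(/\n/g, '\\n'),  // escaped newlines
  K8S_CLIENT_KEY_DATA: SAMPLE_PEM                          // already PEM
};
console.log(Object.keys(buildAuth(sampleEnv)).join(', '));
```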

Overdrivr commented 7 years ago

@junjun16818 Any idea why the user/password authentication method fails to work with k8s.api? I'm encountering the same issue; however, with k8s.kubectl authentication is fine.

lakshmantgld commented 7 years ago

@Overdrivr I think it is due to StrictSSL. Anyway, the long answer to it is here: http://stackoverflow.com/questions/43486804/authenticating-kubernetes-apinodejs-client-using-certificate-not-successful

Overdrivr commented 7 years ago

Thanks for the link, it's exactly the info I was looking for!

I just realized that authentication is not consistent because node-k8s-client.kubectl calls the kubectl CLI, which I had already used "manually" and which is properly configured, while node-k8s-client.api uses request to perform the HTTP requests. It is not the same stuff that runs and performs the authentication, hence this discrepancy.