alex1989hu / kubelet-serving-cert-approver

Kubelet Serving TLS Certificate Signing Request Approver
Apache License 2.0

Certificates don't get auto-approved, because of different usages #139

Closed ajgon closed 1 year ago

ajgon commented 1 year ago

I'm running talos linux with kubernetes 1.27.1. This is what my CSR looks like:

```yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  creationTimestamp: "2023-04-23T18:27:29Z"
  generateName: csr-
  name: csr-cw62j
  resourceVersion: "9332"
  uid: c0abc145-16d9-4b6d-a5de-a16b8543f6e1
spec:
  groups:
  - system:nodes
  - system:authenticated
  request: "<cert base64>"
  signerName: kubernetes.io/kubelet-serving
  usages: # problematic part
  - digital signature
  - server auth
  username: system:node:mynode
```

I'm not sure if it's a talos thingy or k8s 1.27, but the key encipherment usage is missing, as stated here: https://github.com/alex1989hu/kubelet-serving-cert-approver/blob/066ee79b86a75b0d3fb0f705fa61bc9e1eb79fc9/controller/certificatesigningrequest/helper.go#L60-L64 .

I'm happy to provide a patch/PR, but as I'm not a k8s expert, before I do I want to make sure this isn't me doing something wrong, or that it doesn't fall into the "1.27 is not supported yet" category. :)

Edit: Okay, it's 1.27. Out of curiosity, I've spun up a 1.26.4 cluster, and the CSR is as expected there:

```yaml
spec:
  usages:
    - digital signature
    - key encipherment
    - server auth
```

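The approval decision the thread is about is a whitelist check on the CSR's key usages (the `helper.go` lines linked above). Below is an added, stand-alone Go example, not the project's own code, showing the shape of such a check once both the pre-1.27 usage set and the 1.27 set (which dropped `key encipherment`) are accepted. It also pins the signer name, the `system:node:` username prefix and the `system:nodes` group, so that a CSR for any other signer or identity is never approved by this path. `CSRSpec`, `allowedUsageSets` and `CheckKubeletServingCSR` are hypothetical names; `CSRSpec` is a hand-written stand-in for the `k8s.io/api` type so the example builds without the Kubernetes libraries.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// CSRSpec is a minimal stand-in (assumption, not the real k8s.io/api type)
// for the fields of a CertificateSigningRequest spec that matter here.
type CSRSpec struct {
	SignerName string
	Username   string
	Groups     []string
	Usages     []string
}

// allowedUsageSets holds the only key-usage combinations accepted for a
// kubelet serving certificate: the set kubelets sent before Kubernetes 1.27
// and the set sent since "key encipherment" was dropped in 1.27.
var allowedUsageSets = [][]string{
	{"digital signature", "key encipherment", "server auth"},
	{"digital signature", "server auth"},
}

// usageKey canonicalises a usage list (sorted, comma-joined) so two lists can
// be compared as sets regardless of the order the kubelet emitted them in.
// Duplicated entries are kept, so a padded list does not match either set.
func usageKey(usages []string) string {
	cp := append([]string(nil), usages...)
	sort.Strings(cp)
	return strings.Join(cp, ",")
}

// CheckKubeletServingCSR returns nil when the spec is consistent with a
// kubelet asking for its own serving certificate, otherwise an error naming
// the first mismatch. Anything that fails here must not be auto-approved.
func CheckKubeletServingCSR(spec CSRSpec) error {
	if spec.SignerName != "kubernetes.io/kubelet-serving" {
		return fmt.Errorf("unexpected signerName %q", spec.SignerName)
	}
	if !strings.HasPrefix(spec.Username, "system:node:") {
		return fmt.Errorf("username %q is not a node identity", spec.Username)
	}
	inNodesGroup := false
	for _, g := range spec.Groups {
		if g == "system:nodes" {
			inNodesGroup = true
			break
		}
	}
	if !inNodesGroup {
		return fmt.Errorf("requester %q is not in system:nodes", spec.Username)
	}
	got := usageKey(spec.Usages)
	for _, set := range allowedUsageSets {
		if usageKey(set) == got {
			return nil
		}
	}
	return fmt.Errorf("usages %v are not an allowed kubelet-serving combination", spec.Usages)
}

func main() {
	// Constructed sample mirroring the 1.27.1 CSR from the issue.
	csr127 := CSRSpec{
		SignerName: "kubernetes.io/kubelet-serving",
		Username:   "system:node:mynode",
		Groups:     []string{"system:nodes", "system:authenticated"},
		Usages:     []string{"digital signature", "server auth"},
	}
	fmt.Println("1.27 CSR:", CheckKubeletServingCSR(csr127))

	// Same request, but asking for client auth: must be refused.
	bad := csr127
	bad.Usages = []string{"digital signature", "client auth"}
	fmt.Println("client-auth CSR:", CheckKubeletServingCSR(bad))
}
```

The usages check is only one gate: a real approver also decodes the PEM in `spec.request` and verifies that the CSR's subject and SANs match the node named in `username`, which this example deliberately leaves out.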
Sycrosity commented 1 year ago

Having the exact same issue with talos linux and k8s v1.27.1 on a fresh install. Did you manage to fix your issue on the v1.27.1 cluster?

ajgon commented 1 year ago

> having the exact same issue with talos linux and k8s v1.27.1 on a fresh install - did you manage to fix your issue on the v1.27.1 cluster?

Unfortunately, no. I manually accepted all the CSRs, which should be sufficient for now...

alex1989hu commented 1 year ago

dear @ajgon @Sycrosity: here is the breaking change https://github.com/kubernetes/kubernetes/pull/111660

The plan is to wait for controller-runtime k8s v1.27 compatibility https://github.com/kubernetes-sigs/controller-runtime/pull/2189, then apply the changes and cut the first v0.7 release.

@ajgon thanks for submitting the PR https://github.com/alex1989hu/kubelet-serving-cert-approver/pull/140

jlec commented 1 year ago

@alex1989hu all upstream PRs are merged. What are next steps here?

alex1989hu commented 1 year ago

@jlec we must wait for controller-runtime release with k8s v1.27 support

netthier commented 1 year ago

@ajgon Could you please elaborate on how you manually accepted these CSRs? I'm also encountering this bug on one of my nodes, and not being able to access any logs due to `tls: internal error` is getting a bit annoying :v

rwunderer commented 1 year ago

@netthier for me this works:

```shell
kubectl certificate approve $(kubectl get csr --sort-by=.metadata.creationTimestamp | grep Pending | awk '{print $1}')
```

ajgon commented 1 year ago

@netthier @rwunderer Yup, that's the way :)

alex1989hu commented 1 year ago

@ajgon @Sycrosity @jlec @rwunderer @netthier @rwunderer I have just released 0.7.0 image: https://github.com/alex1989hu/kubelet-serving-cert-approver/releases/tag/v0.7.0