Closed cgebe closed 6 years ago
Hi @cgebe, it sounds like your Kubernetes cluster isn't configured with a certificate signer. The Kubernetes controller manager has to be configured to sign CSRs. Many provisioning systems like GKE enable this by default, but it appears as though yours may not have. I'd suggest checking on that if you're able to (i.e. you're managing your own cluster). If not, how did you create your Kubernetes cluster?
Hey @a-robinson thanks for the answer. I recognized this circumstance as well. I use rancher 2.0, seems like they did not add a cluster certificate setup yet, that's unfortunate. I am currently trying to add it.
does anyone have an example config.yml that works for signing CSR?
Part of RKE cluster.yml ..... kube-controller: extra_args: {"cluster-signing-cert-file": "/etc/kubernetes/ssl/kube-ca.pem", "cluster-signing-key-file": "/etc/kubernetes/ssl/kube-ca-key.pem"} ......
ty ty :]
Part of RKE cluster.yml ..... kube-controller: extra_args: {"cluster-signing-cert-file": "/etc/kubernetes/ssl/kube-ca.pem", "cluster-signing-key-file": "/etc/kubernetes/ssl/kube-ca-key.pem"} ......
i think i've got this added to my cluster.yml thing properly, but i'm still encountering the issue.
How do i confirm that this extra_args thing had an effect?
it works now thanks!
I get the following error when running the request-cert pod before the crdb statefulset:
Edit: I deleted the CSR and waited for a restart, now i am sitting at:
The CSR is approved. So it waits indefinitely since there is no response to the waitCh. The status stays in approved and no certificate gets issued.