cockroachdb / k8s

Images and utilities to run cockroach on kubernetes
Apache License 2.0

waiting for 'kubectl certificate approve test.client.root' despite approval #13

Closed cgebe closed 6 years ago

cgebe commented 6 years ago

I get the following error when running the request-cert pod before the crdb statefulset:

2018/07/20 14:10:29 Looking up cert and key under secret test.client.root
W0720 14:10:29.516979       1 client_config.go:529] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
2018/07/20 14:10:29 Secret test.client.root not found, sending CSR
Sending create request: test.client.root for 
2018/07/20 14:10:29 failed to get certificate: CertificateSigningRequest.Create(test.client.root) failed: certificatesigningrequests.certificates.k8s.io "test.client.root" already exists

Edit: I deleted the CSR and waited for a restart; now I am sitting at:

2018/07/20 14:35:01 Looking up cert and key under secret test.client.root
W0720 14:35:01.555728       1 client_config.go:529] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
2018/07/20 14:35:01 Secret test.client.root not found, sending CSR
Sending create request: test.client.root for 
Request sent, waiting for approval. To approve, run 'kubectl certificate approve test.client.root'
CSR approved, but no certificate in response. Waiting some more
2018-07-20 14:35:56.390760318 +0000 UTC m=+54.838340077: waiting for 'kubectl certificate approve test.client.root'
2018-07-20 14:36:26.391007553 +0000 UTC m=+84.838587413: waiting for 'kubectl certificate approve test.client.root'
2018-07-20 14:36:56.391195726 +0000 UTC m=+114.838775452: waiting for 'kubectl certificate approve test.client.root'
2018-07-20 14:37:26.391489733 +0000 UTC m=+144.839069581: waiting for 'kubectl certificate approve test.client.root'
2018-07-20 14:37:56.391885125 +0000 UTC m=+174.839465012: waiting for 'kubectl certificate approve test.client.root'

The CSR is approved. So it waits indefinitely since there is no response to the waitCh. The status stays in approved and no certificate gets issued.

a-robinson commented 6 years ago

Hi @cgebe, it sounds like your Kubernetes cluster isn't configured with a certificate signer. The Kubernetes controller manager has to be configured to sign CSRs. Many provisioning systems like GKE enable this by default, but it appears as though yours may not have. I'd suggest checking on that if you're able to (i.e. you're managing your own cluster). If not, how did you create your Kubernetes cluster?

cgebe commented 6 years ago

Hey @a-robinson, thanks for the answer. I recognized this circumstance as well. I use Rancher 2.0; it seems like they did not add a cluster certificate setup yet, which is unfortunate. I am currently trying to add it.

aaahrens commented 5 years ago

Does anyone have an example config.yml that works for signing CSR?

OlegK57 commented 5 years ago

Part of RKE cluster.yml

```yaml
.....
kube-controller:
  extra_args: {"cluster-signing-cert-file": "/etc/kubernetes/ssl/kube-ca.pem", "cluster-signing-key-file": "/etc/kubernetes/ssl/kube-ca-key.pem"}
......
```

aaahrens commented 5 years ago

ty ty :]

travnewmatic commented 4 years ago

> Part of RKE cluster.yml
>
> ```yaml
> .....
> kube-controller:
>   extra_args: {"cluster-signing-cert-file": "/etc/kubernetes/ssl/kube-ca.pem", "cluster-signing-key-file": "/etc/kubernetes/ssl/kube-ca-key.pem"}
> ......
> ```

I think I've got this added to my cluster.yml thing properly, but I'm still encountering the issue.

How do I confirm that this extra_args thing had an effect?
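An added example, not part of this thread or of the cockroachdb/k8s code: a Go check that separates the state reported in this issue (CSR approved, `status.certificate` still empty) from a pending, denied or issued CSR, given JSON shaped like `kubectl get csr NAME -o json` output. `ClassifyCSR` and `SampleCSR` are hypothetical names, and the sample JSON is constructed with a placeholder where a real certificate would be.

```go
package main

import (
	"encoding/json"
	"encoding/pem"
	"fmt"
)

// csr mirrors only the CertificateSigningRequest fields inspected here.
type csr struct {
	Status struct {
		Conditions  []struct{ Type string }
		Certificate []byte // base64 in JSON, PEM once decoded
	}
}

// ClassifyCSR returns "pending", "denied", "approved-not-issued" or "issued".
func ClassifyCSR(raw []byte) (string, error) {
	var c csr
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", err
	}
	seen := map[string]bool{}
	for _, cond := range c.Status.Conditions {
		seen[cond.Type] = true
	}
	switch {
	case seen["Denied"]:
		return "denied", nil
	case !seen["Approved"]:
		return "pending", nil
	case len(c.Status.Certificate) == 0: // approved, but no signer issued a cert
		return "approved-not-issued", nil
	}
	if b, _ := pem.Decode(c.Status.Certificate); b == nil || b.Type != "CERTIFICATE" {
		return "", fmt.Errorf("status.certificate is not a PEM certificate")
	}
	return "issued", nil
}

// SampleCSR builds constructed CSR JSON for the demo; certPEM may be nil.
func SampleCSR(condType string, certPEM []byte) []byte {
	cert, _ := json.Marshal(certPEM) // []byte marshals to a base64 JSON string
	return []byte(fmt.Sprintf(`{"status":{"conditions":[{"type":%q}],"certificate":%s}}`, condType, cert))
}

func main() {
	fmt.Println(ClassifyCSR(SampleCSR("Approved", nil)))
}
```

A CSR that stays in `approved-not-issued` after the controller manager has restarted points to signing still not being active; one that reaches `issued` shows a signer filled in the certificate.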

travnewmatic commented 4 years ago

It works now, thanks!