morvencao / kube-sidecar-injector

A Kubernetes mutating webhook server that implements sidecar injection
Apache License 2.0

missing required field "signerName" #29

Closed daniel-afo closed 2 years ago

daniel-afo commented 3 years ago

Hello,

As I'm using the newest Kubernetes version 1.22.0, I have to use the apiVersion certificates.k8s.io/v1 instead of certificates.k8s.io/v1beta1. After deployment of webhook-create-signed-cert.sh I got this failure:

error: error validating "STDIN": error validating data: ValidationError(CertificateSigningRequest.spec): missing required field "signerName" in io.k8s.api.certificates.v1.CertificateSigningRequestSpec; if you choose to ignore these errors, turn validation off with --validate=false

Can someone tell me which signerName has to be set?

Greetings

Daniel

daniel-afo commented 3 years ago

Hey,

OK, I found the value (hopefully it is the right one).

In webhook-create-signed-cert.sh, under the section "# create server cert/key CSR and send to k8s API", I changed this:

cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: ${csrName}
spec:
  groups:
  - system:authenticated
  request: $(< "${tmpdir}"/server.csr base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

to that:

cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${csrName}
spec:
  groups:
  - system:authenticated
  request: $(< "${tmpdir}"/server.csr base64 | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

But now I get this error:

ERROR: After approving csr sidecar-injector-webhook-svc.sidecar-injector, the signed certificate did not appear on the resource. Giving up after 10 attempts.

Does someone have an idea how I can fix this?

Greetings, Daniel

lajiao117 commented 3 years ago

Update to this:

cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${csrName}
spec:
  groups:
  - system:authenticated
  request: $(cat ${tmpdir}/server.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF

The doc: https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/

morvencao commented 2 years ago

Thanks @lajiao117 @daniel-afo. Fixed this in https://github.com/morvencao/kube-mutating-webhook-tutorial/pull/34
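
A pre-flight check for the signerName/usages pairs tried in this thread, added here as an example (it is not part of the thread or of the project's script). `check_csr_signer` is a hypothetical helper name; the rules encode the built-in signers described in the Kubernetes documentation linked above, and cover key usages only, not each signer's subject or SAN restrictions.

```shell
#!/usr/bin/env bash
# Added example: check a CSR's signerName against the key usages that
# Kubernetes' built-in signers accept (certificates.k8s.io/v1).
# check_csr_signer is a hypothetical helper, not part of the project's script.
#
# Usage:   check_csr_signer <signerName> <usage> [<usage> ...]
# Returns: 0 = a built-in signer accepts this usage set
#          1 = built-in signer, but this usage set is not permitted
#          2 = not a built-in signer (nothing signs it unless a custom signer runs)
#          3 = legacy-unknown, which cannot be requested through the v1 API
check_csr_signer() {
  signer=$1; shift
  case "$signer" in
    kubernetes.io/kube-apiserver-client|kubernetes.io/kube-apiserver-client-kubelet)
      required="client auth" ;;
    kubernetes.io/kubelet-serving)
      required="server auth" ;;
    kubernetes.io/legacy-unknown)
      return 3 ;;
    *)
      return 2 ;;
  esac
  has_required=0 has_digsig=0
  for usage in "$@"; do
    case "$usage" in
      "$required")          has_required=1 ;;
      "digital signature")  has_digsig=1 ;;
      "key encipherment")   ;;            # optional for all three signers
      *)                    return 1 ;;   # any other usage is refused
    esac
  done
  [ "$has_required" -eq 1 ] || return 1
  # The two kubelet signers accept only fixed sets that include digital signature.
  case "$signer" in
    *kubelet*) [ "$has_digsig" -eq 1 ] || return 1 ;;
  esac
  return 0
}
```

Calling it with the values from the second comment (`kubernetes.io/kube-apiserver` plus `server auth`) returns 2, which matches the symptom reported there: the CSR can be approved, but no built-in signer issues a certificate for that name.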