sensu-plugins / sensu-plugins-kubernetes

Sensu plugins for Kubernetes
http://sensu-plugins.io
MIT License

Issue talking to Kube API secure #31

Open Rizbe opened 7 years ago

Rizbe commented 7 years ago

Converted my SSL certs using: openssl x509 -pubkey -noout -in ca.pem > ca.pub

./check-kube-nodes-ready.rb  -s https://IP:port/api/ --token-file /etc/kubernetes/token --ca-file /etc/kubernetes/cacert.pem  --key /etc/kubernetes/ca-key.pub --cert /etc/kubernetes/ca.pub 
Check failed to run: Unable to read client certificate: nested asn1 error, ["/opt/sensu/embedded/lib/ruby/gems/2.3.0/gems/sensu-plugins-kubernetes-0.1.2/lib/sensu-plugins-kubernetes/client.rb:68:in `initialize'", "/opt/sensu/embedded/lib/ruby/gems/2.3.0/gems/sensu-plugins-kubernetes-0.1.2/lib/sensu-plugins-kubernetes/client.rb:68:in `new'", "/opt/sensu/embedded/lib/ruby/gems/2.3.0/gems/sensu-plugins-kubernetes-0.1.2/lib/sensu-plugins-kubernetes/client.rb:68:in `kubeclient'", "/opt/sensu/embedded/lib/ruby/gems/2.3.0/gems/sensu-plugins-kubernetes-0.1.2/lib/sensu-plugins-kubernetes/cli.rb:77:in `initialize'", "/opt/sensu/embedded/lib/ruby/gems/2.3.0/gems/sensu-plugin-1.4.4/lib/sensu-plugin/cli.rb:57:in `new'", "/opt/sensu/embedded/lib/ruby/gems/2.3.0/gems/sensu-plugin-1.4.4/lib/sensu-plugin/cli.rb:57:in `block in <class:CLI>'"]

Running Ubuntu 14.04 with Sensu 28.2

majormoses commented 7 years ago

I assume this is self signed?

geekofalltrades commented 7 years ago

More readable version of your command line:

./check-kube-nodes-ready.rb \
-s https://IP:port/api/ \
--token-file /etc/kubernetes/token \
--ca-file /etc/kubernetes/cacert.pem \
--key /etc/kubernetes/ca-key.pub \
--cert /etc/kubernetes/ca.pub

First, you should be using either --cert and --key or --token-file, not both. Kubernetes authentication options are documented here: https://kubernetes.io/docs/admin/authentication/. --cert and --key are for X509 Client Cert auth, and --token-file is for Static Token File auth.

When using --key, you need to provide the private key associated with the cert, not the public key. And then, that will only work if the apiserver is configured correctly with the --client-ca-file option.

Finally, I don't think you want the /api URL on the end of your apiserver in this call. You should have scheme, host, and port there.
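To make the two points above concrete (a `--cert` file that is really a `PUBLIC KEY` block cannot be parsed as a certificate, and `--key` must be the private key that matches the certificate), here is an added pre-flight check written for this thread. It is not part of sensu-plugins-kubernetes or kubeclient; it only mirrors the calls client.rb makes (`OpenSSL::X509::Certificate.new` on the cert, `OpenSSL::PKey.read` on the key) and reports what is wrong before the check script ever talks to the apiserver. The CA and client certificate it builds in memory are constructed test material, and `make_ca_and_client`, `pem_label` and `preflight` are names chosen here.

```ruby
require 'openssl'

# Build a throwaway CA and a client certificate signed by it, entirely in
# memory. This is constructed test data so the example runs offline; real
# deployments would read these from the files passed to --ca-file/--cert/--key.
def make_ca_and_client
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version = 2
  ca.serial = 1
  ca.subject = OpenSSL::X509::Name.parse('/CN=example-ca')
  ca.issuer = ca.subject
  ca.public_key = ca_key.public_key
  ca.not_before = Time.now - 60
  ca.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca)
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  ca.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  ca.sign(ca_key, OpenSSL::Digest::SHA256.new)

  client_key = OpenSSL::PKey::RSA.new(2048)
  client = OpenSSL::X509::Certificate.new
  client.version = 2
  client.serial = 2
  client.subject = OpenSSL::X509::Name.parse('/CN=sensu-check')
  client.issuer = ca.subject
  client.public_key = client_key.public_key
  client.not_before = Time.now - 60
  client.not_after = Time.now + 3600
  cef = OpenSSL::X509::ExtensionFactory.new(ca, client)
  client.add_extension(cef.create_extension('extendedKeyUsage', 'clientAuth', false))
  client.sign(ca_key, OpenSSL::Digest::SHA256.new)

  [ca, ca_key, client, client_key]
end

# The label in the first "-----BEGIN ...-----" line tells you what a PEM file
# holds. `openssl x509 -pubkey -noout` writes "PUBLIC KEY", not "CERTIFICATE".
def pem_label(pem)
  pem[/-----BEGIN ([A-Z0-9 ]+)-----/, 1]
end

# Run the same parsing kubeclient does on the --cert/--key/--ca-file contents
# and return a list of human-readable problems (empty list means all good).
def preflight(cert_pem:, key_pem:, ca_pem:)
  problems = []

  if (label = pem_label(cert_pem)) && label != 'CERTIFICATE'
    problems << "cert: PEM label is '#{label}', expected 'CERTIFICATE'"
  end

  cert = begin
    OpenSSL::X509::Certificate.new(cert_pem)
  rescue OpenSSL::X509::CertificateError => e
    # This is the "Unable to read client certificate" path; with a PUBLIC KEY
    # block the underlying OpenSSL message is typically "nested asn1 error".
    problems << "cert: unparseable (#{e.message})"
    nil
  end

  key = begin
    OpenSSL::PKey.read(key_pem)
  rescue OpenSSL::PKey::PKeyError => e
    problems << "key: unparseable (#{e.message})"
    nil
  end

  # PKey.read happily loads a public key; TLS client auth needs the private half.
  if key && !key.private?
    problems << 'key: file holds a public key, not a private key'
  end

  if cert && key && key.private? && !cert.check_private_key(key)
    problems << 'key: does not match the public key in cert'
  end

  ca = begin
    OpenSSL::X509::Certificate.new(ca_pem)
  rescue OpenSSL::X509::CertificateError => e
    problems << "ca: unparseable (#{e.message})"
    nil
  end

  # The apiserver only trusts client certs chaining to its --client-ca-file;
  # verifying locally against the same CA catches a cert issued elsewhere.
  if cert && ca
    store = OpenSSL::X509::Store.new
    store.add_cert(ca)
    problems << "cert: not issued by ca (#{store.error_string})" unless store.verify(cert)
  end

  problems
end

if $PROGRAM_NAME == __FILE__
  ca, _ca_key, client, client_key = make_ca_and_client
  puts 'good pair:      ' + preflight(cert_pem: client.to_pem, key_pem: client_key.to_pem, ca_pem: ca.to_pem).inspect
  pub = client_key.public_key.to_pem # what `openssl x509 -pubkey -noout` produces
  puts 'public key pair:' + preflight(cert_pem: pub, key_pem: pub, ca_pem: ca.to_pem).inspect
end
```

Running it with the same files you would hand to check-kube-nodes-ready.rb (read each with `File.read`) tells you which of the three inputs kubeclient is going to reject, and why, without needing the apiserver reachable.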

majormoses commented 7 years ago

@Rizbe does that help?