maraino
commented
1 year ago From the error, it looks like the provisioner JWK provisioner with kid B5MjjDUqy64XitU1lEQ06WEt4UL2H1VZi-_UpYybB58 doesn't have a valid encryptedKey value. At least that's my guess seeing this error compact JWE format must have five parts. That encryptedKey is generally in the ca.json, although it can be stored in a database if step-ca is configured with it.
You can get the encryptedKey value using step ca provisioner list, and you can make sure it is properly formatted if you see a private key in JWK format when you type:
echo <encyrptedKey> | step crypto jwe decryptUsing the password from the secret ecdsa-iss-step-certificates-provisioner-password.password.
PS: kid, if provided, is used by default instead of the name aksissuer.
step-issuer.values.txt Hi team, I am attempting to deploy (via the smallstep Helm chart) an instance of step-issuer on AKS. The cluster is running:
I am receiving the following error when deploying the step-issuer instance:
{"level":"error","ts":"2023-08-15T04:51:40Z","logger":"controllers.StepClusterIssuer","msg":"failed to initialize provisioner","stepclusterissuer":"/ecdsa-aks-step-issuer","error":"error parsing provisioner encrypted key: square/go-jose: compact JWE format must have five parts","errorVerbose":"square/go-jose: compact JWE format must have five parts\nerror parsing provisioner encrypted key\ngithub.com/smallstep/certificates/ca.decryptProvisionerJWK\n\t/go/pkg/mod/github.com/smallstep/certificates@v0.23.2/ca/provisioner.go:158\ngithub.com/smallstep/certificates/ca.loadProvisionerJWKByKid\n\t/go/pkg/mod/github.com/smallstep/certificates@v0.23.2/ca/provisioner.go:179\ngithub.com/smallstep/certificates/ca.NewProvisioner\n\t/go/pkg/mod/github.com/smallstep/certificates@v0.23.2/ca/provisioner.go:54\ngithub.com/smallstep/step-issuer/provisioners.NewFromStepClusterIssuer\n\t/src/provisioners/step.go:61\ngithub.com/smallstep/step-issuer/controllers.(*StepClusterIssuerReconciler).Reconcile\n\t/src/controllers/stepclusterissuer_controller.go:91\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:122\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:323\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:274\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:235\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1598","stacktrace":"github.com/smallstep/step-issuer/controllers.(*StepClusterIssuerReconciler).Reconcile\n\t/src/controllers/stepclusterissuer_controller.go:93\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:122\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:323\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:274\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:235"}The YAML config for the deployment is attached as "step-issuer.values.txt". It seems like the StepClusterIssuer information is incomplete (or wrong), but the Step-Certificates instance is issuing certificates correctly.