使用cfssl和kubernetes生成CA证书和私钥时出错

时间:2017-10-25 08:33:24

标签: ssl ssl-certificate kubernetes client-certificates kubernetes-security

我正在使用cfssl来生成CSR。

我的json格式低于

{
"CN": "ambika",
"key": {
  "algo": "ecdsa",
  "size": 256
},
"names": [
   {
       "O": "system:masters"
   }
 ]
}

root@vagrant-xenial64:~/bin# cat csr.json | cfssl genkey - | cfssljson  -bare server
2017/10/25 08:28:07 [INFO] generate received request
2017/10/25 08:28:07 [INFO] received CSR
2017/10/25 08:28:07 [INFO] generating key: ecdsa-256
2017/10/25 08:28:07 [INFO] encoded CSR

下一步 生成CSR yaml blob并通过运行以下命令将其发送到apiserver:

root@vagrant-xenial64:~/bin# cat csr.yaml
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
 name: ambika
spec:
  groups:
    - system:masters
    request: $(cat server.csr | base64 | tr -d "\n")
usages:
 - digital signature
- key encipherment
- client auth

root@vagrant-xenial64:~/bin# kubectl create -f csr.yaml
Error from server (BadRequest): error when creating "STDIN": CertificateSigningRequest in version "v1beta1" cannot be handled as a CertificateSigningRequest: [pos 684]: json: error decoding base64 binary 'LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlIbE1JR01BZ0VBTUNveEZ6QVZCZ05WQkFvVERuTjVjM1JsYlRwdFlYTjBaWEp6TVE4d0RRWURWUVFERXdaaApiV0pwYTJFd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFTdXVIbWF4bpaDU1TkpHZHh1cmN1ClQ1OU9YU0hEWUQ0d1J2S055NjlMOEkwL3RxTjF3WmRMckpYdSsxSDN5ZGp2N0FMaUJoSUh6aHRMMHd6QUN4b3AKb0FBd0NWUlLb1pJemowRUF3SURTQUF3UlFJaEFOTk9xaXFDa1lSYWgxQUFoUDQ1bWNzb09QM2p4RjIvdTB6ZgpHZW9BamhEQkFpQU55MEZkSU9vREhlZDFGd3UvTWFBditmWGJxN3V6RUdCQm9zUUFSUWFYcEE9PQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K': illegal base64 data at input byte 512

我正在关注此链接 Manage TLS Certificates in a Cluster

1 个答案:

答案 0 :(得分:1)

因为你在yaml文件中运行它,你需要在yaml文件中包含based64编码值。 $(cat server.csr | base64 | tr -d "\n")

在示例页面中,他们直接在shell中运行它。

cat server.csr | base64 | tr -d '\n' > o这样编码,并在yaml文件中包含它将起作用的值。

apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: ambika
spec:
  groups:
  - system:masters
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlIbU1JR01BZ0VBTUNveEZ6QVZCZ05WQkFvVERuTjVjM1JsYlRwdFlYTjBaWEp6TVE4d0RRWURWUVFERXdaaApiV0pwYTJFd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFTVWVLYmdpKzZHVHlhQlhDdk40S29SClRqMmFmRlUvVVZXV1Z5WHhJSnlMczhraE5pZDlRQnp0bzZHcDZESnYwTDdST1JuZnNXR2M2N0VVeXUzdU5LZ00Kb0FBd0NnWUlLb1pJemowRUF3SURTUUF3UmdJaEFJekkxOWxuR3ZueG1la1JyM28vSDI1ZWYyVklOWURlMkJZRQpaZUJiaHN1c0FpRUEyRXNWUE0xV2huZUMyMVFEL3ZIbXNnVFZqWWdVcHRPU3dSQ2lHSWZQekhjPQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K
  usages:
  - digital signature
  - key encipherment
  - server auth