I'm having trouble with the final step of creating a user certificate for use with the NodeJS pg client against a secure CockroachDB running on GKE. (Using the root user's client key and cert works fine, but I don't want to use root for pg access.)
The container's /cockroach-certs directory looks like this:
ca.crt client.root.crt client.root.key
and
kubectl exec -it cockroachdb-client-secure -- ./cockroach --certs-dir=/cockroach-certs cert list
shows
+-----------------------+------------------+-----------------+------------+--------------+-------+
| Usage | Certificate File | Key File | Expires | Notes | Error |
+-----------------------+------------------+-----------------+------------+--------------+-------+
| Certificate Authority | ca.crt | | 2023/09/03 | num certs: 1 | |
| Client | client.root.crt | client.root.key | 2023/09/03 | user: root | |
+-----------------------+------------------+-----------------+------------+--------------+-------+
I used cockroach's client-secure.yaml (https://github.com/cockroachdb/cockroach/blob/master/cloud/kubernetes/client-secure.yaml), the same one used to set up the CSR for root, but changed the user to xyz (already added as a user in the database). This successfully generated a CSR for xyz, which I then approved.
default.client.xyz 8m system:serviceaccount:default:cockroachdb Approved,Issued
and created the expected secret, from which I can extract the client key and cert.
default.client.xyz Opaque 2 9m
The problem is that cert list doesn't show client.xyz.key or client.xyz.crt, and they are not in the /cockroach-certs directory. If I extract them from the default.client.xyz secret and copy them there manually, they show up in the cert list, but they are not assigned to a specific user.
The cockroach docs use 'cockroach cert' to create users, but don't show a specific process for kubernetes. So I'm missing the last piece of the puzzle: why does client-secure.yaml go through the whole process with -user=root but miss the last step with -user=xyz, and what step am I missing?
.... Added more info. The container claims to have written the cert files, but they don't actually exist.
$ kubectl logs fidserver-csr -c init-certs
+ /request-cert '-namespace=default' '-certs-dir=/cockroach-certs' '-type=client' '-user=fidserver' '-symlink-ca-from=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
2018/09/07 15:32:11 Looking up cert and key under secret default.client.fidserver
W0907 15:32:11.700733 1 client_config.go:529] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
2018/09/07 15:32:11 Writing cert and key to local files
wrote key file: /cockroach-certs/client.fidserver.key
wrote certificate file: /cockroach-certs/client.fidserver.crt
symlinked CA certificate file: /cockroach-certs/ca.crt -> /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
.... Updated: retried with a different certs directory. Even though the log claims the files were written, nothing was actually written. The symlink didn't happen either.
+ /request-cert '-namespace=default' '-certs-dir=/cockroach-client-certs' '-type=client' '-user=fidserver' '-symlink-ca-from=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
2018/09/08 09:35:56 Looking up cert and key under secret default.client.fidserver
W0908 09:35:56.160525 1 client_config.go:529] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
2018/09/08 09:35:56 Secret default.client.fidserver not found, sending CSR
Sending create request: default.client.fidserver for
Request sent, waiting for approval. To approve, run 'kubectl certificate approve default.client.fidserver'
2018-09-08 09:36:26.718183601 +0000 UTC m=+30.564697651: waiting for 'kubectl certificate approve default.client.fidserver'
2018-09-08 09:36:56.718422397 +0000 UTC m=+60.564936446: waiting for 'kubectl certificate approve default.client.fidserver'
2018-09-08 09:37:26.718657743 +0000 UTC m=+90.565171864: waiting for 'kubectl certificate approve default.client.fidserver'
2018-09-08 09:37:56.718959817 +0000 UTC m=+120.565473905: waiting for 'kubectl certificate approve default.client.fidserver'
CSR approved, but no certificate in response. Waiting some more
request default.client.fidserver Approved at 2018-09-08 09:38:00 +0000 UTC
reason: KubectlApprove
message: This CSR was approved by kubectl certificate approve.
2018/09/08 09:38:00 Storing cert and key under secret default.client.fidserver
2018/09/08 09:38:01 Writing cert and key to local files
wrote key file: /cockroach-client-certs/client.fidserver.key
wrote certificate file: /cockroach-client-certs/client.fidserver.crt
symlinked CA certificate file: /cockroach-client-certs/ca.crt -> /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
Now logged as a cockroach issue: https://github.com/cockroachdb/cockroach/issues/29968
Answer 0 (score: 2)
This was debugged in the github issue.
The certificate and key fetched by the request-cert init container are those of the user requested through the --user argument.
This means the container will only have access to a single set of client credentials. The volume is also not updated with other certificates, since this is only done at initialization.
To request certificates for other users, a new pod must be created that includes:
a request-cert init container with --user=<desired user>
<desired user>'s client certificates in /cockroach-certs
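As an added example (not from the question, the answer, or the CockroachDB project), here is a POSIX shell script that renders the per-user client pod the answer describes, modelled on client-secure.yaml with only the `-user` value changed, and approves the resulting CSR. The request-cert flags are the ones visible in the question's init-container log; the image tags, the `cockroachdb` service account (taken from the CSR listing in the question), the username character set and the use of `kubectl` from outside the cluster are assumptions. The username is validated before it is interpolated into YAML and into the CSR name, so a stray shell or YAML metacharacter cannot alter the manifest.

```shell
#!/bin/sh
# Added example, not from the question, the answer, or the CockroachDB project.
# Renders a one-off client pod whose request-cert init container requests a
# client certificate for a single non-root user, then approves the CSR.
# Assumptions: image tags, serviceaccount "cockroachdb", username charset.

# Reject anything that is not a plain SQL username before it reaches YAML.
valid_user() {
  case "$1" in
    ""|root) return 1 ;;                 # root already has a cert; never re-request it here
    *[!a-z0-9_.-]*) return 1 ;;          # assumption: conservative charset only
    *) return 0 ;;
  esac
}

# Print a pod manifest modelled on client-secure.yaml, with -user=<user>.
render_client_pod() {
  user="$1"
  valid_user "$user" || { echo "invalid user: '$user'" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: cockroachdb-client-$user
  labels:
    app: cockroachdb-client
spec:
  serviceAccountName: cockroachdb
  initContainers:
  - name: init-certs
    image: cockroachdb/cockroach-k8s-request-cert:0.4   # assumption: tag
    imagePullPolicy: IfNotPresent
    command:
    - "/bin/ash"
    - "-ecx"
    - "/request-cert -namespace=\${POD_NAMESPACE} -certs-dir=/cockroach-certs -type=client -user=$user -symlink-ca-from=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
    env:
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    volumeMounts:
    - name: client-certs
      mountPath: /cockroach-certs
  containers:
  - name: cockroachdb-client
    image: cockroachdb/cockroach:v2.0.5   # assumption: tag
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - name: client-certs
      mountPath: /cockroach-certs
    command:
    - sleep
    - "2147483648"
  volumes:
  - name: client-certs
    emptyDir: {}
EOF
}

# CSR name as it appears in the question's logs: <namespace>.client.<user>
csr_name() { echo "$1.client.$2"; }

# Create the pod and approve its CSR. Needs kubectl; not exercised by the test.
request_user_cert() {
  ns="${2:-default}"
  render_client_pod "$1" | kubectl -n "$ns" apply -f - || return 1
  # request-cert blocks until the CSR is approved (see the log in the question),
  # so approve it as soon as the CSR object exists.
  until kubectl get csr "$(csr_name "$ns" "$1")" >/dev/null 2>&1; do sleep 5; done
  kubectl certificate approve "$(csr_name "$ns" "$1")"
}
```

Usage: `request_user_cert xyz` creates `cockroachdb-client-xyz`, whose `/cockroach-certs` will hold `ca.crt`, `client.xyz.crt` and `client.xyz.key` once the CSR is approved; a second user needs a second pod, as the answer states, because the init container only ever fetches one user's credentials.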