Kubernetes does not create the certificate

Time: 2018-12-04 15:52:13

Tags: kubernetes ssl-certificate

I have already created the certificate with cfssl, but when I use the files generated by cfssl to create the Kubernetes certificate, my Kubernetes returns the following error:

Error from server (BadRequest): error when creating "certificado.yml": CertificateSigningRequest in version "v1beta1" cannot be handled as a CertificateSigningRequest: v1beta1.CertificateSigningRequest.Spec: v1beta1.CertificateSigningRequestSpec.Usages: []v1beta1.KeyUsage: Request: decode base64: illegal base64 data at input byte 3, error found in #10 byte of ...| -d '\\n'","usages":|..., bigger context ...|,"request":"cat server.csr | base64 | tr -d '\\n'","usages":["digital signature","key encipherment",|...

I tried without the $() in the request field, but it returned the same error.

My certificado.yml:

apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: rasa-service.default
spec:
  groups:
  - system:authenticated
  request: $(cat server.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth

2 answers:

Answer 0 (score: 1)

You can do it as follows:

cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: rasa-service.default
spec:
  groups:
  - system:authenticated
  request: $(cat server.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

That way it won't break; otherwise you need to put the hard-coded output of cat server.csr | base64 | tr -d '\n' into the yaml file.

Edit:

I believe there is some problem with the csr you generated. You can run the following three commands to check whether you are able to create a CSR:

openssl genrsa -out admin.key 2048 
openssl req -new -key admin.key -out admin.csr -subj "/O=system:masters/CN=kubernetes-admin"


cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: admin_csr
spec:
  groups:
  - system:authenticated
  - system:masters
  request: $(cat admin.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF

Then check whether admin_csr gets created.

EDIT2:

I used the same guide you mentioned in the comments and was able to generate the CSR:

[root@ip-10-**-**-** cerificates]# cat <<EOF | cfssl genkey - | cfssljson -bare server
> {
>   "hosts": [
>     "ba***ta.default.svc.cluster.local",
>     "ba***ta-57f6c65474-8rdhz.default.pod.cluster.local",
>     "10.**.86.73",
>     "192.**.13.10"
>   ],
>   "CN": "ba***ta-57f6c65474-8rdhz.default.pod.cluster.local",
>   "key": {
>     "algo": "ecdsa",
>     "size": 256
>   }
> }
> EOF
2018/12/05 12:00:11 [INFO] generate received request
2018/12/05 12:00:11 [INFO] received CSR
2018/12/05 12:00:11 [INFO] generating key: ecdsa-256
2018/12/05 12:00:12 [INFO] encoded CSR
[root@ip-10-**-**-** cerificates]# ls
server.csr  server-key.pem
[root@ip-10-0-1-99 cerificates]# cat <<EOF | kubectl create -f -
> apiVersion: certificates.k8s.io/v1beta1
> kind: CertificateSigningRequest
> metadata:
>   name: ba***ta.default
> spec:
>   groups:
>   - system:authenticated
>   request: $(cat server.csr | base64 | tr -d '\n')
>   usages:
>   - digital signature
>   - key encipherment
>   - server auth
> EOF
certificatesigningrequest.certificates.k8s.io "ba***ta.default" created
[root@ip-10-**-**-** cerificates]# kubectl get csr
NAME              AGE       REQUESTOR                               CONDITION
ba***ta.default   6s        kubernetes-admin                        Pending
csr-9dcz6         59m       system:node:ip-10-**-**-**.ec2.internal   Approved,Issued
[root@ip-10-0-1-99 cerificates]# 

Answer 1 (score: 0)

The problem is the following line:

request: $(cat server.csr | base64 | tr -d '\n')

This line contains a Bash command substitution; since kubectl cannot interpret bash code, that line should not appear there.

I suspect you did not execute the command of the example you followed, but instead copied its contents into a file.

Delete that file and run the cat command from the example, and it will work, because that command performs the substitution and fills the request field with the correct value.

The result should look like this:

apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: rasa-service.default
spec:
  groups:
  - system:authenticated
  request: authUlRGTQpSVEZNClJURk0KUlRGTQpSVEZNClJURk0KUlRGTQpSVEZNClJURk0KUlRGTQpSVEZNClJURk0=
  usages:
  - digital signature
  - key encipherment
  - server auth
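Both answers make the same point: $(cat server.csr | base64 | tr -d '\n') has to be expanded by the shell before kubectl ever sees the manifest, otherwise the request field holds the text of a command, and base64 decoding fails on it (the space in "cat " is the illegal byte at input byte 3 that the error reports). As an added example that is not part of either answer or of any Kubernetes tooling, the script below renders the manifest that way and adds the check a practitioner would run before kubectl create: decode the request field and confirm it is a PEM certificate request. The file name server.csr, the object name rasa-service.default and the usages are taken from the question; the CSR body is a constructed placeholder, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# Builds a CertificateSigningRequest manifest with the CSR base64-encoded by the
# shell, and checks the `request` field before anything is sent to kubectl.
# Assumes GNU coreutils `base64` (older macOS needs `base64 -D` to decode).
set -eu

# Render the manifest for a PEM CSR file. The encoding runs here, in the shell,
# so the YAML carries the encoded CSR rather than the text of a shell command.
render_csr_manifest() {
    csr_file=$1
    csr_name=$2
    encoded=$(base64 < "$csr_file" | tr -d '\n')   # `base64 -w0` on GNU does the same
    cat <<EOF
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: $csr_name
spec:
  groups:
  - system:authenticated
  request: $encoded
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF
}

# Print the decoded `request` field of a manifest; fail if it is not valid base64.
decode_request_field() {
    value=$(printf '%s\n' "$1" | sed -n 's/^ *request: //p')
    printf '%s' "$value" | base64 -d 2>/dev/null
}

# "ok" when the request field decodes to a PEM certificate request, else "bad".
# A command string sitting where the data belongs is rejected by base64 itself.
classify_manifest() {
    if ! decoded=$(decode_request_field "$1"); then
        echo bad; return
    fi
    case $decoded in
        "-----BEGIN CERTIFICATE REQUEST-----"*) echo ok ;;
        *) echo bad ;;
    esac
}

# Constructed sample CSR file standing in for server.csr. The body is a
# placeholder, not a real request; a real one comes from openssl or cfssl.
workdir=$(mktemp -d)
SAMPLE_CSR="$workdir/server.csr"
printf '%s\n' \
    '-----BEGIN CERTIFICATE REQUEST-----' \
    'MIIBnTCCAQYCAQAwXTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBWRlbW8x' \
    '-----END CERTIFICATE REQUEST-----' > "$SAMPLE_CSR"

good_manifest() { render_csr_manifest "$SAMPLE_CSR" rasa-service.default; }

# What the question's certificado.yml contained: the command text itself,
# reproduced with a quoted heredoc so nothing expands here either.
broken_manifest() {
    cat <<'EOF'
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: rasa-service.default
spec:
  request: $(cat server.csr | base64 | tr -d '\n')
EOF
}

echo "rendered manifest: $(classify_manifest "$(good_manifest)")"    # ok
echo "certificado.yml:   $(classify_manifest "$(broken_manifest)")"  # bad
```

To submit a real request, pipe the rendered manifest straight in: render_csr_manifest server.csr rasa-service.default | kubectl create -f -. On a real CSR, openssl req -in server.csr -noout -verify is the extra check worth running first: it validates the request's own signature, which the decode check above does not.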