
I'm trying to generate another kubeconfig for a microk8s cluster. For this I chose the certificates approach and I'm using the following script to generate the certificates, create the certificate signing request and populate the kubeconfig file.

rm -rf ./certs_dir || true
mkdir ./certs_dir
sleep 5

openssl genrsa -out ./certs_dir/$USER_NAME.key 2048
openssl req -new -key ./certs_dir/$USER_NAME.key -out ./certs_dir/$USER_NAME.csr -subj "/CN=$USER_NAME"

CERT_S_REQ="
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: user-$USER_NAME-csr
spec:
  groups:
  - system:authenticated
  request: $(cat $USER_NAME.csr | base64)
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 864000000
  usages:
  - digital signature
  - key encipherment
  - client auth
"
export KUBECONFIG=../output/$NAME-kubeconfig.yaml

echo -e "$CERT_S_REQ" > ./certs_dir/user_csr.yaml
kubectl apply -f ./certs_dir/user_csr.yaml


kubectl get csr

kubectl certificate approve user-$USER_NAME-csr
sleep 10
kubectl get csr user-$USER_NAME-csr -o jsonpath='{.status.certificate}'  | base64 -D > ./certs_dir/$USER_NAME.crt


kubectl create rolebinding user-$USER_NAME --clusterrole=cluster-admin --user=$USER_NAME
APISERVER=$(kubectl config view --raw -o 'jsonpath={..cluster.server}')
unset KUBECONFIG
kubectl config set-credentials "$USER_NAME" \
  --client-certificate="./certs_dir/$USER_NAME.crt" \
  --client-key="./certs_dir/$USER_NAME.key"  \
  --kubeconfig=../output/$USER_NAME.yaml \
  --embed-certs=true

kubectl config set-cluster $CLUSTER_NAME --server=$APISERVER --kubeconfig=../output/$USER_NAME.yaml
kubectl config set-context default --user=$USER_NAME --cluster=$CLUSTER_NAME --kubeconfig=../output/$USER_NAME.yaml
kubectl config use-context default --kubeconfig=../output/$USER_NAME.yaml

Everything seems to work, but when trying to use the new kubeconfig file with the embedded certs it does not work, failing with the following error whenever trying to execute a kubectl command

error: tls: private key does not match public key

Did I miss something?


I'm on macOS, running the microk8s cluster via multipass.

The microk8s cluster has the following enabled: ingress, storage, dns, rbac and also the dashboard install: https://raw.githubusercontent.com/kubernetes/dashboard/v2.3.1/aio/deploy/recommended.yaml

  • Could you please also provide your Ingress configuration to check? – anarxz Feb 22 '22 at 23:58
  • Hey. I have no ingress configured. I'm working with the base microk8s config and the mentioned addons enabled. The ingress controller is nginx (https://github.com/kubernetes/ingress-nginx) – Andrei Terecoasa Feb 24 '22 at 08:25
  • It looks like, unfortunately, I couldn't reproduce your issue; certificates work fine for me. What exact command are you trying to apply with them? – anarxz Mar 08 '22 at 00:22

0 Answers
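As an added diagnostic (not part of the question or the comments), the bash functions below compare the public key carried by the private key, the CSR and the signed certificate, which is the check that pins down a "private key does not match public key" error; note that the script above writes the CSR to ./certs_dir/ but base64-encodes $USER_NAME.csr from the working directory, so the manifest builder here reads the CSR from the same directory as the key. The function names are assumptions and openssl must be installed.

```bash
#!/usr/bin/env bash
# Added diagnostic, not part of the question. Requires openssl; the function
# names and the ./certs_dir layout are assumptions that mirror the script above.
set -eu

# Print a SHA-256 fingerprint of the public key carried by a private key,
# a CSR or a certificate, so that all three can be compared directly.
pubkey_fingerprint() {
  local kind=$1 file=$2
  case "$kind" in
    key)  openssl pkey -in "$file" -pubout -outform DER ;;
    csr)  openssl req  -in "$file" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    cert) openssl x509 -in "$file" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    *)    echo "unknown kind: $kind" >&2 ;;   # empty input, so fingerprints never match
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when the private key matches the CSR or certificate, 1 otherwise.
# A signed certificate that fails this check against the key embedded in the
# kubeconfig is what makes kubectl report "tls: private key does not match public key".
key_matches() {
  [ "$(pubkey_fingerprint key "$1")" = "$(pubkey_fingerprint "$2" "$3")" ]
}

# Build the CertificateSigningRequest manifest from the CSR inside the given
# directory. base64 output is joined with tr, which works on both macOS and
# Linux (GNU base64 -w0 does not exist on macOS).
build_csr_manifest() {
  local user=$1 dir=$2
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: user-${user}-csr
spec:
  request: $(base64 < "$dir/$user.csr" | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
}
```

After the approve step, `key_matches ./certs_dir/$USER_NAME.key cert ./certs_dir/$USER_NAME.crt` tells you whether the certificate the API server returned was issued for the key that ends up in the kubeconfig; if it was not, check which CSR file was base64-encoded into the manifest.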