kubernetes - kubectl error when trying to create a CertificateSigningRequest: Error from server (BadRequest): error when creating "tcsr.yaml": CertificateSigningRequest
Problem description
I am trying to create a CertificateSigningRequest
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: vault-csr
spec:
  groups:
  - system:authenticated
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJRklEQ0NBd2dDQVFBd0lERWVNQdHQTFVRUF3d1ZkbUYxYkhRdWRtRjFiSFF0Y0dWeWMyOHVjM1pqTUlJQwpJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBZzhBTUlJQ0NS0NBZ0VBdFJubkFQR2R4bG1xdjhMOW1Gc29YOXJuCk9JcTVGTJMZmRDelZCVEVUEV6TDgzSWFsT1cya2lrNWFRM282d2NSTmx1S3NzeUl1c0ZUSTFqR2djWjN0eXkKSDFqMlROMmNHMHp4MGVaYTJqK3JMVkkwSmVTdXFHNkdmY01rRzRudUhZSGJraDZUYmgyalc5S0RTUTVRekNzdwo0Rlg4bDZXVEVILzdSemgwNCt0RkdFamxVVktkakJYcVqMhBc0NqemJ2Sy9GaEhLRjJwRVpza1pSNWtCbC80Cm1KLxxxxJQ0FURSBSRVFVRVNULS0tLS0K
  usages:
  - digital signature
  - key encipherment
  - server auth
But I get:
Error from server (BadRequest): error when creating "tmp/csr.yaml": CertificateSigningRequest in version "v1beta1" cannot be handled as a CertificateSigningRequest: v1beta1.CertificateSigningRequest.Spec: v1beta1.CertificateSigningRequestSpec.Usages: []v1beta1.KeyUsage: Request: decode base64: illegal base64 data at input byte 2432, error found in #10 byte of ...|ULS0tLS0K","usages":|..., bigger context ...|pPQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K","usages":["digital signature","key encipherment",|...
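What does this mean?
Solution
There is definitely something wrong with your request line. Your error comes (most probably, I'm not sure!!, it seems) from wrongly encoded, copy-pasted data.
You can find a lot of similar examples, such as "Kubernetes not creating certificate".
I reproduced your small example and everything seems to work fine. To reproduce it I used the official documentation page "Create CertificateSigningRequest".
Small remark: the official documentation uses a v1 apiVersion - I was not able to create a CertificateSigningRequest with it, so I had to fall back to the apiVersion: certificates.k8s.io/v1beta1 one.
The error I received with apiVersion: certificates.k8s.io/v1 was: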
error: unable to recognize "sr.yaml": no matches for kind "CertificateSigningRequest" in version "certificates.k8s.io/v1"
So, basically,
$ openssl genrsa -out vit.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
............................................................................................................................+++++
........+++++
e is 65537 (0x010001)
$ openssl req -new -key vit.key -out vit.csr
...
$ cat vit.csr | base64 | tr -d "\n"
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2lqQ0NBWElDQVFBd1JURUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeApJVEFmQmdOVkJBb01HRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpEQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNZmZFSitFTjZ3Wjd5emV4WjA4aUtQOWhUYWVzSjh1cWt3U1NsU1QKdXhVbDlyci85YnA2OTd3Ky9lQXRVTlF6ajlWNGQvUnhLSG0rMkVhWDllaGowN0NBZlJRRFEvV284dW1tLS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2lqQ0NBWElDQVFBd1JURUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeApJVEFmQmdOVkJBb01HRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpEQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNZmZFSitFTjZ3Wjd5emV4WjA4aUtQOWhUYWVzSjh1cWt3U1NsU1QKdXhVbDlyci85YnA2OTd3Ky9lQXRVTlF6ajlWNGQvUnhLSG0rMkVhWDllaGowN0NBZlJRRFEvV284dW1tUzRMZAo1UEtoNmVxMmdvMWJkNDRzQmpwaFk4encwK1UyQXdZMElPbitCcm9weWdGMVlCWWFkcHYzSnBXQVpqb2g2NFBuCmY0WThFNmptd0lnYlpTcXhlcTdDaUEwSDNHZDg1L0s4em5hWlFuYWZ2Q3E2Umc4SitsS2Z0RnN3QWdpL1BjSlgKWExYekRCdSs4OERacENJT0Rjek9MejZIYmhBMk1GK2tXN0RFTlJIZ29EenJZNHdNNGxGdVNpWGlPSVE2L01GVApuSmU5b1dNbFpNMjErNFpsQUN5RElZUnhwQmZQNlBBKzhoWEJJaGk4R09OK2ZiY0NBd0VBQWFBQU1BMEdDU3FHClNJYjNEUUVCQ3dVQUE0SUJBUUNlM1JyaEdoSWV4dWR5b2ljNjA0c0dGOTdNcExqV0Y0RVUwK0dOWGY5WWIzRHIKb2NsRG91OFVZQjhVTlpaTW1lc21xZUozdEVKQ3I2cE1mMWI4U09vOHhzYXdiR3NHZHlRdzJ5RWJvemdtWDR1bwphKy9aVjkyNUkwYVkwNGFGOW52QmVYSDBLbnh0RG9FdG8rOVVnVFoxLzV6ZVZOWGIrNnl0K1R6bVowOCtQbm4vCkhmUVMvdmtrVTdtNnRxNjQxbTJKUGlCK0Y4MnZyenM4NithS2gvYUk0ODJ2VXdjUzFrUnlLTEs0ZUVkOGNUUEQKWHdEVk9selhQcTVuMFh5ZUorcnlHY0dRYVpKb291TytVdUpXVnlCN0dYZnd5RENnUjhGZm8wZUtSQWZBQ1dIawplZ3h6UGN2ZEhtTTBjclM2VkU0SWNDVytycU5KUmxyQWhnY2JKM3daCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
I manually copy-pasted the key and put it into the yaml using vi...
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: vit
spec:
  groups:
  - system:authenticated
  request: <base64 string printed by the previous command>
  usages:
  - client auth
The result is:
$ kubectl apply -f sr.yaml
certificatesigningrequest.certificates.k8s.io/vit created
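request is the base64-encoded value of the CSR file content. You can get the content using this command: cat john.csr | base64 | tr -d "\n"
You can also use request: $(cat server.csr | base64 | tr -d '\n')
instead of copy-pasting the plain text.. Please read the information below.. it is important
A similar issue had been bothering me as well. After some troubleshooting, I observed that the base64 and tr solution did not work properly in a MacOS environment. The gbase64 utility from GNU has a "-w" option that does not wrap lines. Once I installed gnu coreutils and used gbase64, the script worked as expected. The issue was related to using the original combination of "tr" and line wrapping. Hope it helps future users who run into similar environment-related issues.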
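A pre-flight check for the request value discussed in the answers above, as an added example that is not part of the original posts. The function names `encode_csr` and `check_request` and the sample PEM text are assumptions made up for the example; it reports the byte offset of the first illegal character, in the same spirit as the API server's "illegal base64 data at input byte N" message.

```shell
#!/usr/bin/env bash
# Added example (function names are hypothetical, not from kubectl or Kubernetes).

# Constructed sample: PEM-shaped text with a dummy body, not a real CSR.
SAMPLE_PEM='-----BEGIN CERTIFICATE REQUEST-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE REQUEST-----'

# Encode a PEM CSR file as one unbroken base64 line. Stripping CR and LF
# afterwards makes the result independent of where the local base64 wraps.
encode_csr() {
    base64 < "$1" | tr -d '\r\n'
}

# Check a spec.request value. Prints the first problem found and returns 1,
# or prints "ok" and returns 0.
check_request() {
    local LC_ALL=C                       # byte-wise matching and lengths
    local req="$1" prefix decoded
    prefix="${req%%[!A-Za-z0-9+/=]*}"    # text before the first illegal byte
    if [ "${#prefix}" -ne "${#req}" ]; then
        echo "illegal character at byte ${#prefix}"; return 1
    fi
    if [ $(( ${#req} % 4 )) -ne 0 ]; then
        echo "length ${#req} is not a multiple of 4"; return 1
    fi
    # Assumes a base64 that accepts -d (GNU coreutils, recent macOS).
    if ! decoded="$(printf '%s' "$req" | base64 -d 2>/dev/null)"; then
        echo "base64 decode failed"; return 1
    fi
    case "$decoded" in
        "-----BEGIN CERTIFICATE REQUEST-----"*"-----END CERTIFICATE REQUEST-----")
            echo "ok" ;;
        *)  echo "decoded data is not a PEM CERTIFICATE REQUEST block"; return 1 ;;
    esac
}

# Demo on the constructed sample: a clean value, then one with a space pasted in.
demo() {
    local tmp req
    tmp="$(mktemp)"; printf '%s\n' "$SAMPLE_PEM" > "$tmp"
    req="$(encode_csr "$tmp")"; rm -f "$tmp"
    check_request "$req"
    check_request "LS0t LS0t" || true
}
demo
```

The structural checks do not prove the CSR itself is valid; `openssl req -in file.csr -noout -verify` on the decoded file covers that part.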