
Create client certificates per server with SAN values #382

AblionGE
Description

Currently, the client certificate that is created by the kubetool is shared between all controller nodes without any SAN (Subject Alternative Name). Checking etcd logs when the "master" etcd controller goes down shows the following error:

rejected connection from "10.10.10.104:43816" (error "remote error: tls: bad certificate", ServerName "")

Because of that error, it's not possible anymore to call the Kubernetes cluster using kubectl until the etcd node is back.

The fix implemented simply creates one client certificate per K8S controller node with SAN fields with correct values (DNS name and IP). After a few etcd failover tests, the etcd cluster continues to work and kubectl is working, too.

Environment

  • Kubernetes version: 1.15.0
  • etcd version: 3.4.3
  • CentOS Linux release 7.6.1810 (Core)
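As an added illustration of the per-node approach described above (example code written for this page, not kubetool's own implementation), the Ruby below issues one client certificate per controller node with the node's DNS name and IP in subjectAltName, and checks that a presented certificate actually names a given node. The CA name, key size and one-year lifetime are assumptions.

```ruby
require 'openssl'
# Shared X.509 v3 skeleton, valid for one year (lifetime is an assumption).
def skeleton(subject, issuer, pubkey, serial)
  c = OpenSSL::X509::Certificate.new
  c.version = 2
  c.serial = serial
  c.subject = OpenSSL::X509::Name.parse(subject)
  c.issuer = issuer
  c.public_key = pubkey
  c.not_before = Time.now
  c.not_after = Time.now + 365 * 24 * 3600
  c
end

# Self-signed CA that signs the per-node client certificates (name assumed).
def make_ca
  key = OpenSSL::PKey::RSA.new(2048)
  ca = skeleton('/CN=etcd-ca', OpenSSL::X509::Name.parse('/CN=etcd-ca'), key.public_key, 1)
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca)
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  ca.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  ca.sign(key, OpenSSL::Digest.new('SHA256'))
  [ca, key]
end

# One client certificate for one controller node, with that node's DNS name and
# IP in subjectAltName; pass ip = nil to reproduce the SAN-less shared cert.
def issue_client_cert(ca, ca_key, name, ip, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  c = skeleton("/CN=#{name}", ca.subject, key.public_key, serial)
  ef = OpenSSL::X509::ExtensionFactory.new(ca, c)
  c.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  c.add_extension(ef.create_extension('extendedKeyUsage', 'clientAuth', false))
  c.add_extension(ef.create_extension('subjectAltName', "DNS:#{name},IP:#{ip}", false)) if ip
  c.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  [c, key]
end

# SAN entries as OpenSSL prints them, e.g. ["DNS:kube-master", "IP Address:172.17.10.101"].
def san_entries(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  ext ? ext.value.split(', ') : []
end

# True when the cert chains to ca and its SAN names exactly this node.
def cert_names_node?(ca, cert, name, ip)
  store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca) }
  sans = san_entries(cert)
  store.verify(cert) && sans.include?("DNS:#{name}") && sans.include?("IP Address:#{ip}")
end
```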

@AblionGE AblionGE requested a review from a team as a code owner January 21, 2020 10:51
@AblionGE AblionGE force-pushed the feature/create-client-cert-per-server branch from 16137cb to 07c8813 January 21, 2020 14:50
@codecov-io

codecov-io commented Jan 21, 2020

Codecov Report

Merging #382 into master will not change coverage.
The diff coverage is n/a.

@@          Coverage Diff          @@
##           master   #382   +/-   ##
=====================================
  Coverage       0%     0%           
=====================================
  Files           2      2           
  Lines          44     44           
=====================================
  Misses         44     44


@AblionGE AblionGE force-pushed the feature/create-client-cert-per-server branch from 07c8813 to 36b65ab January 21, 2020 15:00
@sanfrancrisko

Validated this change works with kubetool:

ruby kube_tool.rb -o ubuntu -v 1.17.0 -r docker -c cilium -p 1.7.0 -i kube-master:172.17.10.101,kube-replica-master-01:172.17.10.210,kube-replica-master-02:172.17.10.220 -t 127.0.20.20 -a 127.0.10.10 -d true

@sanfrancrisko sanfrancrisko merged commit 60a46ad into puppetlabs:master Jan 28, 2020
@AblionGE AblionGE deleted the feature/create-client-cert-per-server branch January 28, 2020 17:18