我正在尝试部署一个允许控制器/变异webhook
图片:https://hub.docker.com/layers/247126140/aagashe/label-webhook/1.2.0/images/sha256-acfe141ca782eb8699a3656a77df49a558a1b09989762dbf263a66732fd00910?context=repo
步骤按以下顺序执行。
- 已创建ca-csr。Json和ca-config。Json格式如下ca-config.json
{
"signing": {
"default": {
"expiry": "175200h"
},
"profiles": {
"default": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "175200h"
}
}
}
}
ca-csr.json
{
"signing": {
"default": {
"expiry": "175200h"
},
"profiles": {
"default": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "175200h"
}
}
}
}
创建一个docker容器,并依次运行如下命令:
docker run -it --rm -v ${PWD}:/work -w /work debian bash
apt-get update && apt-get install -y curl &&
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl_1.5.0_linux_amd64 -o /usr/local/bin/cfssl &&
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssljson_1.5.0_linux_amd64 -o /usr/local/bin/cfssljson &&
chmod +x /usr/local/bin/cfssl &&
chmod +x /usr/local/bin/cfssljson
cfssl gencert -initca ca-csr.json | cfssljson -bare /tmp/ca
cfssl gencert
-ca=/tmp/ca.pem
-ca-key=/tmp/ca-key.pem
-config=ca-config.json
-hostname="label-webhook,label-webhook.default.svc.cluster.local,label-webhook.default.svc,localhost,127.0.0.1"
-profile=default
ca-csr.json | cfssljson -bare /tmp/label-webhook
ca_pem_b64="$(openssl base64 -A <"/tmp/ca.pem")"
ls -alrth /tmp/
total 32K
drwxr-xr-x 1 root root 4.0K Jul 5 05:07 ..
-rw-r--r-- 1 root root 2.0K Jul 5 05:13 ca.pem
-rw-r--r-- 1 root root 1.8K Jul 5 05:13 ca.csr
-rw------- 1 root root 3.2K Jul 5 05:13 ca-key.pem
-rw-r--r-- 1 root root 2.2K Jul 5 05:17 label-webhook.pem
-rw-r--r-- 1 root root 1.9K Jul 5 05:17 label-webhook.csr
-rw------- 1 root root 3.2K Jul 5 05:17 label-webhook-key.pem
drwxrwxrwt 1 root root 4.0K Jul 5 05:17 .
cp -apvf /tmp/* .
'/tmp/ca-key.pem' -> './ca-key.pem'
'/tmp/ca.csr' -> './ca.csr'
'/tmp/ca.pem' -> './ca.pem'
'/tmp/label-webhook-key.pem' -> './label-webhook-key.pem'
'/tmp/label-webhook.csr' -> './label-webhook.csr'
'/tmp/label-webhook.pem' -> './label-webhook.pem'
pwd
/work
export ca_pem_b64="LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZqakNDQTNhZ0F3SUJBZ0lVVVVCSHcvTUlPak5IVjE1ZHBhMytFb0RtTlE4d0RRWUpLb1pJaHZjTkFRRU4KQlFBd1h6RUxNQWtHQTFVRUJoTUNRVlV4RlRBVEJnTlZCQWdUREdOaFlYTXRaR1YyTFdOaFl6RVNNQkFHQTFVRQpCeE1KVFdWc1ltOTFjbTVsTVF3d0NnWURWUVFLRXdOUVYwTXhGekFWQmdOVkJBc1REa05OVXlCWGIzSnJjM1J5ClpXRnRNQjRYRFRJeU1EY3dOVEExTURnd01Gb1hEVEkzTURjd05EQTFNRGd3TUZvd1h6RUxNQWtHQTFVRUJoTUMKUVZVeEZUQVRCZ05WQkFnVERHTmhZWE10WkdWMkxXTmhZekVTTUJBR0ExVUVCeE1KVFdWc1ltOTFjbTVsTVF3dwpDZ1lEVlFRS0V3TlFWME14RnpBVkJnTlZCQXNURGtOTlV5QlhiM0pyYzNSeVpXRnRNSUlDSWpBTkJna3Foa2lHCjl3MEJBUUVGQUFPQ0FnOEFNSUlDQ2dLQ0FnRUF1Vmxyd3lLSE5QMVllZUY5MktZMG02YXc0VUhBMEtac0JyNUkKeEZaWnVtM3ZzSHV3eXFBa3BjZHpibWhqSmVGcTZXYXJXUUNSTGxoU1ZRaVcxUnJkOXpxMWVndVZRYjJmN0w1cApkbGFteGZ4UGhSc3RodTZscXVCOC9XbWo3RVVEVnBMMkx3bHJNUm1tOWhrYWxSSUN6cXRLa1Y2MDFJMG9KMEd6ClN4SUFPSnRBS3VxamtuTWtnOTNTVit0WEdVamxLOTFzbGZ3V2Z5UUtjVVZWU1dxUVZiUEdxcjFIblZzeU5TcGYKTERFZGRFRVBNSUZLM3U2eWg3M3R3ME1SR3RyQ0RWSEdyR2xtd0xrZDZENjhzdHJCWWhEdnVVU2NRMG5Wb2VxaQowbVRESENCQ0x3UVptd2piR1UyYzhrMklVMGRkaGUvM2dYb2ErZkxSL3c4RHFPUldFKzVPREFxNFp1aklRQ01WCkdWSVJzdERwRmZscFdvQ0t1RnFDMUk2bFJPcFVJYi9ER0xyV29oeWdRYmxmcFlZd0JkbWtqVWhXaHpOL0N4MTcKeDR2WFM3a0NjVDJDVDZqR0NoUVlZTGRPL2lsTCtFMEhJWE9oRUVWbVZhaTcrUW5qRXVmeTEyUGlHQUEyWnc2dwp6NmpYVjJab1NXQUgxZ0xGSTYxTGRNQTE1Y084RTJERkFHMXdOUmM0TndJYUNmejNQMDRBUzFwbk5yRW5xNE1XCkVqM2ZUSGU4MWlRTTBuMnZ6VlltUDVBcEFwa2JNeUQrRU9ENWxnWXlFa1dTNVpON2RlVWZ5QURZSVQvMFR0USsKQTFzbk94K1RnT0lnTGxnY0xrMWllVnhHNHBLOTJqTWpWMjBGb0RDUmM1SHZCWHZrMWYvSWN2VDhDOENDRXJISwpJWkptdGFrQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0VHTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3CkhRWURWUjBPQkJZRUZQMjJrRm4rZWlOcFJHMkU0VkhoVGlRdFo0TmlNQTBHQ1NxR1NJYjNEUUVCRFFVQUE0SUMKQVFBTlRHSEhCODFwaWxwVnBsamZvVjY3ZTlhWTJFaUNudkRRSmdTWTBnZ0JOY3ZzblVMaFRpKytWZ25qZ0Q5YwpCOGMvQkU1QU0vWGdWVHE3UXpiUS92REhLbE4xbjRMbXdzWWxJc1RTWGhDZCtCTFlLeGEyTlJsVXZHR3h2OWZFCnZTVVpvcDk4MEtiMExlQU5lZ0FuOHlldnRTZ2hRdC9GNkcrVENOWk5GS25ZZFFKenp2ejFXNk1VOURPL0J4cGMKVWovTTZSMFhaeHdJOE5hR281MGRQUzZTVFNTcUdCQ3VIbUEyRDRrUCtWdHZIdVZoS2Izd3pXMVVPL1dCcTBGLwpKU3o2and4c05OUU8vOVN4SXNNOVRMWFY5UjkvNThSTEl1Y3ZObDFUODd2dzd5ZGp0S0c3YUR3N1lxSXplODN0ClF1WW1NQlY3Y0k2STdSRi9RVHhLVUdGbXJ6K3lDTHZzNjViVjJPdThxUm5ocUhTV3kwbkNjakYwR2h6L09hblIKdDFNWWNKTytpQzJBR09adVlGRnJsbUk0cWlCUHBJc204YmxDVGRoT1FhLzI2RTJWQzJXQk9SQmVrU2VWY3ZzUgpQaXFWMkRzV2I3ODc5UzEwWS9lOVQ2WUhIc3Z4TDVjZnhibVBsRDF2dlR0TmI2TjJiYTYyWmZVVlEvU3E3ZmEwClhKbUtpQ2pLbU9oMVhKRm5ZRmpRb25kMUFSNUVzR0drblI5NW5QN0x5ejd5RmpHMjFndkJHSU0xbHV0alg5aW8KVkdpMjlHdFA4THVQait6TDNsMElUTEZqb0RCOVBiNXFFbjR4MGpqMHlHc09kdFQ0ZGYvSGVja2ZHV0xmNkZEawp5ZmNuMTlRWDB0NXl6YklZVG9qRFV3VXlEUFZDYW44Y0JkdWdCNGptZkNjV2pRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo="
helm upgrade --install rel-label-webhook chart --namespace mutatingwebhook --create-namespace --set secret.cert=$(cat kubernetes/admissioncontrollers/introduction/tls/label-webhook.csr | base64 -w0) --set secret.key=$(cat kubernetes/admissioncontrollers/introduction/tls/label-webhook.pem | base64 -w0) --set secret.cabundle=$(echo "${ca_pem_b64}"|base64 -w0)
当我检查pod日志状态时,我得到如下错误:
k get all
NAME READY STATUS RESTARTS AGE
pod/rel-label-webhook-5575b849dc-d62np 0/1 CrashLoopBackOff 2 (20s ago) 48s
pod/rel-label-webhook-5575b849dc-gg94h 0/1 Error 3 (35s ago) 63s
pod/rel-label-webhook-5575b849dc-zcvc9 0/1 CrashLoopBackOff 2 (19s ago) 48s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/rel-label-webhook ClusterIP 10.0.135.138 <none> 8001/TCP 63s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/rel-label-webhook 0/3 3 0 64s
NAME DESIRED CURRENT READY AGE
replicaset.apps/rel-label-webhook-5575b849dc 3 3 0 64s
NAME REFERENCE TARGETS MINPODS MAXPODS REPLICAS AGE
horizontalpodautoscaler.autoscaling/rel-label-webhook Deployment/rel-label-webhook <unknown>/80%, <unknown>/80% 3 8 3 64s
k logs -f pod/rel-label-webhook-5575b849dc-gg94h
time="2022-07-05T13:37:45Z" level=info msg="listening on :8001"
error: error serving webhook: tls: failed to find "CERTIFICATE" PEM block in certificate input after skipping PEM blocks of the following types: [CERTIFICATE REQUEST]
我在这里做错了什么?
p。S:
编辑1。
按larsks尝试,但现在得到一个新的错误!
命令
azureuser@ubuntuvm:~/container-label-webhook$ helm upgrade --install rel-label-webhook chart --namespace mutatingwebhook --create-namespace --set secret.cert=$(cat kubernetes/admissioncontrollers/introduction/tls/label-webhook.pem | base64 -w0) --set secret.key=$(cat kubernetes/admissioncontrollers/introduction/tls/label-webhook.pem | base64 -w0) --set secret.cabundle="echo "${ca_pem_b64}"|base64 -w0"
错误:
azureuser@ubuntuvm:~/container-label-webhook$ k logs -f pod/rel-label-webhook-5575b849dc-44xrn
time="2022-07-06T02:41:12Z" level=info msg="listening on :8001"
error: error serving webhook: tls: found a certificate rather than a key in the PEM for the private key
错误似乎很清楚:代码正在寻找pem编码文件中的CERTIFICATE
块,但它只找到CERTIFICATE REQUEST
块。看起来您正在传递一个证书签名请求(csr),其中代码期望找到一个实际的SSL证书。事实上,看看你的helm upgrade
命令,这正是你所做的:
helm upgrade ...
--set secret.cert=$(cat kubernetes/admissioncontrollers/introduction/tls/label-webhook.csr | base64 -w0) ...
您应该在这里使用label-webhook.pem
而不是label-webhook.csr
。