小贝子编程

Webhook: TLS:跳过以下类型的 PEM 块后"CERTIFICATE"无法在证书输入中找到 PEM 块:[证书请求]



我正在尝试部署一个允许控制器/变异webhook

图片:https://hub.docker.com/layers/247126140/aagashe/label-webhook/1.2.0/images/sha256-acfe141ca782eb8699a3656a77df49a558a1b09989762dbf263a66732fd00910?context=repo

步骤按以下顺序执行。

  1. 已创建ca-csr。Json和ca-config。Json格式如下ca-config.json
{
"signing": {
"default": {
"expiry": "175200h"
},
"profiles": {
"default": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "175200h"
}
}
}
}

ca-csr.json

{
"signing": {
"default": {
"expiry": "175200h"
},
"profiles": {
"default": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "175200h"
}
}
}
}

创建一个docker容器,并依次运行如下命令:

docker run -it --rm -v ${PWD}:/work -w /work debian bash
apt-get update && apt-get install -y curl &&
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl_1.5.0_linux_amd64 -o /usr/local/bin/cfssl && 
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssljson_1.5.0_linux_amd64 -o /usr/local/bin/cfssljson && 
chmod +x /usr/local/bin/cfssl && 
chmod +x /usr/local/bin/cfssljson
cfssl gencert -initca ca-csr.json | cfssljson -bare /tmp/ca
cfssl gencert 
-ca=/tmp/ca.pem 
-ca-key=/tmp/ca-key.pem 
-config=ca-config.json 
-hostname="label-webhook,label-webhook.default.svc.cluster.local,label-webhook.default.svc,localhost,127.0.0.1" 
-profile=default 
ca-csr.json | cfssljson -bare /tmp/label-webhook

ca_pem_b64="$(openssl base64 -A <"/tmp/ca.pem")"
ls -alrth /tmp/
total 32K
drwxr-xr-x 1 root root 4.0K Jul  5 05:07 ..
-rw-r--r-- 1 root root 2.0K Jul  5 05:13 ca.pem
-rw-r--r-- 1 root root 1.8K Jul  5 05:13 ca.csr
-rw------- 1 root root 3.2K Jul  5 05:13 ca-key.pem
-rw-r--r-- 1 root root 2.2K Jul  5 05:17 label-webhook.pem
-rw-r--r-- 1 root root 1.9K Jul  5 05:17 label-webhook.csr
-rw------- 1 root root 3.2K Jul  5 05:17 label-webhook-key.pem
drwxrwxrwt 1 root root 4.0K Jul  5 05:17 .
cp -apvf /tmp/* .
'/tmp/ca-key.pem' -> './ca-key.pem'
'/tmp/ca.csr' -> './ca.csr'
'/tmp/ca.pem' -> './ca.pem'
'/tmp/label-webhook-key.pem' -> './label-webhook-key.pem'
'/tmp/label-webhook.csr' -> './label-webhook.csr'
'/tmp/label-webhook.pem' -> './label-webhook.pem'
pwd
/work
export ca_pem_b64="LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZqakNDQTNhZ0F3SUJBZ0lVVVVCSHcvTUlPak5IVjE1ZHBhMytFb0RtTlE4d0RRWUpLb1pJaHZjTkFRRU4KQlFBd1h6RUxNQWtHQTFVRUJoTUNRVlV4RlRBVEJnTlZCQWdUREdOaFlYTXRaR1YyTFdOaFl6RVNNQkFHQTFVRQpCeE1KVFdWc1ltOTFjbTVsTVF3d0NnWURWUVFLRXdOUVYwTXhGekFWQmdOVkJBc1REa05OVXlCWGIzSnJjM1J5ClpXRnRNQjRYRFRJeU1EY3dOVEExTURnd01Gb1hEVEkzTURjd05EQTFNRGd3TUZvd1h6RUxNQWtHQTFVRUJoTUMKUVZVeEZUQVRCZ05WQkFnVERHTmhZWE10WkdWMkxXTmhZekVTTUJBR0ExVUVCeE1KVFdWc1ltOTFjbTVsTVF3dwpDZ1lEVlFRS0V3TlFWME14RnpBVkJnTlZCQXNURGtOTlV5QlhiM0pyYzNSeVpXRnRNSUlDSWpBTkJna3Foa2lHCjl3MEJBUUVGQUFPQ0FnOEFNSUlDQ2dLQ0FnRUF1Vmxyd3lLSE5QMVllZUY5MktZMG02YXc0VUhBMEtac0JyNUkKeEZaWnVtM3ZzSHV3eXFBa3BjZHpibWhqSmVGcTZXYXJXUUNSTGxoU1ZRaVcxUnJkOXpxMWVndVZRYjJmN0w1cApkbGFteGZ4UGhSc3RodTZscXVCOC9XbWo3RVVEVnBMMkx3bHJNUm1tOWhrYWxSSUN6cXRLa1Y2MDFJMG9KMEd6ClN4SUFPSnRBS3VxamtuTWtnOTNTVit0WEdVamxLOTFzbGZ3V2Z5UUtjVVZWU1dxUVZiUEdxcjFIblZzeU5TcGYKTERFZGRFRVBNSUZLM3U2eWg3M3R3ME1SR3RyQ0RWSEdyR2xtd0xrZDZENjhzdHJCWWhEdnVVU2NRMG5Wb2VxaQowbVRESENCQ0x3UVptd2piR1UyYzhrMklVMGRkaGUvM2dYb2ErZkxSL3c4RHFPUldFKzVPREFxNFp1aklRQ01WCkdWSVJzdERwRmZscFdvQ0t1RnFDMUk2bFJPcFVJYi9ER0xyV29oeWdRYmxmcFlZd0JkbWtqVWhXaHpOL0N4MTcKeDR2WFM3a0NjVDJDVDZqR0NoUVlZTGRPL2lsTCtFMEhJWE9oRUVWbVZhaTcrUW5qRXVmeTEyUGlHQUEyWnc2dwp6NmpYVjJab1NXQUgxZ0xGSTYxTGRNQTE1Y084RTJERkFHMXdOUmM0TndJYUNmejNQMDRBUzFwbk5yRW5xNE1XCkVqM2ZUSGU4MWlRTTBuMnZ6VlltUDVBcEFwa2JNeUQrRU9ENWxnWXlFa1dTNVpON2RlVWZ5QURZSVQvMFR0USsKQTFzbk94K1RnT0lnTGxnY0xrMWllVnhHNHBLOTJqTWpWMjBGb0RDUmM1SHZCWHZrMWYvSWN2VDhDOENDRXJISwpJWkptdGFrQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0VHTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3CkhRWURWUjBPQkJZRUZQMjJrRm4rZWlOcFJHMkU0VkhoVGlRdFo0TmlNQTBHQ1NxR1NJYjNEUUVCRFFVQUE0SUMKQVFBTlRHSEhCODFwaWxwVnBsamZvVjY3ZTlhWTJFaUNudkRRSmdTWTBnZ0JOY3ZzblVMaFRpKytWZ25qZ0Q5YwpCOGMvQkU1QU0vWGdWVHE3UXpiUS92REhLbE4xbjRMbXdzWWxJc1RTWGhDZCtCTFlLeGEyTlJsVXZHR3h2OWZFCnZTVVpvcDk4MEtiMExlQU5lZ0FuOHlldnRTZ2hRdC9GNkcrVENOWk5GS25ZZFFKenp2ejFXNk1VOURPL0J4cGMKVWovTTZSMFhaeHdJOE5hR281MGRQUzZTVFNTcUdCQ3VIbUEyRDRrUCtWdHZIdVZoS2Izd3pXMVVPL1dCcTBGLwpKU3o2and4c05OUU8vOVN4SXNNOVRMWFY5UjkvNThSTEl1Y3ZObDFUODd2dzd5ZGp0S0c3YUR3N1lxSXplODN0ClF1WW1NQlY3Y0k2STdSRi9RVHhLVUdGbXJ6K3lDTHZzNjViVjJPdThxUm5ocUhTV3kwbkNjakYwR2h6L09hblIKdDFNWWNKTytpQzJBR09adVlGRnJsbUk0cWlCUHBJc204YmxDVGRoT1FhLzI2RTJWQzJXQk9SQmVrU2VWY3ZzUgpQaXFWMkRzV2I3ODc5UzEwWS9lOVQ2WUhIc3Z4TDVjZnhibVBsRDF2dlR0TmI2TjJiYTYyWmZVVlEvU3E3ZmEwClhKbUtpQ2pLbU9oMVhKRm5ZRmpRb25kMUFSNUVzR0drblI5NW5QN0x5ejd5RmpHMjFndkJHSU0xbHV0alg5aW8KVkdpMjlHdFA4THVQait6TDNsMElUTEZqb0RCOVBiNXFFbjR4MGpqMHlHc09kdFQ0ZGYvSGVja2ZHV0xmNkZEawp5ZmNuMTlRWDB0NXl6YklZVG9qRFV3VXlEUFZDYW44Y0JkdWdCNGptZkNjV2pRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo="
helm upgrade --install rel-label-webhook chart --namespace mutatingwebhook --create-namespace --set secret.cert=$(cat kubernetes/admissioncontrollers/introduction/tls/label-webhook.csr | base64 -w0) --set secret.key=$(cat kubernetes/admissioncontrollers/introduction/tls/label-webhook.pem | base64 -w0) --set secret.cabundle=$(echo "${ca_pem_b64}"|base64 -w0)

当我检查pod日志状态时,我得到如下错误:

k get all
NAME                                     READY   STATUS             RESTARTS      AGE
pod/rel-label-webhook-5575b849dc-d62np   0/1     CrashLoopBackOff   2 (20s ago)   48s
pod/rel-label-webhook-5575b849dc-gg94h   0/1     Error              3 (35s ago)   63s
pod/rel-label-webhook-5575b849dc-zcvc9   0/1     CrashLoopBackOff   2 (19s ago)   48s
NAME                        TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
service/rel-label-webhook   ClusterIP   10.0.135.138   <none>        8001/TCP   63s
NAME                                READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/rel-label-webhook   0/3     3            0           64s
NAME                                           DESIRED   CURRENT   READY   AGE
replicaset.apps/rel-label-webhook-5575b849dc   3         3         0       64s
NAME                                                    REFERENCE                      TARGETS                        MINPODS   MAXPODS   REPLICAS   AGE
horizontalpodautoscaler.autoscaling/rel-label-webhook   Deployment/rel-label-webhook   <unknown>/80%, <unknown>/80%   3         8         3          64s
k logs -f pod/rel-label-webhook-5575b849dc-gg94h
time="2022-07-05T13:37:45Z" level=info msg="listening on :8001"
error: error serving webhook: tls: failed to find "CERTIFICATE" PEM block in certificate input after skipping PEM blocks of the following types: [CERTIFICATE REQUEST]

我在这里做错了什么?

p。S:

编辑1。

按larsks尝试,但现在得到一个新的错误!

命令

azureuser@ubuntuvm:~/container-label-webhook$ helm upgrade --install rel-label-webhook chart --namespace mutatingwebhook --create-namespace --set secret.cert=$(cat kubernetes/admissioncontrollers/introduction/tls/label-webhook.pem | base64 -w0) --set secret.key=$(cat kubernetes/admissioncontrollers/introduction/tls/label-webhook.pem | base64 -w0) --set secret.cabundle="echo "${ca_pem_b64}"|base64 -w0"

错误:

azureuser@ubuntuvm:~/container-label-webhook$ k logs -f pod/rel-label-webhook-5575b849dc-44xrn
time="2022-07-06T02:41:12Z" level=info msg="listening on :8001"
error: error serving webhook: tls: found a certificate rather than a key in the PEM for the private key

错误似乎很清楚:代码正在寻找pem编码文件中的CERTIFICATE块,但它只找到CERTIFICATE REQUEST块。看起来您正在传递一个证书签名请求(csr),其中代码期望找到一个实际的SSL证书。事实上,看看你的helm upgrade命令,这正是你所做的:

helm upgrade ... 
--set secret.cert=$(cat kubernetes/admissioncontrollers/introduction/tls/label-webhook.csr | base64 -w0) ...

您应该在这里使用label-webhook.pem而不是label-webhook.csr

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium