docs: update kube tutorial cert install procedure #4907
Conversation
|
@anderseknert Added some extra Markdown formatting to your PR header comment. I'll give the updated instructions a whirl. I know next-to-nothing about k8s, but I can definitely tell you if I get the same error message. 😄 |
There was a problem hiding this comment.
@anderseknert I was able to run through the entire k8s tutorial, end-to-end. I think your fixes did the trick. 👍
|
Thanks @philipaconrad! Knowing nothing is pretty much a super power for a tester :D I believe at least the first error is caused by Mac OS shipping an older version of openssl, which defaults to SHA1 hashing, and that the first fix might not be needed on other platforms. Being explicit certainly doesn't hurt though. The other fix, I have no idea 😬 |
Two unrelated issues would break the Kubernetes tutorial in recent kube versions. The first one being the SHA1 hash used by default in at least older versions of OpenSSL, which is no longer accepted by Kubernetes. Easy fix. The next one is definitely a head scratcher - for whatever reason, the subjectAltName previously provided in the config didn't seem to be picked up in certificate signing requests. Older versions of Kubernetes - or Go, really - would accept the common name (CN), but more recent ones require the use of subjectAltName, so it's possible this never "worked" as intended but was ignored as the CN was used instead. The docs on the topic however all suggest that the previous config _should_ have worked, and after having spent a long time trying to figure out why it didn't, I've found nothing to provide any insights here. Best I have is "works on my machine", so if anyone else would want to try this out to make sureit works on theirs too, that'd be great. * Use explicit hashing algorithm * Specify -extensions as this does not seem to be picked up when provided in config only. Fixes open-policy-agent#4902 Signed-off-by: Anders Eknert <[email protected]>
anderseknert
force-pushed
the
fix-kube-tutorial-cert-conf
branch
from
55a29f8
to
0cc8693
Compare
|
Fantastic, @philipaconrad! @Impakt, could you please try it out before we have it merged? |
|
Fix confirmed working by both @philipaconrad and @Impakt (on Slack). Merging. |
Two unrelated issues would break the Kubernetes tutorial in recent kube versions. The first one being the SHA1 hash used by default in at least older versions of OpenSSL, which is no longer accepted by Kubernetes. Easy fix.
The next one is definitely a head scratcher - for whatever reason, the
subjectAltNamepreviously provided in the config didn't seem to be picked up in certificate signing requests. Older versions of Kubernetes - or Go, really - would accept the common name (CN), but more recent ones require the use ofsubjectAltName, so it's possible this never "worked" as intended but was ignored as the CN was used instead.The docs on the topic however all suggest that the previous config should have worked, and after having spent a long time trying to figure out why it didn't, I've found nothing to provide any insights here. Best I have is "works on my machine", so if anyone else would want to try this out to make sure it works on theirs too, that'd be great.
-extensionsas this does not seem to be picked up when provided in config only.Fixes #4902
Signed-off-by: Anders Eknert [email protected]