CA cert in kubectl config file invalid

Bug #1828034 reported by Merlijn Sebrechts
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| Kubernetes Control Plane Charm | Fix Released | Medium | Mike Wilson | |

Bug Description

The base64 encoded CA cert in the kubectl config file doesn't contain a newline after the certificate end tag. This isn't a problem for `kubectl` itself, but it is a problem for the golang k8s client library. When you run a controller using this config file, you get an error message saying that CA is unknown:

Controller example repo: https://github.com/trstringer/k8s-controller-core-resource

```console
$ go build && ./k8s-controller-core-resource
INFO[0000] Successfully constructed k8s client
INFO[0000] Controller.Run: initiating
ERROR: logging before flag.Parse: E0507 14:07:01.479764 30683 reflector.go:205] k8s-controller-core-resource/controller.go:37: Failed to list *v1.Service: Get https://10.10.138.101:443/api/v1/namespaces/k8s-tengu-test/services?limit=500&resourceVersion=0: x509: certificate signed by unknown authority
```

```console
merlijn@howard:~/Desktop$ cat config | grep -oP 'certificate-authority-data: \K.*' | base64 --decode
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----merlijn@howard:~/Desktop$
```

Changing the base64-encoded certificate to include a newline fixes the issue.

```console
$ cat ~/.kube/config | grep -oP 'certificate-authority-data: \K.*' | base64 --decode
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
merlijn@howard$
```

```console
$ go build && ./k8s-controller-core-resource
INFO[0000] Successfully constructed k8s client
INFO[0000] Controller.Run: initiating
INFO[0000] Add service: k8s-tengu-test/sse-endpoint
INFO[0000] Controller.Run: cache sync complete
INFO[0000] Controller.runWorker: starting
INFO[0000] Controller.processNextItem: start
INFO[0000] Controller.processNextItem: object created detected: k8s-tengu-test/sse-endpoint
INFO[0000] TestHandler.ObjectCreated
INFO[0000] ResourceVersion: 2518213
INFO[0000] ExternalName: idlab-iot.tengu.io
INFO[0000] Phase: []
INFO[0000] Controller.runWorker: processing next item
INFO[0000] Controller.processNextItem: start
```

description: updated
affects: charm-aws-integrator → charm-kubernetes-master
description: updated
Changed in charm-kubernetes-master:
status: New → Triaged
importance: Undecided → Medium
Changed in charm-kubernetes-master:
assignee: nobody → Mike Wilson (knobby)
Changed in charm-kubernetes-master:
status: Triaged → In Progress
Mike Wilson (knobby) wrote :
Changed in charm-kubernetes-master:
status: In Progress → Fix Committed
Changed in charm-kubernetes-master:
milestone: none → 1.15
Changed in charm-kubernetes-master:
status: Fix Committed → Fix Released