Comment 0 for bug 1828034

Merlijn Sebrechts (merlijn-sebrechts) wrote :

The base64-encoded CA cert in the kubectl config file doesn't contain a newline after the certificate end tag. This isn't a problem for `kubectl` itself, but it is a problem for the golang k8s client library. When you run a controller using this config file, (example: ) you get an error message saying that the CA is unknown:

Controller example repo: https://github.com/trstringer/k8s-controller-core-resource

```console
$ go build && ./k8s-controller-core-resource
INFO[0000] Successfully constructed k8s client
INFO[0000] Controller.Run: initiating
ERROR: logging before flag.Parse: E0507 14:07:01.479764 30683 reflector.go:205] k8s-controller-core-resource/controller.go:37: Failed to list *v1.Service: Get https://10.10.138.101:443/api/v1/namespaces/k8s-tengu-test/services?limit=500&resourceVersion=0: x509: certificate signed by unknown authority
```

```console
merlijn@howard:~/Desktop$ cat config | grep -oP 'certificate-authority-data: \K.*' | base64 --decode
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----merlijn@howard:~/Desktop$
```

Changing the base64-encoded certificate to include a newline fixes the issue.

```console
$ cat ~/.kube/config | grep -oP 'certificate-authority-data: \K.*' | base64 --decode
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
```

```console
$ go build && ./k8s-controller-core-resource
INFO[0000] Successfully constructed k8s client
INFO[0000] Controller.Run: initiating
INFO[0000] Add service: k8s-tengu-test/sse-endpoint
INFO[0000] Controller.Run: cache sync complete
INFO[0000] Controller.runWorker: starting
INFO[0000] Controller.processNextItem: start
INFO[0000] Controller.processNextItem: object created detected: k8s-tengu-test/sse-endpoint
INFO[0000] TestHandler.ObjectCreated
INFO[0000] ResourceVersion: 2518213
INFO[0000] ExternalName: idlab-iot.tengu.io
INFO[0000] Phase: []
INFO[0000] Controller.runWorker: processing next item
INFO[0000] Controller.processNextItem: start
```
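The check and workaround described in the report, scripted as an added example (not part of the original comment or of any project's code). The helper names are hypothetical, the sample kubeconfig is constructed with a placeholder PEM body, and only the first `certificate-authority-data` entry is handled.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; handles the first cluster entry only.

# Print the base64 value of the first certificate-authority-data key.
ca_data() {
    awk '$1 == "certificate-authority-data:" { print $2; exit }' "$1"
}

# Succeed only if the decoded PEM ends with a newline byte (0x0a).
# Command substitution strips trailing newlines, so inspect the last byte with od.
ca_has_trailing_newline() {
    last=$(ca_data "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

# Print the CA value re-encoded with a newline appended after the END line.
ca_data_fixed() {
    { ca_data "$1" | base64 -d; printf '\n'; } | base64 | tr -d '\n'
}

# Write a copy of kubeconfig $1 to $2, repairing the CA value if needed.
fix_kubeconfig() {
    if ca_has_trailing_newline "$1"; then
        cp "$1" "$2"
        return 0
    fi
    fixed=$(ca_data_fixed "$1")
    awk -v v="$fixed" '
        $1 == "certificate-authority-data:" && !done {
            sub(/certificate-authority-data:.*/, "certificate-authority-data: " v)
            done = 1
        }
        { print }' "$1" > "$2"
}

# Constructed sample kubeconfig: placeholder PEM body, no newline after the END line.
sample=$(mktemp)
repaired=$(mktemp)
pem=$(printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' | base64 | tr -d '\n')
printf 'clusters:\n- cluster:\n    certificate-authority-data: %s\n' "$pem" > "$sample"

ca_has_trailing_newline "$sample" || echo "sample: no newline after END line"
fix_kubeconfig "$sample" "$repaired"
ca_has_trailing_newline "$repaired" && echo "repaired copy: newline present"
```

The repaired file is written as a copy, so the original kubeconfig stays untouched until the copy has been checked.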