Issue talking to Kube API secure #31

Open
Rizbe opened this issue Mar 10, 2017 · 3 comments

Rizbe commented Mar 10, 2017

Converted my SSL certs using:
openssl x509 -pubkey -noout -in ca.pem > ca.pub

./check-kube-nodes-ready.rb  -s https://IP:port/api/ --token-file /etc/kubernetes/token --ca-file /etc/kubernetes/cacert.pem  --key /etc/kubernetes/ca-key.pub --cert /etc/kubernetes/ca.pub 
Check failed to run: Unable to read client certificate: nested asn1 error, ["/opt/sensu/embedded/lib/ruby/gems/2.3.0/gems/sensu-plugins-kubernetes-0.1.2/lib/sensu-plugins-kubernetes/client.rb:68:in `initialize'", "/opt/sensu/embedded/lib/ruby/gems/2.3.0/gems/sensu-plugins-kubernetes-0.1.2/lib/sensu-plugins-kubernetes/client.rb:68:in `new'", "/opt/sensu/embedded/lib/ruby/gems/2.3.0/gems/sensu-plugins-kubernetes-0.1.2/lib/sensu-plugins-kubernetes/client.rb:68:in `kubeclient'", "/opt/sensu/embedded/lib/ruby/gems/2.3.0/gems/sensu-plugins-kubernetes-0.1.2/lib/sensu-plugins-kubernetes/cli.rb:77:in `initialize'", "/opt/sensu/embedded/lib/ruby/gems/2.3.0/gems/sensu-plugin-1.4.4/lib/sensu-plugin/cli.rb:57:in `new'", "/opt/sensu/embedded/lib/ruby/gems/2.3.0/gems/sensu-plugin-1.4.4/lib/sensu-plugin/cli.rb:57:in `block in <class:CLI>'"]

Running Ubuntu 14:04 with Sensu 28.2

@majormoses
Member

I assume this is self signed?

@geekofalltrades

More readable version of your command line:

./check-kube-nodes-ready.rb \
-s https://IP:port/api/ \
--token-file /etc/kubernetes/token \
--ca-file /etc/kubernetes/cacert.pem \
--key /etc/kubernetes/ca-key.pub \
--cert /etc/kubernetes/ca.pub

First, you should be using either --cert and --key or --token-file, not both. Kubernetes authentication options are documented here: https://kubernetes.io/docs/admin/authentication/

--cert and --key are for X509 Client Cert auth, and --token-file is for Static Token File auth.

When using --key, you need to provide the private key associated with the cert, not the public key. And then, that will only work if the apiserver is configured correctly with the --client-ca-file option.

Finally, I don't think you want the /api URL on the end of your apiserver in this call. You should have scheme, host, and port there.
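
The mix-up diagnosed in the comment above (public keys extracted with `openssl x509 -pubkey` passed as `--cert` and `--key`) can be caught before the check runs. This is an added example, not code from the thread or from sensu-plugins-kubernetes; `pem_kind`, `client_auth_problems` and `constructed_sample` are hypothetical helpers, and the self-signed certificate is generated inline as constructed sample data.

```ruby
require 'openssl'

# Hypothetical helper: report what a PEM string actually contains.
def pem_kind(pem)
  OpenSSL::X509::Certificate.new(pem) # raises when the PEM is not a certificate
  :certificate
rescue OpenSSL::X509::CertificateError
  begin
    OpenSSL::PKey.read(pem).private? ? :private_key : :public_key
  rescue OpenSSL::PKey::PKeyError, ArgumentError # error class varies by openssl gem version
    :unknown
  end
end

# Hypothetical preflight for X509 client cert auth: --cert must be a
# certificate, --key must be its private key, and the two must match.
def client_auth_problems(cert_pem, key_pem)
  problems = []
  cert_kind = pem_kind(cert_pem)
  key_kind = pem_kind(key_pem)
  problems << "--cert is a #{cert_kind}, expected a certificate" unless cert_kind == :certificate
  problems << "--key is a #{key_kind}, expected a private key" unless key_kind == :private_key
  if problems.empty?
    cert = OpenSSL::X509::Certificate.new(cert_pem)
    problems << '--key does not match --cert' unless cert.check_private_key(OpenSSL::PKey.read(key_pem))
  end
  problems
end

# Constructed sample data: a throwaway self-signed cert, its private key, and
# the bare public key (the kind of output `openssl x509 -pubkey -noout` gives).
def constructed_sample
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=sensu-check-example')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  { cert: cert.to_pem, key: key.to_pem, pubkey: key.public_key.to_pem }
end

if __FILE__ == $PROGRAM_NAME
  s = constructed_sample
  puts client_auth_problems(s[:pubkey], s[:pubkey]) # public keys in both slots, as in the issue
  puts client_auth_problems(s[:cert], s[:key]).empty? ? 'cert/key pair OK' : 'unexpected'
end
```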

@majormoses
Member

@Rizbe does that help?
