I'm glad I could help.

On Sep 28, 2017 2:00 PM, "Henning Sprang" <henning.spr...@gmail.com> wrote:
> Hi Nathan,
>
> Thanks for the hint.
>
> The result of the command is:
>
> Certificate purposes:
> SSL client : No
> SSL client CA : No
> SSL server : Yes
> SSL server CA : No
> Netscape SSL server : Yes
> Netscape SSL server CA : No
> S/MIME signing : No
> S/MIME signing CA : No
> S/MIME encryption : No
> S/MIME encryption CA : No
> CRL signing : No
> CRL signing CA : No
> Any Purpose : Yes
> Any Purpose CA : Yes
> OCSP helper : Yes
> OCSP helper CA : No
>
> So, when I compare this to the certificate that my minikube installation
> uses, the SSL client part is missing and should be set to yes probably.
>
> I cannot compare it to the certificate automatically added to my kubectl
> config file when creating the cluster because I have no idea how to make a
> valid certificate ASCII file from the stuff in the kubectl config.
>
> So the question was, how can I create a certificate / certificate request
> / key?
>
> It turned out to be
>
> cat <<EOF | kubectl create -f -
> apiVersion: certificates.k8s.io/v1beta1
> kind: CertificateSigningRequest
> metadata:
>   name: $CERTIFICATE_NAME
> spec:
>   groups:
>   - system:authenticated
>   request: $(cat $CSR_FILE | base64 | tr -d '\n')
>   usages:
>   - digital signature
>   - key encipherment
>   - client auth
> EOF
>
> Where the last line "client auth" used to be "server auth" before.
> With client auth it works now! Thanks for the hint.
>
> Henning
>
> On Thursday, September 28, 2017 at 5:51:24 PM UTC+2, Nathan Taylor wrote:
>>
>> It's interesting that the logs are stating that it is a keyusage error.
>> Can you get the keyusage for your generated cert and the ca.crt you used to
>> generate it? The command to do so is:
>>
>> openssl x509 -in <certificate to check> -purpose -noout -text
>>
>> Nathan
>>
>> On Wednesday, September 27, 2017 at 6:39:54 AM UTC-6, Henning Sprang wrote:
>>>
>>> Hi,
>>>
>>> After setting up a small cluster I want to enable other users (and a
>>> Jenkins server running outside the cluster) to access the cluster and manage
>>> deployments, preferably with its own namespace for each application
>>> consisting of multiple services.
>>>
>>> So taking the information from
>>> https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/#use-case-1-create-user-with-limited-namespace-access
>>> and https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/ I
>>> figured out I have to create a user with this script:
>>>
>>> https://gist.github.com/henning/2dda0b704426c66e78e355703a8dc177
>>>
>>> The problem is, when I try to run a command with this user/certificate,
>>> I keep getting errors - on the command line:
>>>
>>> "error: You must be logged in to the server (the server has asked for
>>> the client to provide credentials)"
>>>
>>> and even if this sounds like the client didn't even send a certificate,
>>> in the log of the API server it says:
>>>
>>> "E0926 22:00:34.165133 5 authentication.go:58] Unable to
>>> authenticate the request due to an error: x509: certificate specifies an
>>> incompatible key usage"
>>>
>>> so actually it seems like the client sends a certificate, but it's
>>> somehow not correct/sufficient.
>>>
>>> I searched the web to find out what to do about it and tried multiple
>>> things (for example adding a Usage extension to the CSR, switched between
>>> creating the key and certificate request with the openssl client as well as
>>> cfssl, and with different versions of openssl on MacOS and Linux) - all
>>> with the same result.
>>>
>>> So, my questions:
>>>
>>> * any further thing I can check for to solve this?
>>> * is the way I try to do it generally right, or would it be
>>> better/easier to create a password file like described here?
>>> https://kubernetes.io/docs/admin/authentication/#static-password-file
>>>
>>> Thanks in advance, and please let me know if there is any more
>>> information needed that I might have forgotten.
>>>
>>> Henning
>>>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Kubernetes user discussion and Q&A" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/kubernetes-users/-J0OHXORqeQ/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> kubernetes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to kubernetes-users@googlegroups.com.
> Visit this group at https://groups.google.com/group/kubernetes-users.
> For more options, visit https://groups.google.com/d/optout.
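An added example, not part of this thread or of Kubernetes itself: a small Go check built on the same crypto/x509 package kube-apiserver uses. It takes a kubeconfig's client-certificate-data value (which is just the PEM certificate, base64-encoded) and reports whether the certificate's extended key usage would pass client authentication, distinguishing the "server auth"-only certificate from the thread from one requested with "client auth". The function names and the self-signed IssueCert helper (a constructed stand-in for the cluster CA) are my own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// CheckKubeconfigClientCert takes the base64 value of client-certificate-data from
// a kubeconfig (base64 of the PEM file) and reports whether kube-apiserver's x509
// verifier would accept the leaf's extended key usage for client auth.
func CheckKubeconfigClientCert(b64 string) (bool, error) {
	pemBytes, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return false, err
	}
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("client-certificate-data is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	// No EKU extension at all counts as unrestricted in Go's verifier; otherwise
	// clientAuth or anyExtendedKeyUsage is needed. serverAuth alone fails.
	ok := len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0
	for _, eku := range cert.ExtKeyUsage {
		ok = ok || eku == x509.ExtKeyUsageClientAuth || eku == x509.ExtKeyUsageAny
	}
	return ok, nil
}

// IssueCert is a constructed stand-in for the cluster CA: self-signed leaf, given EKUs.
func IssueCert(ekus ...x509.ExtKeyUsage) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error ignored: constructed helper
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: ekus}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err) // only a malformed template can get here in this helper
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return base64.StdEncoding.EncodeToString(pemBytes)
}
```

The same decoding answers the "ASCII file from the kubectl config" question: piping the client-certificate-data value through `base64 -d` yields the PEM file that the `openssl x509 -purpose -noout -text` command from the thread accepts.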