grafeas/kritis

Helm install fails on k8s v1.19

microhod opened this issue · 11 comments

Expected Behavior

Following the standalone install doc, running setup-grafeas.sh and setup-kritis.sh installs correctly on all released k8s versions.

(I've tested and this does work on 1.17 and 1.18, so it seems the issue is limited to 1.19)

Actual Behavior

kritis-preinstall fails with the following log

time="2020-10-01T16:17:20Z" level=info msg="contents of /var/run/secrets/kubernetes.io/serviceaccount/namespace: default"
time="2020-10-01T16:17:20Z" level=info msg="running preinstall\nversion v0.2.2\ncommit: bea073f2a2f299af94363dc399b7780fde8f2afc"
Error from server (NotFound): certificatesigningrequests.certificates.k8s.io "tls-webhook-secret-cert" not found
Error from server (NotFound): secrets "tls-webhook-secret" not found
time="2020-10-01T16:17:21Z" level=info msg="[cfssl genkey -]"
time="2020-10-01T16:17:21Z" level=info msg="{\"csr\":\"-----BEGIN CERTIFICATE REQUEST-----...-----END CERTIFICATE REQUEST-----\\n\",\"key\":\"-----BEGIN EC PRIVATE KEY-----...-----END EC PRIVATE KEY-----\\n\"}\n"
time="2020-10-01T16:17:21Z" level=info msg="[cfssljson -bare server]"
time="2020-10-01T16:17:21Z" level=info
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
    name: tls-webhook-secret-cert
    labels:
        kritis.grafeas.io/install: ""
spec:
    groups:
    - system:authenticated
    request: <REDACTED>
    usages:
    - digital signature
    - key encipherment
    - server auth
time="2020-10-01T16:17:22Z" level=info msg="[kubectl apply -f -]"
time="2020-10-01T16:17:22Z" level=info msg="certificatesigningrequest.certificates.k8s.io/tls-webhook-secret-cert created\n"
time="2020-10-01T16:17:22Z" level=info msg="[kubectl certificate approve tls-webhook-secret-cert]"
time="2020-10-01T16:17:22Z" level=info msg="No resources found\n"
time="2020-10-01T16:17:22Z" level=error msg="error: no kind \"CertificateSigningRequest\" is registered for version \"certificates.k8s.io/v1\" in scheme \"k8s.io/kubectl/pkg/scheme/scheme.go:28\"\n"
time="2020-10-01T16:17:22Z" level=fatal msg="exit status 1"

Steps to Reproduce the Problem

Environment

  • Windows Version 10.0.19041 Build 19041 (using WSL 1 to run shell scripts)
  • helm v3.3.1
  • kubectl v1.18.0
  • minikube v1.13.0

minikube start --kubernetes-version="v1.19.0"
git clone https://github.com/grafeas/kritis
cd ./kritis/docs/standalone
./setup_grafeas.sh
./setup_kritis.sh
kubectl logs kritis-preinstall

CertificateSigningRequest changed in v1.19 in such a way that this process breaks.

https://v1-19.docs.kubernetes.io/docs/setup/release/notes/#api-change

The CertificateSigningRequest API is promoted to certificates.k8s.io/v1 with the following changes:

  • spec.signerName is now required, and requests for kubernetes.io/legacy-unknown are not allowed to be created via
    the certificates.k8s.io/v1 API

When you run the helm install ... it generates:

$ kubectl get csr
NAME                      AGE    SIGNERNAME                            REQUESTOR                                                              CONDITION
tls-webhook-secret-cert   75s    kubernetes.io/legacy-unknown          system:serviceaccount:kritis-charts:kritis-preinstall-serviceaccount   Pending

Any workaround or fix available to install in k8s 1.19+ versions?

As far as I can tell, there are no workarounds. The areas in which these changes need to be made are in a compiled binary from an external (to this repo) code base, which I couldn't find.

jsbah commented

Yes, @aysylu , this is the issue.

@jsbah thanks for confirming! @FearTheBadger @sriramachelankuri @microhod would the preference be to migrate everything on k8s 1.19+, or is there a need for the earlier versions support as well?

I think supporting v1.19+ would be fine. There's already 2 versions ahead of 1.19 now.

Hi, running into the same issue trying to set up Grafeas and Kritis in standalone mode.

Are there any suggestions on how to fix this or which parts need updating? I can spend some time, but a pointer where to start investigating would be great.

Has someone found a solution to make this run in 1.19+ k8s versions? I'm running into the same problem.

I found out in the preinstall config (https://github.com/grafeas/kritis/blob/master/helm-hooks/preinstall/preinstall.go) there's the kind: CertificateSigningRequest. Is it possible to change this yaml definition to change 2 features:

  1. Update the apiVersion from v1beta1 to v1
  2. Add the signerName: kubernetes.io/kube-apiserver-client line in order to avoid the kubernetes.io/legacy-unknown as @FearTheBadger just mentioned it.

It'll look something like this.

kind: CertificateSigningRequest
metadata:
    name: {{ .Name }}
    labels:
        {{ .KritisInstallLabel }}: ""
spec:
    groups:
    - system:authenticated
    request: {{ .Certificate }}
    signerName: kubernetes.io/kube-apiserver-client
    usages:
    - digital signature
    - key encipherment
    - server auth
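Added example, not part of the thread or of the kritis code base: a small Go lint for the CSR fields discussed above, applying the v1 rules quoted from the release notes and checking the manifest's apiVersion against what the cluster serves. The `CSR` struct, `Lint` function and sample inputs are hypothetical and constructed; the permitted-usage set for `kubernetes.io/kube-apiserver-client` is taken from the Kubernetes signer documentation, not from this page.

```go
package main

import (
	"fmt"
	"strings"
)

// CSR holds the manifest fields affected by the v1beta1 -> v1 promotion.
type CSR struct {
	APIVersion, SignerName string
	Usages                 []string
}

// Lint checks a CSR manifest against the group/versions the cluster serves
// (as printed by `kubectl api-versions`) and against the v1 rules.
func Lint(c CSR, served string) []string {
	var problems []string
	isServed := false
	for _, gv := range strings.Fields(served) {
		isServed = isServed || gv == c.APIVersion
	}
	if !isServed {
		problems = append(problems, "apiVersion "+c.APIVersion+" is not served by this cluster")
	}
	if c.APIVersion != "certificates.k8s.io/v1" {
		return problems // signerName is optional in v1beta1
	}
	switch c.SignerName {
	case "":
		problems = append(problems, "spec.signerName is required in v1")
	case "kubernetes.io/legacy-unknown":
		problems = append(problems, "kubernetes.io/legacy-unknown cannot be requested through v1")
	case "kubernetes.io/kube-apiserver-client":
		allowed := map[string]bool{"client auth": true, "digital signature": true, "key encipherment": true}
		for _, u := range c.Usages {
			if !allowed[u] { // outside this signer's documented permitted usages
				problems = append(problems, fmt.Sprintf("usage %q is not permitted by %s", u, c.SignerName))
			}
		}
	}
	return problems
}

func main() {
	// Constructed inputs: a cluster serving only v1, and the two manifests from the thread.
	served := "apps/v1\ncertificates.k8s.io/v1\nv1"
	usages := []string{"digital signature", "key encipherment", "server auth"}
	fmt.Println(Lint(CSR{"certificates.k8s.io/v1beta1", "", usages}, served))
	fmt.Println(Lint(CSR{"certificates.k8s.io/v1", "kubernetes.io/kube-apiserver-client", usages}, served))
}
```

On a cluster that serves both versions (1.19 through 1.21), pass the full `kubectl api-versions` output as `served` and the v1beta1 manifest lints clean.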

Sud8 commented

@aysylu I am running into the same issue in K8s version 1.23.8. Any pointers to fix this?

I am also facing the same issue when I am trying to run setup.kritis.sh

time="2023-06-07T10:21:06Z" level=info msg="contents of /var/run/secrets/kubernetes.io/serviceaccount/namespace: default"
time="2023-06-07T10:21:06Z" level=info msg="running preinstall\nversion v0.2.2\ncommit: bea073f"
Error from server (NotFound): certificatesigningrequests.certificates.k8s.io "tls-webhook-secret-cert" not found
Error from server (NotFound): secrets "tls-webhook-secret" not found
time="2023-06-07T10:21:06Z" level=info msg="[cfssl genkey -]"
time="2023-06-07T10:21:06Z" level=info msg="[cfssljson -bare server]"
time="2023-06-07T10:21:06Z" level=info
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
    name: tls-webhook-secret-cert
    labels:
        kritis.grafeas.io/install: ""
spec:
    groups:
    - system:authenticated
    request: <REDACTED>
    usages:
    - digital signature
    - key encipherment
    - server auth
time="2023-06-07T10:21:07Z" level=info msg="[kubectl apply -f -]"
time="2023-06-07T10:21:07Z" level=info
time="2023-06-07T10:21:07Z" level=error msg="error: unable to recognize "STDIN": no matches for kind "CertificateSigningRequest" in version "certificates.k8s.io/v1beta1"\n"
time="2023-06-07T10:21:07Z" level=fatal msg="exit status 1"

@aysylu Is there any proper documentation on how to resolve this error? Need this as soon as possible. I am unable to solve this issue.

This pre-install pod is still failing in v1.19 minikube cluster.

I am using version 1.23 and I am not able to pass this pre-install stage. I can see that @judavi has worked around this issue, but I am not able to get what exactly to do to solve this issue in these docs.
Does anyone know how to solve this issue? Is there any mistake in the configuration part from my end that I am missing? I am not able to figure it out.
@aysylu @Sud8 @carlosbmg