我目前正在尝试在 Kubernetes 集群上创建证书签名请求资源,然后批准它。我正在使用 go-client 执行此操作,但我面临审批流程的问题。
这里是负责定义 csr 结构体的函数:
func PopulateCSR(UserName string, csrPemBlock []byte) corev1.CertificateSigningRequest {
var seconds int32 = 315569260
usages := []corev1.KeyUsage{
"digital signature", "key encipherment", "client auth",
}
csr := corev1.CertificateSigningRequest{
TypeMeta: v1.TypeMeta{
Kind: "CertificateSigningRequest",
APIVersion: "certificates.k8s.io/v1",
},
ObjectMeta: v1.ObjectMeta{
Name: UserName + "-csr",
},
Spec: corev1.CertificateSigningRequestSpec{
Request: csrPemBlock,
SignerName: "kubernetes.io/kube-apiserver-client",
ExpirationSeconds: &seconds,
Usages: usages,
},
Status: corev1.CertificateSigningRequestStatus{
Conditions: []corev1.CertificateSigningRequestCondition{
{
Type: corev1.CertificateApproved,
Status: "True",
},
},
},
}
return csr
}
以下是负责在集群上创建 CSR 资源的函数:
func CreateCSR(csr *corev1.CertificateSigningRequest, clientSet *kubernetes.Clientset) {
_, err := clientSet.CertificatesV1().CertificateSigningRequests().Create(context.Background(), csr, v1.CreateOptions{})
if err != nil {
fmt.Printf("error while trying to create CSR: %v\n", err.Error())
os.Exit(1)
}
}
然后我尝试使用此功能批准 csr:
func approveCSR(csr *corev1.CertificateSigningRequest, clientSet *kubernetes.Clientset) {
csr.Status.Conditions = append(csr.Status.Conditions, corev1.CertificateSigningRequestCondition{
Type: corev1.CertificateApproved,
Reason: "User activation",
Message: "This CSR was approved",
LastUpdateTime: v1.Now(),
})
_, err := clientSet.CertificatesV1().CertificateSigningRequests().UpdateApproval(context.Background(), csr.ObjectMeta.Name, csr, v1.UpdateOptions{})
if err != nil {
fmt.Printf("error while trying to approve CSR: %v\n", err.Error())
os.Exit(1)
}
fmt.Println("CSR was successfully approved")
}
这样做时我遇到以下错误: 尝试批准 CSR 时出错:CertificateSigningRequest.certificates.k8s.io“user-csr”无效:status.conditions[0].status:必需值 退出状态1
因此,我没有使用此函数,而是尝试通过添加如下所示的 CertificateSigningRequestStatus 字段来调整 CSR 结构本身:
csr := corev1.CertificateSigningRequest{
TypeMeta: v1.TypeMeta{
Kind: "CertificateSigningRequest",
APIVersion: "certificates.k8s.io/v1",
},
ObjectMeta: v1.ObjectMeta{
Name: UserName + "-csr",
},
Spec: corev1.CertificateSigningRequestSpec{
Request: csrPemBlock,
SignerName: "kubernetes.io/kube-apiserver-client",
ExpirationSeconds: &seconds,
Usages: usages,
},
Status: corev1.CertificateSigningRequestStatus{
Conditions: []corev1.CertificateSigningRequestCondition{
{
Type: corev1.CertificateApproved,
Status: "True",
},
},
Certificate: nil,
},
}
但是此后集群上的 csr 状态仍处于待处理状态。我尝试将与 Spec 子资源中相同的 csrPemBlock 添加到证书而不是 nil,但没有得到积极的结果。有谁知道如何在创建证书时或之后批准证书?
我没有你的问题的具体答案,但这在这种情况下对我有帮助:
您能通过
kubectl certificate approve csr-name
成功批准CSR吗?如果是,我将以日志级别 8 执行 kubectl (kubectl certificate approve csr-name -v=8
)。
这会强制
kubectl
记录每个 api 请求,包括。请求和响应数据。如果您有此信息,您也许能够看到您的 go 代码缺少什么。
添加
Status
并将其设置为corev1.ConditionTrue
import (
...
certsv1 "k8s.io/api/certificates/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
...
)
csr.Status.Conditions = append(csr.Status.Conditions,
certsv1.CertificateSigningRequestCondition{
Status: corev1.ConditionTrue,
Type: certsv1.CertificateApproved,
Reason: "foo-bar,
Message: "foo-bar",
LastTransitionTime: metav1.Now(),
})