How to create a "CertificateSigningRequest" with apiVersion "certificates.k8s.io/v1" for a webhook

Question

I have a wehook running in my cluster.

I created a certificate and signed it successfully.

certificate configuration:

cat > csr.conf <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = s-controller.ns-controller
DNS.2 = s-controller.ns-controller.svc
EOF

I them create the certificate as following:

openssl genrsa -out server-key.pem 2048
openssl req -new -key server-key.pem -subj "/CN=s-controller.ns-controller.svc" -out server.csr -config csr.conf

certificate signing request (v1beta1)

cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
    name: csr-controller
spec:
    groups:
    - system:authenticated
    request: $(cat server.csr | base64 | tr -d '\n')
    usages:
    - digital signature
    - key encipherment
    - server auth
EOF

This worked just fine!

Since I updated my kubernetes version, I get the following warning: Warning: certificates.k8s.io/v1beta1 CertificateSigningRequest is deprecated in v1.19+, unavailable in v1.22+; use certificates.k8s.io/v1, I updated the CertificateSigningRequest so now it is as following:

cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
    name: csr-controller
spec:
    groups:
    - system:authenticated
    request: $(cat server.csr | base64 | tr -d '\n')
    signerName: kubernetes.io/kube-apiserver-client
    usages:
    - digital signature
    - key encipherment
    - client auth
EOF

And now the api server fails to connect to my webhook: Post "https://s-controller.ns-controller.svc:443/mutate?timeout=30s": x509: certificate specifies an incompatible key usage

I tried updateding the certificate configuration to extendedKeyUsage = clientAuth but it didnt help.

Any idea what is the correct signerName and configuration to the certificates.k8s.io/v1 apiVersion

Answer 1

I haven't managed to create a CertificateSigningRequest as I wished, HOWEVER I bypassed the issue by create my own CA as following:

First, I edited my certificate configurations file so it will include a commonName and currect extendedKeyUsage :

cat > csr.conf <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
CN = s-controller.ns-controller.svc
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = s-controller.ns-controller
DNS.2 = s-controller.ns-controller.svc
EOF

Generate CA certificate (notice the -days 365)

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt -subj "/CN=admission_ca"

Generate tls key and certificdate

openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -config csr.conf
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -extensions v3_req -extfile csr.conf

Create a kubernetes tls secret for the webhook

kubectl create secret tls webhook-tls --cert=server.crt --key=server.key

Set the CA_BUNDLE

export CA_BUNDLE=$(cat ca.crt | base64 | tr -d '\n')

Remove all generated files

rm ca.crt 
rm ca.key 
rm server.key
rm server.csr
rm server.crt

In my webhhok, I have a volume volumeMount:

volume:

volumes:
- name: tls-vol
    secret:
      secretName: webhook-tls

volumeMount:

volumeMounts:
- name: tls-vol
  mountPath: /etc/webhook/certs
  readOnly: true

And the comantainer args

args:
- -tlsCertFile=/etc/webhook/certs/tls.crt
- -tlsKeyFile=/etc/webhook/certs/tls.key