Hi Team,
I was following steps as mentioned in Kubernetes Sidecar Client | Ziti.
While adding the jwt via k8s secrets, it complained like this:
x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
It showed something like this:
root@ubuntu:/home/ubuntu# kubectl create secret generic Docker-Ziti-Tunnel-Test.jwt --from-file=/home/ubuntu/DockerVolumes/NetFoundry/Docker-Ziti-Tunnel-Test/Docker-Ziti-Tunnel-Test.jwt
error: failed to create secret Post "https://192.168.3.4:6443/api/v1/namespaces/default/secrets?fieldManager=kubectl-create": x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
root@ubuntu:/home/ubuntu#
I am running it on:
OS: Ubuntu 20.04
K8S:
root@ubuntu:/home/ubuntu# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.2", GitCommit:"092fbfbf53427de67cac1e9fa54aaa09a28371d7", GitTreeState:"clean", BuildDate:"2021-06-16T12:57:56Z", GoVersion:"go1.16.5", Compiler:"gc", Platform:"linux/amd64"}
I have already created the endpoint via NF console in the network.
I didn't find any documentation on the NF site or a topic in https://openziti.discourse.group/.
Please help with a solution.
Thanks
Sameer
Hi Sameer,
The unknown authority error seems to indicate that your selected kubeconfig context lacks a cluster definition for the Kubernetes API. Are you able to run any kubectl command at all? For example:
kubectl get secrets
You may inspect the kubeconfig with this command:
kubectl config view
You may find that the CA’s certificate is known by a filepath or encoded inline in kubeconfig file. Either way, the CA certificate data must be the issuer of the server certificate of the k8s API at https://192.168.3.4:6443/.
Hi,
You were correct, I didn't set the KUBECONFIG path. Once set, the command executed, but it still threw an error like the one below:
root@ubuntu:/home/ubuntu# kubectl create secret generic Docker-Ziti-Tunnel-Test.jwt --from-file=/home/ubuntu/DockerVolumes/NetFoundry/Docker-Ziti-Tunnel-Test/Docker-Ziti-Tunnel-Test.jwt
error: failed to create secret Secret "Docker-Ziti-Tunnel-Test.jwt" is invalid: metadata.name: Invalid value: "Docker-Ziti-Tunnel-Test.jwt": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')
root@ubuntu:/home/ubuntu/K8S/#
Did I miss anything here?
~Sameer
Sameer,
The syntax of the command is a bit awkward. The value of the --from-file parameter has two parts separated by a = character:
- the key name under which to store the secret data
- the file from which to obtain the secret data
In this case the Kubernetes secret and the key name are both “tunnel-sidecar.jwt”. This key name allows the mounted secret to appear as the expected filename in the container.
kubectl create secret generic tunnel-sidecar.jwt --from-file tunnel-sidecar.jwt=${PWD}/Linux1.jwt
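As an added illustration of the two points above (this is example code, not from the thread or the Ziti project), the shell function below checks a Secret name against the RFC 1123 subdomain regex quoted in the API server's error, splits the --from-file value into key and file the way kubectl does (the key defaults to the file's basename when no = is given), and renders the Secret manifest that the command would POST, so you can see which name becomes the mounted filename. The sample jwt content is constructed.

```shell
#!/bin/sh
# Added example: model the validation and --from-file handling behind
# "kubectl create secret generic NAME --from-file KEY=FILE".

# RFC 1123 subdomain pattern, as quoted in the API server's error message.
DNS1123_SUBDOMAIN='^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'

# is_dns1123_subdomain NAME -> returns 0 when NAME is an acceptable Secret name.
is_dns1123_subdomain() {
    [ "${#1}" -le 253 ] && printf '%s\n' "$1" | grep -Eq "$DNS1123_SUBDOMAIN"
}

# render_secret NAME FROM_FILE_VALUE -> prints the Secret manifest kubectl would send.
# FROM_FILE_VALUE is either "KEY=FILE" or just "FILE" (key = basename of FILE).
render_secret() {
    name=$1
    case $2 in
        *=*) key=${2%%=*}; file=${2#*=} ;;           # explicit key name
        *)   key=$(basename "$2"); file=$2 ;;        # kubectl's default key
    esac
    is_dns1123_subdomain "$name" || { echo "invalid secret name: $name" >&2; return 1; }
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # The key under data: is the filename the sidecar sees once the Secret is mounted.
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
        "$name" "$key" "$(base64 < "$file" | tr -d '\n')"
}

# Constructed sample: a stand-in for Linux1.jwt, not a real enrollment token.
sample_jwt=$(mktemp)
printf 'eyJhbGciOiJFUzI1NiJ9.constructed-sample.sig' > "$sample_jwt"

# The name from the thread fails (uppercase letters); the lowercase one passes.
is_dns1123_subdomain "Docker-Ziti-Tunnel-Test.jwt" || echo "rejected: Docker-Ziti-Tunnel-Test.jwt"
render_secret tunnel-sidecar.jwt "tunnel-sidecar.jwt=$sample_jwt"
```

The manifest printed can be compared with `kubectl create secret generic ... --dry-run=client -o yaml` on a live cluster.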
Hi Ken,
I was able to execute the script by changing the name of the secret key to tunnel-sidecar.jwt. Also, the ziti tunnel on the sidecar is working fine. The test client was able to access the service I configured over NF.
Thanks
Sameer