crane-agent pod crashing with kind k8s 1.24 #345

Closed
figo opened this issue Jun 4, 2022 · 2 comments · May be fixed by #349
Labels
kind/bug Something isn't working

figo commented Jun 4, 2022

Describe the bug
crane-agent pod crashing with k8s 1.24

Reproduce steps

  1. create k8s 1.24 with kind on laptop
  2. follow https://docs.gocrane.io/dev/installation/ to install crane
  3. crane-agent crashing with error

Expected behavior
no crash on k8s 1.24
and it works fine with k8s 1.23.6

Screenshots
the crane-agent pod has the following error log

Failed to create noderesource tsp noderesource-kind-control-plane : Internal error occurred: failed calling webhook "vprediction.crane.io": failed to call webhook: Post "https://craned.crane-system.svc:443/validate-prediction-crane-io-v1alpha1-timeseriesprediction?timeout=10s": x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)" while trying to verify candidate authority certificate "crane")
F0604 19:18:32.945614       1 agent.go:60] Internal error occurred: failed calling webhook "vprediction.crane.io": failed to call webhook: Post "https://craned.crane-system.svc:443/validate-prediction-crane-io-v1alpha1-timeseriesprediction?timeout=10s": x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)" while trying to verify candidate authority certificate "crane")

Environment (please complete the following information):

  • K8S Version: 1.24
  • Crane Version: 0.5.0
  • Browser [e.g. chrome, safari]
@figo figo added the kind/bug Something isn't working label Jun 4, 2022
Member

zsnmwy commented Jun 6, 2022

The cert used the insecure algorithm SHA1-RSA.
That will be blocked by crypto/x509. golang/go#41682

I propose we announce in Go 1.17 that we'll remove support in Go 1.18, and provide a GODEBUG opt-out until Go 1.19.

And kind v0.14.0 is built by Go 1.18.2.

So you need to renew the cert with SHA256 if you want to use crane on kind v0.14.0.

We will fix it before the next release.

$ echo LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURPekNDQWlPZ0F3SUJBZ0lKQU9vSDdESmN5UkM4TUEwR0NTcUdTSWIzRFFFQkJRVUFNQkF4RGpBTUJnTlYKQkFNTUJXTnlZVzVsTUI0WERUSXlNREl5TWpFME16SXhOVm9YRFRNeU1ESXlNREUwTXpJeE5Wb3dJakVnTUI0RwpBMVVFQXd3WFkzSmhibVZrTG1OeVlXNWxMWE41YzNSbGJTNXpkbU13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBCkE0SUJEd0F3Z2dFS0FvSUJBUURLQ1VOc2JUT0NNUWMyL0pzWS9UVVp2NE0rM3h5OGE3K0ZTSkNFMTgyaWVJQnAKcWNTQXZKY2tCVjZodG0yUS8ycnR2M0QzWDJNL0NVYlg4M3dLY2tsSWttaC9oRlUrSkc2TVdKcmgwVUQzc1ZjTgpuTFlDaDFEczU0aGVOV3ZvTXJiZ1NRZkFYTVNhRmVwVU01M3NYdXIzcEozQmVCYTZDTGJKM0paeFdGR0l2L21XCkZKVFRhOS80MTI5TUNHZjIrTzN6aDZtSEdlZXBYQ0hQejQ1TlRKbmd4Q01nN3AxaTY2ano5UURLMk9JREdrbG0KS1ZoTEhWU2tFL1VMU3VWZVA4Wit5b1RJYndOVys0dVJFOSsydGFPaGZlSFcySTgxbHZ4VFZVZVRDbnFQa01mTAo4NVpKTnROUnJ6OSszSXJnYmpGaThSdHZDNlF1QkdkN0JHdGQ1YTFSQWdNQkFBR2pnWVV3Z1lJd0NRWURWUjBUCkJBSXdBREFMQmdOVkhROEVCQU1DQmVBd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3SUdDQ3NHQVFVRkJ3TUIKTUVrR0ExVWRFUVJDTUVDQ0YyTnlZVzVsWkM1amNtRnVaUzF6ZVhOMFpXMHVjM1pqZ2lWamNtRnVaV1F1WTNKaApibVV0YzNsemRHVnRMbk4yWXk1amJIVnpkR1Z5TG14dlkyRnNNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0SUJBUUJZCmtBcDVnWDQ1N2w0TFpDNkIyYUsxVWpHSzRFam4vUTRuSEhUWGNGVW0vN0tZeVJ5N1d2UjNmd1d3TnFNNDNrMXIKYjArS2Y4SDVvQUV5c2VJeXVVYW5ZVUQ0SGNHR1d0Yk05SnhpbDh4a1dQRy9yaEJJYkhEUkdYSkpXRTI0NVU5VwpOcGxsRmovT2xRYW45Y24rZGNqMGRzOWxHUHFzTVNlNXJ5eUZqSVRoeE1Za0FpZlJKak0yZkxGamExZTduR2lnCnhKZkFZK0RYbWJiQTJLN0Z0dmJHZUJjTXhCbFQwUEdlUWhJZVk2RVRJUDNRbHBnMnltdDJpejAvVXIzTzl1VmIKUFBJOWEzYjV0WG1nRUM3KzUwWVVYbHMwZUpEZlhWLzdlWS95SW45VGZjajJEb2d0cFYzM3JMWHovNS9XcWl3OQplQUxlSENmaDhmYzhld0RZT1JLUgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg | base64 -d | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ea:07:ec:32:5c:c9:10:bc
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = crane
        Validity
            Not Before: Feb 22 14:32:15 2022 GMT
            Not After : Feb 20 14:32:15 2032 GMT
        Subject: CN = craned.crane-system.svc
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ca:09:43:6c:6d:33:82:31:07:36:fc:9b:18:fd:
                    35:19:bf:83:3e:df:1c:bc:6b:bf:85:48:90:84:d7:
                    cd:a2:78:80:69:a9:c4:80:bc:97:24:05:5e:a1:b6:
                    6d:90:ff:6a:ed:bf:70:f7:5f:63:3f:09:46:d7:f3:
                    7c:0a:72:49:48:92:68:7f:84:55:3e:24:6e:8c:58:
                    9a:e1:d1:40:f7:b1:57:0d:9c:b6:02:87:50:ec:e7:
                    88:5e:35:6b:e8:32:b6:e0:49:07:c0:5c:c4:9a:15:
                    ea:54:33:9d:ec:5e:ea:f7:a4:9d:c1:78:16:ba:08:
                    b6:c9:dc:96:71:58:51:88:bf:f9:96:14:94:d3:6b:
                    df:f8:d7:6f:4c:08:67:f6:f8:ed:f3:87:a9:87:19:
                    e7:a9:5c:21:cf:cf:8e:4d:4c:99:e0:c4:23:20:ee:
                    9d:62:eb:a8:f3:f5:00:ca:d8:e2:03:1a:49:66:29:
                    58:4b:1d:54:a4:13:f5:0b:4a:e5:5e:3f:c6:7e:ca:
                    84:c8:6f:03:56:fb:8b:91:13:df:b6:b5:a3:a1:7d:
                    e1:d6:d8:8f:35:96:fc:53:55:47:93:0a:7a:8f:90:
                    c7:cb:f3:96:49:36:d3:51:af:3f:7e:dc:8a:e0:6e:
                    31:62:f1:1b:6f:0b:a4:2e:04:67:7b:04:6b:5d:e5:
                    ad:51
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:craned.crane-system.svc, DNS:craned.crane-system.svc.cluster.local
    Signature Algorithm: sha1WithRSAEncryption
         58:90:0a:79:81:7e:39:ee:5e:0b:64:2e:81:d9:a2:b5:52:31:
         8a:e0:48:e7:fd:0e:27:1c:74:d7:70:55:26:ff:b2:98:c9:1c:
         bb:5a:f4:77:7f:05:b0:36:a3:38:de:4d:6b:6f:4f:8a:7f:c1:
         f9:a0:01:32:b1:e2:32:b9:46:a7:61:40:f8:1d:c1:86:5a:d6:
         cc:f4:9c:62:97:cc:64:58:f1:bf:ae:10:48:6c:70:d1:19:72:
         49:58:4d:b8:e5:4f:56:36:99:65:16:3f:ce:95:06:a7:f5:c9:
         fe:75:c8:f4:76:cf:65:18:fa:ac:31:27:b9:af:2c:85:8c:84:
         e1:c4:c6:24:02:27:d1:26:33:36:7c:b1:63:6b:57:bb:9c:68:
         a0:c4:97:c0:63:e0:d7:99:b6:c0:d8:ae:c5:b6:f6:c6:78:17:
         0c:c4:19:53:d0:f1:9e:42:12:1e:63:a1:13:20:fd:d0:96:98:
         36:ca:6b:76:8b:3d:3f:52:bd:ce:f6:e5:5b:3c:f2:3d:6b:76:
         f9:b5:79:a0:10:2e:fe:e7:46:14:5e:5b:34:78:90:df:5d:5f:
         fb:79:8f:f2:22:7f:53:7d:c8:f6:0e:88:2d:a5:5d:f7:ac:b5:
         f3:ff:9f:d6:aa:2c:3d:78:02:de:1c:27:e1:f1:f7:3c:7b:00:
         d8:39:12:91

Here are some tips to renew the cert.

  1. Add -sha256 flag in /deploy/scripts/gencerts.sh

workdir=${1}
keydir=$workdir/keys
mkdir -p $keydir
echo Generating the CA cert and private key to ${keydir}
openssl req -days 3650 -nodes -new -x509 -keyout ${keydir}/ca.key -out ${keydir}/ca.crt -subj "/CN=crane"
echo Generating the private key for the webhook server
openssl genrsa -out ${keydir}/tls.key 2048
# Generate a Certificate Signing Request (CSR) for the private key, and sign it with the private key of the CA.
echo Signing the CSR, and generating cert into ${keydir}
openssl req -new -key ${keydir}/tls.key -subj "/CN=craned.crane-system.svc" -config ${workdir}/scripts/webhook.csr \
| openssl x509 -req -days 3650 -CA ${keydir}/ca.crt -CAkey ${keydir}/ca.key -CAcreateserial -out ${keydir}/tls.crt -extensions v3_req -extfile ${workdir}/scripts/webhook.csr

# Result
workdir=${1}
keydir=$workdir/keys
mkdir -p $keydir

echo Generating the CA cert and private key to ${keydir}
openssl req -days 3650 -sha256 -nodes -new -x509 -keyout ${keydir}/ca.key -out ${keydir}/ca.crt -subj "/CN=crane"

echo Generating the private key for the webhook server
openssl genrsa -out ${keydir}/tls.key 2048

# Generate a Certificate Signing Request (CSR) for the private key, and sign it with the private key of the CA.
echo Signing the CSR, and generating cert into ${keydir}
openssl req -new -sha256 -key ${keydir}/tls.key -subj "/CN=craned.crane-system.svc" -config ${workdir}/scripts/webhook.csr \
    | openssl x509 -req -sha256 -days 3650 -CA ${keydir}/ca.crt -CAkey ${keydir}/ca.key -CAcreateserial -out ${keydir}/tls.crt -extensions v3_req -extfile ${workdir}/scripts/webhook.csr

  2. Exec the script and get some new files - ca.crt tls.crt tls.key.
  3. Upgrade these resources

apiVersion: v1
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURPekNDQWlPZ0F3SUJBZ0lKQU9vSDdESmN5UkM4TUEwR0NTcUdTSWIzRFFFQkJRVUFNQkF4RGpBTUJnTlYKQkFNTUJXTnlZVzVsTUI0WERUSXlNREl5TWpFME16SXhOVm9YRFRNeU1ESXlNREUwTXpJeE5Wb3dJakVnTUI0RwpBMVVFQXd3WFkzSmhibVZrTG1OeVlXNWxMWE41YzNSbGJTNXpkbU13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBCkE0SUJEd0F3Z2dFS0FvSUJBUURLQ1VOc2JUT0NNUWMyL0pzWS9UVVp2NE0rM3h5OGE3K0ZTSkNFMTgyaWVJQnAKcWNTQXZKY2tCVjZodG0yUS8ycnR2M0QzWDJNL0NVYlg4M3dLY2tsSWttaC9oRlUrSkc2TVdKcmgwVUQzc1ZjTgpuTFlDaDFEczU0aGVOV3ZvTXJiZ1NRZkFYTVNhRmVwVU01M3NYdXIzcEozQmVCYTZDTGJKM0paeFdGR0l2L21XCkZKVFRhOS80MTI5TUNHZjIrTzN6aDZtSEdlZXBYQ0hQejQ1TlRKbmd4Q01nN3AxaTY2ano5UURLMk9JREdrbG0KS1ZoTEhWU2tFL1VMU3VWZVA4Wit5b1RJYndOVys0dVJFOSsydGFPaGZlSFcySTgxbHZ4VFZVZVRDbnFQa01mTAo4NVpKTnROUnJ6OSszSXJnYmpGaThSdHZDNlF1QkdkN0JHdGQ1YTFSQWdNQkFBR2pnWVV3Z1lJd0NRWURWUjBUCkJBSXdBREFMQmdOVkhROEVCQU1DQmVBd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3SUdDQ3NHQVFVRkJ3TUIKTUVrR0ExVWRFUVJDTUVDQ0YyTnlZVzVsWkM1amNtRnVaUzF6ZVhOMFpXMHVjM1pqZ2lWamNtRnVaV1F1WTNKaApibVV0YzNsemRHVnRMbk4yWXk1amJIVnpkR1Z5TG14dlkyRnNNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0SUJBUUJZCmtBcDVnWDQ1N2w0TFpDNkIyYUsxVWpHSzRFam4vUTRuSEhUWGNGVW0vN0tZeVJ5N1d2UjNmd1d3TnFNNDNrMXIKYjArS2Y4SDVvQUV5c2VJeXVVYW5ZVUQ0SGNHR1d0Yk05SnhpbDh4a1dQRy9yaEJJYkhEUkdYSkpXRTI0NVU5VwpOcGxsRmovT2xRYW45Y24rZGNqMGRzOWxHUHFzTVNlNXJ5eUZqSVRoeE1Za0FpZlJKak0yZkxGamExZTduR2lnCnhKZkFZK0RYbWJiQTJLN0Z0dmJHZUJjTXhCbFQwUEdlUWhJZVk2RVRJUDNRbHBnMnltdDJpejAvVXIzTzl1VmIKUFBJOWEzYjV0WG1nRUM3KzUwWVVYbHMwZUpEZlhWLzdlWS95SW45VGZjajJEb2d0cFYzM3JMWHovNS9XcWl3OQplQUxlSENmaDhmYzhld0RZT1JLUgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBeWdsRGJHMHpnakVITnZ5YkdQMDFHYitEUHQ4Y3ZHdS9oVWlRaE5mTm9uaUFhYW5FCmdMeVhKQVZlb2JadGtQOXE3Yjl3OTE5alB3bEcxL044Q25KSlNKSm9mNFJWUGlSdWpGaWE0ZEZBOTdGWERaeTIKQW9kUTdPZUlYalZyNkRLMjRFa0h3RnpFbWhYcVZET2Q3RjdxOTZTZHdYZ1d1Z2kyeWR5V2NWaFJpTC81bGhTVQowMnZmK05kdlRBaG45dmp0ODRlcGh4bm5xVndoejgrT1RVeVo0TVFqSU82ZFl1dW84L1VBeXRqaUF4cEpaaWxZClN4MVVwQlAxQzBybFhqL0dmc3FFeUc4RFZ2dUxrUlBmdHJXam9YM2gxdGlQTlpiOFUxVkhrd3A2ajVESHkvT1cKU1RiVFVhOC9mdHlLNEc0eFl2RWJid3VrTGdSbmV3UnJYZVd0VVFJREFRQUJBb0lCQUZsQmVHajVZVzBkN2RzTQpCQlVwSUFGdEN6V0dhZktRQTMrRmpGc3ozNlBzYW9iRHVvMUpROWhsQ3VhVWFwbEpUZHNVM1hwYnlNTzdmSEhCCkhzYWFzT2QvenV5dThOM1FTSXAyUm82RzNKWFE0ZTJna3dSUTlaNkR0MG92ZmFtS1ppSjJBUmVwcEMyU2l3Q0MKQVQzQXZUdUVuVEV3dFpHZ2NlaUNMSENNblJDMVBrR2JaYlVCQlU3K3E5ZGpPU25oOC9iQ0w0cVkxK2RpbGZMSQplMU1VbTBTSmN6MlgwWU1VLzFYMm9aT2I4UVBXYjM1QjJxcG9ESjhzbFlKdStRUjgxeFlsWWhsTnpvaThyRThCCmhlRVcxa3dLMDlqcmFTbE5zZEx1WW1iNC9mVzFqbTgzL1crMmNnUkVyU2hRdFQwOENMQ3dPVER2NjFYeUhFbGoKb1d6UlNrRUNnWUVBNVV3UE9nOVpBc0FRMXE2N1dicktaUXlaOFdkR1dPV1hUK09lYi80MG5vd1JzVVhWMWlRWQozbDlzeTVHYnNSRnFkaXd4UXUzNVJ0RjhqbDM1L1AvNGhyeENwS2tNTDdZaG1xUFNqelNWT2ZTWlJDbVhDdEdvCnVnbzhFUmQ4RzhGbmJJM1RUdlplS1BqaVRieER3Y3ZqUFdWODJONzZhK21ucVVUQ0ZlNDlZeWtDZ1lFQTRaQjgKTnJJNWFZSHFrUWNPLzRldzBsOUJ4SkViQ2thQ2liNG9ORzBzcXpSQ01KTmFXNTBYWnFHcjQ1eE80TnNnaWZjTQo1ZU9ueWhtMGd1K0ZJZ1c0REpVL1JiZ1BiQngzNUlpREIxUERHY05nZmYxVnVxTldYTTVHQ2RQck04UDRtYzlnCm1RYUtxaGZPYlJIUUQyc08rekxjTGh3b1dRdVRWdnlzSlliVnBla0NnWUVBNCtNWjV3eEYzTFBpaUZzVW5ITkcKbi9OTU5GMzl6bkF3V0JmUzZWOXVFSDBKUUhRMXVDUWNDell2dklvMGdHRGN2Q0hqdTY4ajVqeGhYR1VPQldLcApMODkvTklOR04weitUT0N3YmQ5R3lGak8wcTI3RGVlZGwzaUFoa1FlOXI3YStVcGpUc0VRaUF3RGJsckR4S0hNCmNNS2l1QyswRnZnYngrRXNPL3VSU3pFQ2dZRUF1WU1uWmFTMjZ6dGFPK1RlUlBMSVRuemhqbFQ1TkQ1QlpoL3EKMlJOaFJYMDVZdElONG9NVWwrZ25nbzh2b0djWUg5Lzd6NmFvZk9NZlB3RFhNZUFhT3Q4VXByWjJtS2ZoUXlleQorL2U3NGhoNTU2VFBPU3pVL29iM3UyVjdiNXVoZm42OEo1N2x0SGJYNDRSZTVnOWF4dVpSaCtySWxGT2MzbEg1CkV2UU9DdUVDZ1lBQ3Z2UjBoVW5jMjNqYXNNYXNwUFV
GTVFyeTFaTGtEdEcvWHMrUVlWSEFKWXpES2RaRUdoM1QKb3NNQng2STc2bDM3WjVEY05yb1hJZFJBUVJXVUxpUWIyelZMaG9LYjdzRXRmbDZmOUFnVnNXQjIvUjVVeHVKdQpKdHA1ZzNpUjZyd3dJZWJwYjRTR1VlcDByZXp5eFlwWXhaTHcyZHYwUEtYc3U0NzdCMFA3Vnc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
kind: Secret
metadata:
  name: webhook-server-tls
  namespace: crane-system
type: kubernetes.io/tls

All caBundles in webhooks.yaml

caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNuRENDQVlRQ0NRQ292Q0JOblRVSGZqQU5CZ2txaGtpRzl3MEJBUXNGQURBUU1RNHdEQVlEVlFRRERBVmoKY21GdVpUQWVGdzB5TWpBeU1qSXhORE15TVRWYUZ3MHpNakF5TWpBeE5ETXlNVFZhTUJBeERqQU1CZ05WQkFNTQpCV055WVc1bE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBNHVDWTl0YzhicFBxCm9rbFhFbDNZdk1XT280bjI3RWVDTW1rRmorbEE1aGxnMW1EanRlcUhXRVUzUDdJMURsTko4YXcraEdtN2hLdUMKZlFNT2xCQTJ4anNONi8vS0tuNU50YTB1cWY2T0NJeXFXQmtCRzV1WGRQRkoyODVmU1FRS1VqeHBwWmphK3NKLwpXOHJkWnFZVzN5eDc1S3kvZHBYVXlWVDVjbkxaU0V3d25yaDVQeVlZQ2ZNaVN4d2V6TzUzV09ZNmFlL2g2UmtjCjg3VmpMTktWajdhbXgyWUxWVi8zZHJvajFMRmpnU0gzUU1uTVk3ay8xeW1WeWM5YmwrUHFZMmhEZW40Qi85d24KeWYxMTJldnZlckk5bzJ3YVpPQmRUWVlxVVBRQkwzMmFYQWJaU1pHT3QyMk9VdzJKdDZwaGdQOGVYbmsyNzAwWgpMYlZ5TFI2SDBRSURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCU1hxQUZ2WVo4dXFHZlIyWmE1TEZzCi94amNXdFpZU0ppVldUM2UxbVFZaytwcHdHMUQ1ZFlzeTd0M2haUDNQRjJ3emxlT3h6ZUdJSGdqd21uc2pQWlMKakpHK2RqMW93OEt0SVY2WDdPR1hEaWxnVnJqazloRWFJOHJTSFlUeGplT2U1cnlLVVZ3MERRUXBmckg1VFVnVAp1WHpYTHdUaHlMWnF5ZDMyaTA3UDBRcGxuOUllRFVzMkdvTktsUE5NVHFLSXliQVg2WW83UWJxMUdLT2xwbXVhCklYbU9lcWJtM0NUY1FYMjNpVktPZzVEZ3R0eTAyNWRFc2s5cjJEV29NVjZtZWtKYmowUzIyd2p6a2Q2OUg5UmsKU1RlbmJ5bUt3bUNZUWJTd2RIZ2J4WjlVSUUwcDI5QkttR2pUdUp4d1B0NE0ySEVhbnBVbzZqSzVVdWZsd2dpbQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
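
An added example, not part of the thread or of the crane project: a standard-library Python scanner that finds the base64 PEM fields discussed above (tls.crt, caBundle) in manifest text and reports any certificate whose outer signatureAlgorithm is SHA-1 based, which is what the openssl dump in this comment shows by hand. The function names are hypothetical, and the sample certificates are constructed DER skeletons rather than real certificates.

```python
import base64
import re

# DER bodies of SHA-1 signature OIDs, which Go's crypto/x509 (1.18+) refuses to verify.
WEAK_SIG_OIDS = {bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
                 bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def outer_sig_oid(der):
    """OID bytes of Certificate.signatureAlgorithm (second element of the cert)."""
    _, cert_start, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, cert_start)    # step over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)     # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return der[oid_start:oid_end]

def weak_certs(manifest):
    """List (field, algorithm) for each base64 PEM field signed with SHA-1."""
    hits = []
    for field, b64 in re.findall(r"^\s*(caBundle|tls\.crt|ca\.crt):\s*(\S+)", manifest, re.M):
        pem = base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode()
        for body in re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END", pem, re.S):
            name = WEAK_SIG_OIDS.get(outer_sig_oid(base64.b64decode(body)))
            if name:
                hits.append((field, name))
    return hits

def sample_field(oid):
    """Constructed sample: DER skeleton holding only the fields read above."""
    alg = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    der = bytes([0x30, len(alg) + 5]) + b"\x30\x00" + alg + b"\x03\x01\x00"
    pem = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"
    return base64.b64encode(pem).decode()

CONSTRUCTED_MANIFEST = ("data:\n  tls.crt: " + sample_field(bytes.fromhex("2a864886f70d010105"))
                        + "\n  caBundle: " + sample_field(bytes.fromhex("2a864886f70d01010b")) + "\n")
if __name__ == "__main__":
    print(weak_certs(CONSTRUCTED_MANIFEST))
```

Go's SHA-1 rejection does not apply to the signature on a self-signed root, so a hit on a root caBundle is a hygiene finding, while a hit on tls.crt matches the failure in this issue.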

@Abirdcfly

A temp and simple fix is to just let SHA1-RSA keep running.
Add an env entry in kube-apiserver.yaml

docker exec -ti kind-control-plane bash
root@kind-control-plane:/#  apt update && apt install vim -y
root@kind-control-plane:/#  vim /etc/kubernetes/manifests/kube-apiserver.yaml

Add this:
env:
- name: GODEBUG
  value: x509sha1=1

@zsnmwy zsnmwy closed this as completed Jul 14, 2022