Update CertificateSigningRequest apiversion to V1

[Kartik494]

Fixes #587

Updated `CertificateSigningRequest apiversion` to `V1`

[Kartik494]

/release-note-none

[Kartik494]

@xing-yang Could You please take a look

[Kartik494]

When i update apiVersion to v1 ,i found we have to add signerName to it else it will fail.
After adding as suggested by in issue it works fine
ot-validation-service --secret snapshot-validation-secret --namespace default
creating certs in tmpdir /tmp/tmp.YauekRshRw
Generating RSA private key, 2048 bit long modulus (2 primes)
...............+++++
.........................................+++++
e is 65537 (0x010001)
certificatesigningrequest.certificates.k8s.io/snapshot-validation-service.default created
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
snapshot-validation-service.default 0s kubernetes.io/kube-apiserver-client minikube-user Pending
certificatesigningrequest.certificates.k8s.io/snapshot-validation-service.default approved
secret/snapshot-validation-secret created

Here is the outputs for pods and deployments
kubectl get pods -n cr
NAME READY STATUS RESTARTS AGE
snapshot-validation-deployment-6fdf6d59ff-5k4xx 1/1 Running 0 19m
snapshot-validation-deployment-6fdf6d59ff-5xl4q 1/1 Running 0 19m
snapshot-validation-deployment-6fdf6d59ff-clsls 1/1 Running 0 19m

kubectl get deployment -n cr
NAME READY UP-TO-DATE AVAILABLE AGE
snapshot-validation-deployment 3/3 3 3 19m

[xing-yang]

Can you run tests with invalid snapshots and verify that they are rejected by the webhook?

[xing-yang]

It's better to indent 2 spaces rather than 1. Can you change this back?

[xing-yang]

Can you change this back? There's no need to make this change.

[Kartik494]

Done.PTAL

[xing-yang]

It's better to indent 2 spaces rather than 1. Can you change this back?

[Kartik494]

Sure i will addressed this changes

[Kartik494]

@xing-yang i have addressed the changes regarding space indentation. I have validate the invalid snapshot v1 yaml for testing with webhook server as described in README and got the output as
kubectl create -f ./examples/kubernetes/invalid-snapshot-v1.yaml error: unable to recognize "./examples/kubernetes/invalid-snapshot-v1.yaml": no matches for kind "VolumeSnapshot" in version "snapshot.storage.k8s.io/v1"
Please let me know if this is right way to check the script or any other test i have to run.
Thanks!

[xing-yang]

@lajiao117 Does this PR fix your problem?

[lajiao117]

@lajiao117 Does this PR fix your problem?

@xing-yang didn't, i used the signerName: kubernetes.io/kube-apiserver-client ,the webhook logs this err:
http: TLS handshake error from 10.244.0.0:30789: remote error: tls: bad certificate

k8s version is:v1.21.2

[Kartik494]

@lajiao117 @xing-yang i have checked this in my environment and it's running fine. @lajiao117 if it's possible could you try this on another k8s cluster to recheck it. i have used minikube and kubeadm for respective versions

[lajiao117]

@Kartik494 i recheck another k8s cluster ,it's the same err

i use the v1beta1 it works well

[lajiao117]

@Kartik494 i used the webhook: https://github.com/kubernetes-csi/external-snapshotter/tree/v3.0.3
the csr yaml:

cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: ${csrName}
spec:
groups:

• system:authenticated
  signerName: kubernetes.io/kube-apiserver-client
  request: $(cat ${tmpdir}/server.csr | base64 | tr -d '\n')
  usages:
• digital signature
• key encipherment
• client auth
  EOF

[Kartik494]

SO this error occur in latest release also i.e 4.2.1?

[lajiao117]

SO this error occur in latest release also i.e 4.2.1?

@Kartik494 i just try 4.2.1,it logs the same err

[Kartik494]

@lajiao117 Thanks for the update i got the output as
kubectl logs snapshot-validation-deployment-6fdf6d59ff-2rxcz I1022 09:04:58.308948 1 certwatcher.go:129] Updated current TLS certificate Starting webhook server I1022 09:04:58.309270 1 webhook.go:182] Starting certificate watcher

[Kartik494]

i have doubt in the script file that is it ok to change usage attribute to client from server? my CSR got stuck in pending state? @xing-yang @lajiao117 any idea on this?.Please suggest

[Kartik494]

Please refer this documentation here there is a specific term for use as client in authorization i.e client auth

[lajiao117]

Please refer this documentation here there is a specific term for use as client in authorization i.e client auth

@Kartik494 i readed the doc, the script is no diffirent from the doc,

[humblec]

Why do we change or remove the server auth ?

[Kartik494]

HI @humblec i have not any exact idea of this, i am following certificate signing request template as describe in docs . So i have to keep it as server authorisation here? Any help on this would be appreciated. Thanks

[lajiao117]

signerName: kubernetes.io/kubelet-serving

[lajiao117]

use v1 version, signerName: kubernetes.io/kubelet-serving the organizations must be ["system:nodes"

openssl req -new -key ${tmpdir}/server-key.pem -subj "/CN=system:node:${service}.${namespace}.svc;/O=system:nodes" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf

cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: ${csrName}
spec:
groups:

• system:authenticated
  request: $(cat ${tmpdir}/server.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kubelet-serving
  usages:
• digital signature
• key encipherment
• server auth
  EOF

[lajiao117]

use v1 version, signerName: kubernetes.io/kubelet-serving the organizations must be ["system:nodes"

openssl req -new -key ${tmpdir}/server-key.pem -subj "/CN=system:node:${service}.${namespace}.svc;/O=system:nodes" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf

cat <<EOF | kubectl create -f - apiVersion: certificates.k8s.io/v1 kind: CertificateSigningRequest metadata: name: ${csrName} spec: groups:

• system:authenticated
  request: $(cat ${tmpdir}/server.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kubelet-serving
  usages:
• digital signature
• key encipherment
• server auth
  EOF

@Kartik494 this script is ok for v1 version

[Kartik494]

@lajiao117 Thanks for helping me out for this script ,it's working fine in my environment too.I have added a commit for the same.

[Kartik494]

@xing-yang @humblec Could you please take a look at this updated commit . Thanks

[xing-yang]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Kartik494, xing-yang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [xing-yang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[xing-yang]

@Kartik494 after this PR is merged, can you backport to release-5.0 branch?

[Kartik494]

@xing-yang sure i will raise a PR for this.

[xing-yang]

I think this actually needs a release note.