Issue type: bug
Issue description:
When using apiVersion: certificates.k8s.io/v1 in a CertificateSigningRequest with signerName kubernetes.io/kube-apiserver-docker-desktop, Docker Desktop does not issue a certificate. When using apiVersion: certificates.k8s.io/v1beta1 in the CertificateSigningRequest, it does work.
OS Version/build: windows 10 Version 20H2 (OS Build 19042.630)
App version: docker desktop 2.5.0.1 (49550) stable
Kubernetes version in docker desktop: V1.19.3
Steps to reproduce
1. create certificate signing request
cat <<EOF | cfssl genkey - | cfssljson -bare whoami.default
{
  "hosts": [
    "whoami.default.svc.cluster.local"
  ],
  "CN": "whoami.default.svc.cluster.local",
  "key": {
    "algo": "ecdsa",
    "size": 256
  }
}
EOF
output
2020/11/25 17:19:14 [INFO] generate received request
2020/11/25 17:19:14 [INFO] received CSR
2020/11/25 17:19:14 [INFO] generating key: ecdsa-256
2020/11/25 17:19:14 [INFO] encoded CSR
2. send Certificate Signing Request to kubernetes
cat <<EOF | kubectl apply -n default -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: whoami.default
spec:
  request: $(cat whoami.default.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-docker-desktop
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF
output
certificatesigningrequest.certificates.k8s.io/whoami.default created
3. approve certificate
kubectl certificate approve whoami.default -n default
output
certificatesigningrequest.certificates.k8s.io/whoami.default approved
4. check certificate status
kubectl get csr whoami.default -n default
output
NAME AGE SIGNERNAME REQUESTOR CONDITION
whoami.default 95s kubernetes.io/kube-apiserver-docker-desktop docker-for-desktop Approved
5. download certificate
kubectl get csr whoami.default -n default -o json
output
{
"apiVersion": "certificates.k8s.io/v1",
"kind": "CertificateSigningRequest",
"metadata": {
"annotations": {
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"certificates.k8s.io/v1\",\"kind\":\"CertificateSigningRequest\",\"metadata\":{\"annotations\":{},\"name\":\"whoami.default\"},\"spec\":{\"request\":\"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\",\"signerName\":\"kubernetes.io/kube-apiserver-docker-desktop\",\"usages\":[\"digital signature\",\"key encipherment\",\"server auth\"]}}\n"
},
"creationTimestamp": "2020-11-25T16:19:51Z",
"managedFields": [
{
"apiVersion": "certificates.k8s.io/v1",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:metadata": {
"f:annotations": {
".": {},
"f:kubectl.kubernetes.io/last-applied-configuration": {}
}
},
"f:spec": {
"f:request": {},
"f:signerName": {},
"f:usages": {}
}
},
"manager": "kubectl-client-side-apply",
"operation": "Update",
"time": "2020-11-25T16:19:51Z"
},
{
"apiVersion": "certificates.k8s.io/v1",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:status": {
"f:conditions": {
".": {},
"k:{\"type\":\"Approved\"}": {
".": {},
"f:lastTransitionTime": {},
"f:lastUpdateTime": {},
"f:message": {},
"f:reason": {},
"f:status": {},
"f:type": {}
}
}
}
},
"manager": "kubectl",
"operation": "Update",
"time": "2020-11-25T16:21:19Z"
}
],
"name": "whoami.default",
"resourceVersion": "31189",
"selfLink": "/apis/certificates.k8s.io/v1/certificatesigningrequests/whoami.default",
"uid": "5d8536d4-1a49-4b98-b3ac-15b54d9462f1"
},
"spec": {
"groups": [
"system:masters",
"system:authenticated"
],
"request": "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",
"signerName": "kubernetes.io/kube-apiserver-docker-desktop",
"usages": [
"digital signature",
"key encipherment",
"server auth"
],
"username": "docker-for-desktop"
},
"status": {
"conditions": [
{
"lastTransitionTime": "2020-11-25T16:21:19Z",
"lastUpdateTime": "2020-11-25T16:21:19Z",
"message": "This CSR was approved by kubectl certificate approve.",
"reason": "KubectlApprove",
"status": "True",
"type": "Approved"
}
]
}
}
In the status field, above conditions, there should be a certificate entry, but there is none.
For comparison, this is a working CSR with apiVersion: certificates.k8s.io/v1beta1
2. send Certificate Signing Request to kubernetes
cat <<EOF | kubectl apply -n default -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: whoami.default
spec:
  request: $(cat whoami.default.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF
output
Warning: certificates.k8s.io/v1beta1 CertificateSigningRequest is deprecated in v1.19+, unavailable in v1.22+; use certificates.k8s.io/v1 CertificateSigningRequest
certificatesigningrequest.certificates.k8s.io/whoami.default created
3. approve certificate
kubectl certificate approve whoami.default -n default
output
certificatesigningrequest.certificates.k8s.io/whoami.default approved
4. check certificate status
kubectl get csr whoami.default -n default
NAME AGE SIGNERNAME REQUESTOR CONDITION
whoami.default 30s kubernetes.io/legacy-unknown docker-for-desktop Approved,Issued
5. download certificate
kubectl get csr whoami.default -n default -o json
output
{
"apiVersion": "certificates.k8s.io/v1",
"kind": "CertificateSigningRequest",
"metadata": {
"annotations": {
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"certificates.k8s.io/v1beta1\",\"kind\":\"CertificateSigningRequest\",\"metadata\":{\"annotations\":{},\"name\":\"whoami.default\"},\"spec\":{\"request\":\"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\",\"usages\":[\"digital signature\",\"key encipherment\",\"server auth\"]}}\n"
},
"creationTimestamp": "2020-11-25T17:12:05Z",
"managedFields": [
{
"apiVersion": "certificates.k8s.io/v1beta1",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:metadata": {
"f:annotations": {
".": {},
"f:kubectl.kubernetes.io/last-applied-configuration": {}
}
},
"f:spec": {
"f:request": {},
"f:signerName": {},
"f:usages": {}
}
},
"manager": "kubectl-client-side-apply",
"operation": "Update",
"time": "2020-11-25T17:12:05Z"
},
{
"apiVersion": "certificates.k8s.io/v1",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:status": {
"f:certificate": {}
}
},
"manager": "kube-controller-manager",
"operation": "Update",
"time": "2020-11-25T17:12:24Z"
},
{
"apiVersion": "certificates.k8s.io/v1",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:status": {
"f:conditions": {
".": {},
"k:{\"type\":\"Approved\"}": {
".": {},
"f:lastTransitionTime": {},
"f:lastUpdateTime": {},
"f:message": {},
"f:reason": {},
"f:status": {},
"f:type": {}
}
}
}
},
"manager": "kubectl",
"operation": "Update",
"time": "2020-11-25T17:12:24Z"
}
],
"name": "whoami.default",
"resourceVersion": "36895",
"selfLink": "/apis/certificates.k8s.io/v1/certificatesigningrequests/whoami.default",
"uid": "8056a082-fe36-4488-9eb7-ade8366b305f"
},
"spec": {
"groups": [
"system:masters",
"system:authenticated"
],
"request": "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",
"signerName": "kubernetes.io/legacy-unknown",
"usages": [
"digital signature",
"key encipherment",
"server auth"
],
"username": "docker-for-desktop"
},
"status": {
"certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNZakNDQVVxZ0F3SUJBZ0lSQU1xblBlV0sxNWNtQWJjeWlDNlh6ZkV3RFFZSktvWklodmNOQVFFTEJRQXcKRlRFVE1CRUdBMVVFQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TURFeE1qVXhOekEzTWpSYUZ3MHlNVEV4TWpVeApOekEzTWpSYU1Dc3hLVEFuQmdOVkJBTVRJSGRvYjJGdGFTNWtaV1poZFd4MExuTjJZeTVqYkhWemRHVnlMbXh2ClkyRnNNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVGZVorYys5ZkttMjRVWUM5QS9TcndJUnIKU2FySGlWQUJYSldsVHhWNWY0L1JLaXRYU1JQNk4rVUkvZFBZU09qbUZDUjJhdE9NZ1p2eUgwRUp3NFEraGFOaQpNR0F3RGdZRFZSMFBBUUgvQkFRREFnV2dNQk1HQTFVZEpRUU1NQW9HQ0NzR0FRVUZCd01CTUF3R0ExVWRFd0VCCi93UUNNQUF3S3dZRFZSMFJCQ1F3SW9JZ2QyaHZZVzFwTG1SbFptRjFiSFF1YzNaakxtTnNkWE4wWlhJdWJHOWoKWVd3d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDeEZUT1NHbFYxS2o4bGphQWw3bFVWK3lTRHlGMGZGbC9IQQo1bXRhZmlBVnZUS2xoU3MycU9Kc1ZyRmZ1VGtoajE4SDdxOG5OYjNJdUVlTk85UTJUeGp3T25CSGlRR2I0clpwCk9QWFd0TUxOazc0TmVEaVZPbHJSZTd1dTNSTTNnck00OEh4MjlCaVlFNm5TVTB0d2FzRDl2Ym9SMUswbXlLVFAKTDJFdGt2LytWVXRIR1VFTmxxbk9GN1dsMGxsWmpUY1Q5cFlKZXVLN0hZek11SjNqNkR4RjVzNUJBcDV6SXVEagphYUdhRFpaVGY2Qk8xbjFrdElMWlBScGVCNmRBNk1zaTduUFdSZTgwbXdubFVqbVZRVk4rTjJSN09NNjZyZVAzCjRkN1l2NldKZmZJYUVXSjBhQmpESERKQmtkR0lPZk0vY2svQTAyTnBjWDRsbCt5T1dEST0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=",
"conditions": [
{
"lastTransitionTime": "2020-11-25T17:12:24Z",
"lastUpdateTime": "2020-11-25T17:12:24Z",
"message": "This CSR was approved by kubectl certificate approve.",
"reason": "KubectlApprove",
"status": "True",
"type": "Approved"
}
]
}
}
In status you find the certificate.
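The difference between the two objects above can be checked mechanically. The following is an added example, not part of the original issue and not Kubernetes or Docker Desktop code: it classifies the output of `kubectl get csr -o json` and flags an approved CSR that has no certificate and whose signerName is not one of the built-in kubernetes.io signers listed in the upstream Kubernetes documentation. The two sample objects are constructed, trimmed versions of the outputs above, and the certificate is a placeholder.

```python
import base64
import json

# Signers implemented by kube-controller-manager itself (per upstream Kubernetes docs).
BUILTIN_SIGNERS = {
    "kubernetes.io/kube-apiserver-client",
    "kubernetes.io/kube-apiserver-client-kubelet",
    "kubernetes.io/kubelet-serving",
    "kubernetes.io/legacy-unknown",
}

def diagnose_csr(csr: dict) -> dict:
    """Classify a CertificateSigningRequest object from `kubectl get csr -o json`."""
    spec, status = csr.get("spec", {}), csr.get("status", {})
    # Count only conditions that are true; older objects may omit the status key.
    conds = {c["type"] for c in status.get("conditions", [])
             if c.get("status", "True") == "True"}
    cert_b64 = status.get("certificate", "")
    pem = base64.b64decode(cert_b64).decode("ascii", "replace") if cert_b64 else ""
    issued = pem.startswith("-----BEGIN CERTIFICATE-----")
    if "Denied" in conds:
        state = "denied"
    elif "Failed" in conds:
        state = "failed"
    elif issued:
        state = "issued"
    elif "Approved" in conds:
        state = "approved-not-issued"   # approved, but no signer wrote status.certificate
    else:
        state = "pending"
    signer = spec.get("signerName", "")
    builtin = signer in BUILTIN_SIGNERS
    return {"state": state, "signer": signer, "builtin_signer": builtin,
            # Approved with a non-built-in signer: a separate signer controller must act.
            "needs_external_signer": state == "approved-not-issued" and not builtin}

def _sample(signer, cert_pem=None):
    """Constructed, trimmed stand-in for the JSON shown in the issue."""
    status = {"conditions": [{"type": "Approved", "status": "True",
                              "reason": "KubectlApprove"}]}
    if cert_pem:
        status["certificate"] = base64.b64encode(cert_pem.encode()).decode()
    return {"kind": "CertificateSigningRequest",
            "spec": {"signerName": signer}, "status": status}

V1_SAMPLE = _sample("kubernetes.io/kube-apiserver-docker-desktop")
BETA_SAMPLE = _sample("kubernetes.io/legacy-unknown",
                      "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for sample in (V1_SAMPLE, BETA_SAMPLE):
        print(json.dumps(diagnose_csr(sample)))
```

Against a live cluster, the same function can be fed `json.loads()` of the `kubectl get csr whoami.default -o json` output.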