Docker Community Forums

CertificateSigningRequest with certificates.k8s.io/v1 in kubernetes 1.19.3 not working

Issue type: bug
Issue description:
When using apiVersion: certificates.k8s.io/v1 in a CertificateSigningRequest with signerName kubernetes.io/kube-apiserver-docker-desktop, Docker Desktop does not issue a certificate. When using apiVersion: certificates.k8s.io/v1beta1 in the CertificateSigningRequest, it does work.

OS Version/build: Windows 10 Version 20H2 (OS Build 19042.630)
App version: Docker Desktop 2.5.0.1 (49550) stable
Kubernetes version in docker desktop: V1.19.3

Steps to reproduce

1. create certificate signing request

cat <<EOF | cfssl genkey - | cfssljson -bare whoami.default
{
  "hosts": [
    "whoami.default.svc.cluster.local"
  ],
  "CN": "whoami.default.svc.cluster.local",
  "key": {
    "algo": "ecdsa",
    "size": 256
  }
}
EOF

output

2020/11/25 17:19:14 [INFO] generate received request
2020/11/25 17:19:14 [INFO] received CSR
2020/11/25 17:19:14 [INFO] generating key: ecdsa-256
2020/11/25 17:19:14 [INFO] encoded CSR

2. send Certificate Signing Request to kubernetes

cat <<EOF | kubectl apply -n default -f  -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: whoami.default
spec:
  request: $(cat whoami.default.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-docker-desktop
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

output

certificatesigningrequest.certificates.k8s.io/whoami.default created

3. approve certificate
kubectl certificate approve whoami.default -n default

output

certificatesigningrequest.certificates.k8s.io/whoami.default approved

4. check certificate status
kubectl get csr whoami.default -n default

output

NAME             AGE   SIGNERNAME                                    REQUESTOR            CONDITION
whoami.default   95s   kubernetes.io/kube-apiserver-docker-desktop   docker-for-desktop   Approved

5. download certificate
kubectl get csr whoami.default -n default -o json

output

{
    "apiVersion": "certificates.k8s.io/v1",
    "kind": "CertificateSigningRequest",
    "metadata": {
        "annotations": {
            "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"certificates.k8s.io/v1\",\"kind\":\"CertificateSigningRequest\",\"metadata\":{\"annotations\":{},\"name\":\"whoami.default\"},\"spec\":{\"request\":\"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\",\"signerName\":\"kubernetes.io/kube-apiserver-docker-desktop\",\"usages\":[\"digital signature\",\"key encipherment\",\"server auth\"]}}\n"
        },
        "creationTimestamp": "2020-11-25T16:19:51Z",
        "managedFields": [
            {
                "apiVersion": "certificates.k8s.io/v1",
                "fieldsType": "FieldsV1",
                "fieldsV1": {
                    "f:metadata": {
                        "f:annotations": {
                            ".": {},
                            "f:kubectl.kubernetes.io/last-applied-configuration": {}
                        }
                    },
                    "f:spec": {
                        "f:request": {},
                        "f:signerName": {},
                        "f:usages": {}
                    }
                },
                "manager": "kubectl-client-side-apply",
                "operation": "Update",
                "time": "2020-11-25T16:19:51Z"
            },
            {
                "apiVersion": "certificates.k8s.io/v1",
                "fieldsType": "FieldsV1",
                "fieldsV1": {
                    "f:status": {
                        "f:conditions": {
                            ".": {},
                            "k:{\"type\":\"Approved\"}": {
                                ".": {},
                                "f:lastTransitionTime": {},
                                "f:lastUpdateTime": {},
                                "f:message": {},
                                "f:reason": {},
                                "f:status": {},
                                "f:type": {}
                            }
                        }
                    }
                },
                "manager": "kubectl",
                "operation": "Update",
                "time": "2020-11-25T16:21:19Z"
            }
        ],
        "name": "whoami.default",
        "resourceVersion": "31189",
        "selfLink": "/apis/certificates.k8s.io/v1/certificatesigningrequests/whoami.default",
        "uid": "5d8536d4-1a49-4b98-b3ac-15b54d9462f1"
    },
    "spec": {
        "groups": [
            "system:masters",
            "system:authenticated"
        ],
        "request": "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",
        "signerName": "kubernetes.io/kube-apiserver-docker-desktop",
        "usages": [
            "digital signature",
            "key encipherment",
            "server auth"
        ],
        "username": "docker-for-desktop"
    },
    "status": {
        "conditions": [
            {
                "lastTransitionTime": "2020-11-25T16:21:19Z",
                "lastUpdateTime": "2020-11-25T16:21:19Z",
                "message": "This CSR was approved by kubectl certificate approve.",
                "reason": "KubectlApprove",
                "status": "True",
                "type": "Approved"
            }
        ]
    }
}

In the status field, above conditions, there should be a certificate entry, but there is none.

For comparison, this is a working CSR with apiVersion: certificates.k8s.io/v1beta1

2. send Certificate Signing Request to kubernetes

cat <<EOF | kubectl apply -n default -f  -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: whoami.default
spec:
  request: $(cat whoami.default.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

output

Warning: certificates.k8s.io/v1beta1 CertificateSigningRequest is deprecated in v1.19+, unavailable in v1.22+; use certificates.k8s.io/v1 CertificateSigningRequest
certificatesigningrequest.certificates.k8s.io/whoami.default created

3. approve certificate
kubectl certificate approve whoami.default -n default

output

certificatesigningrequest.certificates.k8s.io/whoami.default approved

4. check certificate status
kubectl get csr whoami.default -n default

NAME             AGE   SIGNERNAME                     REQUESTOR            CONDITION
whoami.default   30s   kubernetes.io/legacy-unknown   docker-for-desktop   Approved,Issued

5. download certificate
kubectl get csr whoami.default -n default -o json

output

{
    "apiVersion": "certificates.k8s.io/v1",
    "kind": "CertificateSigningRequest",
    "metadata": {
        "annotations": {
            "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"certificates.k8s.io/v1beta1\",\"kind\":\"CertificateSigningRequest\",\"metadata\":{\"annotations\":{},\"name\":\"whoami.default\"},\"spec\":{\"request\":\"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\",\"usages\":[\"digital signature\",\"key encipherment\",\"server auth\"]}}\n"
        },
        "creationTimestamp": "2020-11-25T17:12:05Z",
        "managedFields": [
            {
                "apiVersion": "certificates.k8s.io/v1beta1",
                "fieldsType": "FieldsV1",
                "fieldsV1": {
                    "f:metadata": {
                        "f:annotations": {
                            ".": {},
                            "f:kubectl.kubernetes.io/last-applied-configuration": {}
                        }
                    },
                    "f:spec": {
                        "f:request": {},
                        "f:signerName": {},
                        "f:usages": {}
                    }
                },
                "manager": "kubectl-client-side-apply",
                "operation": "Update",
                "time": "2020-11-25T17:12:05Z"
            },
            {
                "apiVersion": "certificates.k8s.io/v1",
                "fieldsType": "FieldsV1",
                "fieldsV1": {
                    "f:status": {
                        "f:certificate": {}
                    }
                },
                "manager": "kube-controller-manager",
                "operation": "Update",
                "time": "2020-11-25T17:12:24Z"
            },
            {
                "apiVersion": "certificates.k8s.io/v1",
                "fieldsType": "FieldsV1",
                "fieldsV1": {
                    "f:status": {
                        "f:conditions": {
                            ".": {},
                            "k:{\"type\":\"Approved\"}": {
                                ".": {},
                                "f:lastTransitionTime": {},
                                "f:lastUpdateTime": {},
                                "f:message": {},
                                "f:reason": {},
                                "f:status": {},
                                "f:type": {}
                            }
                        }
                    }
                },
                "manager": "kubectl",
                "operation": "Update",
                "time": "2020-11-25T17:12:24Z"
            }
        ],
        "name": "whoami.default",
        "resourceVersion": "36895",
        "selfLink": "/apis/certificates.k8s.io/v1/certificatesigningrequests/whoami.default",
        "uid": "8056a082-fe36-4488-9eb7-ade8366b305f"
    },
    "spec": {
        "groups": [
            "system:masters",
            "system:authenticated"
        ],
        "request": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQkl6Q0J5d0lCQURBck1Ta3dKd1lEVlFRREV5QjNhRzloYldrdVpHVm1ZWFZzZEM1emRtTXVZMngxYzNSbApjaTVzYjJOaGJEQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJCWG1mblB2WHlwdHVGR0F2UVAwCnE4Q0VhMG1xeDRsUUFWeVZwVThWZVgrUDBTb3JWMGtUK2pmbENQM1QyRWpvNWhRa2RtclRqSUdiOGg5QkNjT0UKUG9XZ1BqQThCZ2txaGtpRzl3MEJDUTR4THpBdE1Dc0dBMVVkRVFRa01DS0NJSGRvYjJGdGFTNWtaV1poZFd4MApMbk4yWXk1amJIVnpkR1Z5TG14dlkyRnNNQW9HQ0NxR1NNNDlCQU1DQTBjQU1FUUNJRzR5V1FQYitFb3hYNEdhCjd2SHFaa05NTU5JK0FrSlRVMWVlaHRqNTJVUjRBaUJnei82ZUxsUnp4b2N1QzBrMHlab3lmaHRKVTZsMTcyaEQKeVhkZDZ4T29BUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=",
        "signerName": "kubernetes.io/legacy-unknown",
        "usages": [
            "digital signature",
            "key encipherment",
            "server auth"
        ],
        "username": "docker-for-desktop"
    },
    "status": {
        "certificate": "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",
        "conditions": [
            {
                "lastTransitionTime": "2020-11-25T17:12:24Z",
                "lastUpdateTime": "2020-11-25T17:12:24Z",
                "message": "This CSR was approved by kubectl certificate approve.",
                "reason": "KubectlApprove",
                "status": "True",
                "type": "Approved"
            }
        ]
    }
}

In status you find the certificate.
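
The difference between the two JSON outputs above can be checked mechanically. The following is an added example, not part of the original post: it classifies a parsed `kubectl get csr NAME -o json` object, reports which manager wrote `status.certificate`, and flags whether `spec.signerName` is one of the signers implemented by upstream kube-controller-manager. The function name, the sample objects (trimmed from the post's outputs) and the certificate placeholder are assumptions made for the example.

```python
# Signers implemented by upstream kube-controller-manager (Kubernetes docs).
BUILTIN_SIGNERS = {
    "kubernetes.io/kube-apiserver-client",
    "kubernetes.io/kube-apiserver-client-kubelet",
    "kubernetes.io/kubelet-serving",
    "kubernetes.io/legacy-unknown",
}

def diagnose_csr(csr):
    """Classify a parsed `kubectl get csr NAME -o json` object."""
    status = csr.get("status", {})
    conds = {c["type"] for c in status.get("conditions", [])
             if c.get("status", "True") == "True"}
    if "Denied" in conds:
        state = "denied"
    elif "Failed" in conds:
        state = "failed"
    elif status.get("certificate"):
        state = "issued"
    elif "Approved" in conds:
        state = "approved-not-issued"   # approved, but no signer wrote a cert
    else:
        state = "pending"
    # managedFields records which component wrote status.certificate, if any.
    fields = csr.get("metadata", {}).get("managedFields", [])
    issued_by = next((m.get("manager") for m in fields
                      if "f:certificate" in m.get("fieldsV1", {}).get("f:status", {})), None)
    signer = csr.get("spec", {}).get("signerName")
    return {"state": state, "signer": signer,
            "builtin_signer": signer in BUILTIN_SIGNERS, "issued_by": issued_by}

def _sample(signer, managers, certificate=None):
    """Constructed sample: the post's JSON trimmed to the fields used above."""
    status = {"conditions": [{"type": "Approved", "status": "True"}]}
    if certificate:
        status["certificate"] = certificate
    return {"metadata": {"name": "whoami.default", "managedFields": managers},
            "spec": {"signerName": signer}, "status": status}

CONDITIONS = {"manager": "kubectl", "fieldsV1": {"f:status": {"f:conditions": {}}}}
CERT = {"manager": "kube-controller-manager", "fieldsV1": {"f:status": {"f:certificate": {}}}}
V1_CSR = _sample("kubernetes.io/kube-apiserver-docker-desktop", [CONDITIONS])
V1BETA1_CSR = _sample("kubernetes.io/legacy-unknown", [CERT, CONDITIONS],
                      certificate="PLACEHOLDER-base64-certificate")  # value not on the page

if __name__ == "__main__":
    for name, csr in (("v1", V1_CSR), ("v1beta1", V1BETA1_CSR)):
        print(name, diagnose_csr(csr))
```

To use it against a live cluster, pass `json.load(sys.stdin)` to `diagnose_csr` and pipe the `kubectl get csr ... -o json` output into the script.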