Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rustls cannot use client-key in EC Private Keys format #542

Closed
kazk opened this issue Jun 4, 2021 · 2 comments · Fixed by #804
Closed

rustls cannot use client-key in EC Private Keys format #542

kazk opened this issue Jun 4, 2021 · 2 comments · Fixed by #804
Labels
blocked awaiting upstream work client http issues with the client rustls rustls-tls related

Comments

@kazk
Copy link
Member

kazk commented Jun 4, 2021
edited

rustls does not support EC Private Key (rustls/rustls#332).
This prevents using rustls with k3d cluster (after working around #153). Note that in-cluster config is not affected by this.

A workaround is to use OpenSSL to convert to PKCS#8 and update the config.

Get the client-key-data for the cluster and confirm that it's EC Private Key:

# replace `k3d-dev` with the name of your cluster
kubectl config view \
    --raw \
    -o jsonpath='{.users[?(@.name == "admin@k3d-dev")].user.client-key-data}' \
| base64 -d
-----BEGIN EC PRIVATE KEY-----
................................................................
................................................................
.....................
-----END EC PRIVATE KEY-----

Convert to PKCS#8 with OpenSSL and update the config:

kubectl config view \
    --raw \
    -o jsonpath='{.users[?(@.name == "admin@k3d-dev")].user.client-key-data}' \
| base64 -d \
| openssl pkcs8 -topk8 -nocrypt \
| base64 -w0 \
| xargs -I{} kubectl config set users.admin@k3d-dev.client-key-data {}

Don't forget to also change server to use localhost for #153.

kubectl config view \
    --raw \
    -o jsonpath='{.clusters[?(@.name == "k3d-dev")].cluster.server}' \
| sed 's/0\.0\.0\.0/localhost/' \
| xargs -I{} kubectl config set clusers.k3d-dev.server {}
@kazk kazk added blocked awaiting upstream work rustls rustls-tls related labels Jun 4, 2021
@kazk kazk mentioned this issue Jun 4, 2021
Merged
@kazk kazk added the client http issues with the client label Jun 4, 2021
@olix0r
Copy link
Contributor

olix0r commented Oct 4, 2021
edited

This prevents using rustls with k3d cluster (after working around #153).

Interestingly, we're using kube-rs without issue on k3d (from within the cluster using service account tokens, not using the admin kubeconfig). Presumably, this is because in this case we use bearer auth to the API and don't need to parse PEM-formatted EC keys?

Though, we have users hitting this problem in other contexts: linkerd/linkerd2#7011

@olix0r olix0r mentioned this issue Oct 4, 2021
Closed
4 tasks
@kazk
Copy link
Member Author

kazk commented Oct 4, 2021
edited

from within the cluster using service account tokens, not using the admin kubeconfig

Workaround for #153 is no longer necessary for in-cluster connection since kube 0.59.0 because kubernetes.default.svc is used (#597).

Presumably, this is because in this case we use bearer auth to the API and don't need to parse PEM-formatted EC keys?

Yes

https://github.com/kube-rs/kube-rs/blob/50acf98ce7513809634d297392663539c06478c2/kube/src/client/tls.rs#L87-L90

Updated the issue to mention in-cluster config is not affected. Thanks.

@olix0r olix0r mentioned this issue Oct 19, 2021
Closed
@clux clux mentioned this issue Nov 4, 2021
Closed
@kazk kazk mentioned this issue Nov 11, 2021
Closed
This was referenced Dec 23, 2021
Merged
Merged
@viccuad viccuad mentioned this issue Jan 14, 2022
Closed
@kazk kazk linked a pull request Feb 5, 2022 that will close this issue
Add support for EC private keys #804
Merged
3 tasks
@clux clux closed this as completed in #804 Feb 19, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
blocked awaiting upstream work client http issues with the client rustls rustls-tls related
Projects
Kube Roadmap
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add support for EC private keys farcaller/kube-rs
2 participants
@olix0r @kazk