0
votes

I have deployed a Kubernetes cluster in google cloud and trying to access it using the Kubernetes NodeJS API, a kubernetes client.

To do so, we need to authenticate with cluster. I tried using just the Username and Password method. I get the following error:

{ [Error: unable to verify the first certificate] code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }

Then I tried the authentication using the CAcert, ClientCert and ClientKey. I basically hardcoded the keys instead of importing it from the files. I am calling this API from a Lambda function, where I cant store the certs in files. Doing so, I get the below error:

[Error: error:0906D06C:PEM routines:PEM_read_bio:no start line]

My intuition is authentication is possible only with keys. But I think I am doing something wrong with the certs. Do I need to create some other certificates out of this or is the method of using the certs is wrong ?

Answer:

See the Robert Bailey's comment. I was missing the Base64 thing. Adding that, I could successfully authenticate to the kubernetes cluster and display and deploy new pods, etc.,

1

1 Answers

1
votes

To do so, we need to authenticate with cluster. I tried using just the Username and Password method. I get the following error:

Looking at the NodeJS client, I don't see a way to provide the cluster CA certificate along with the username and password, so unless you set strictSSL to false this error message seems reasonable (your system is saying that it doesn't trust the certificate presented by the server, which is correct because it is a self-signed certificate authority). You may be able to work around this by installing the cluster CA certificate into your system certificate root store, but using a different authentication method (and filing a bug against the NodeJS client) seems preferable.

Then I tried the authentication using the CAcert, ClientCert and ClientKey. I basically hardcoded the keys instead of importing it from the files.

Did you also try importing files (for comparison)? It looks like this is a parsing error with the way that you are specifying the PEM blocks, and the libraries may do a better job reading the blocks from files instead of inline data.

My intuition is authentication is possible only with keys. But I think I am doing something wrong with the certs. Do I need to create some other certificates out of this or is the method of using the certs is wrong ?

Authentication should be possible with the username / password or the client keys. The NodeJS library also allows you to point to a kubeconfig file, which should allow you to specify the username / password along with the cluster CA certificate so that you can securely connect to the API endpoint if you want to use basic auth credentials.