Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[Question] Authenticating Kubernetes API(NodeJS) client using certificate not successful

See original GitHub issue

I know this issue is not related to the repo. I am just posting it as the question. To start with, thanks for the amazing repo.

I have deployed a Kubernetes cluster in google cloud and trying to access it using the your kubernetes client.

To do so, we need to authenticate with cluster. I tried using just the Username and Password method. I get the following error:

{ [Error: unable to verify the first certificate] code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }

Then I tried the authentication using the CAcert, ClientCert and ClientKey. I basically hardcoded the keys instead of importing it from the files. I am calling this API from a Lambda function, where I cant store the certs in files. Doing so, I get the below error:

[Error: error:0906D06C:PEM routines:PEM_read_bio:no start line]

I specified my keys like this:

var kubeapi = K8s.api({
  "endpoint": "https://35.187.203.114",
  "version": "/api/v1",
  "auth": {
    "caCert": "LST****KIU",
    "clientCert": "LST****KIU",
    "clientKey": "LST****KIU"
  }
});

My intuition is, authentication is possible only with keys. But I think I am doing something wrong with the certs. Do I need to create some other certificates out of this or is the method of using the certs is wrong ?

Issue Analytics

State:
Created 6 years ago
Comments:5 (1 by maintainers)

Top GitHub Comments

2reactions

nullmu0commented, Apr 19, 2017

Here’s an example node-k8s-client/test/kubeapi.js

var kubeapi = K8s.api({
	endpoint: 'https://192.168.99.100:8443',
	version: '/api/v1',
	auth: {
		clientCert: fs.readFileSync(`${process.env.HOME}/.minikube/apiserver.crt`).toString(),
		clientKey: fs.readFileSync(`${process.env.HOME}/.minikube/apiserver.key`).toString() ,
		caCert: fs.readFileSync(`${process.env.HOME}/.minikube/ca.crt`).toString()
	}
})

1reaction

Overdrivrcommented, Apr 20, 2017

Thanks for the link, it’s exactly the info I was looking for !

I just realized that authentication is not consistent because node-k8s-client.kubectl calls the kubectl cli, that I used already “manually” and is properly configured, while node-k8s-client.api uses request to perform the http requests. Not the same stuff that runs and performs the authentication, hence, this discrepancy.

Top Results From Across the Web

Authenticating Kubernetes API(NodeJS) client using certificate ...

To do so, we need to authenticate with cluster. I tried using just the Username and Password method. I get the following error:....

Client Libraries | Kubernetes

This page contains an overview of the client libraries for using the Kubernetes API from various programming languages.

Authenticating | Kubernetes

Kubernetes uses client certificates, bearer tokens, or an authenticating proxy to authenticate API requests through authentication plugins.

Controlling Access to the Kubernetes API

If your cluster uses a private certificate authority, you need a copy of that CA certificate configured into your ~/.kube/config on the client, ......

PKI certificates and requirements - Kubernetes

If you install Kubernetes with kubeadm, the certificates that your ... Client certificates for the kubelet to authenticate to the API server ...