I'm trying to use *`tls.SelfSignedCert`* to issue ...
# typescript
b
I'm trying to use `tls.SelfSignedCert` to issue an mTLS certificate used between a few pods. It feels like I'm close, but I'm getting the following error. I guess perhaps I need to b64 decode the
```
Diagnostics:
  kubernetes:core/v1:Secret (kong-cluster-cert):
    error: Preview failed: resource kong/kong-kong-cluster was not successfully created by the Kubernetes API server : Secret in version "v1" cannot be handled as a Secret: illegal base64 data at input byte 0
```
And it seems these would be the problematic lines in question.
```typescript
data: {
        "tls.crt": kongClusterCert.certPem,
        "tls.key": kongClusterCert.privateKeyPem,
```
Snippet:
```typescript
//// Issue certificate for kong cluster mtls
const kongClusterKey = new tls.PrivateKey(`${name}-cluster-mtls-pkey`, {
  algorithm: "RSA",
  rsaBits: 2048,
});

const kongClusterCert = new tls.SelfSignedCert(`${name}-cluster-mtls-cert`, {
  privateKeyPem: kongClusterKey.privateKeyPem,
  allowedUses: [
    "keyEncipherment",
    "digitalSignature",
    "serverAuth",
    "cert_signing",
    "crl_signing",
  ],
  keyAlgorithm: kongClusterKey.algorithm,
  subjects: [{ commonName: 'kong_clustering' }],
  dnsNames: ['kong_clustering'],
  validityPeriodHours: 4870,
  isCaCertificate: false,
}, {
  parent: kongClusterKey,
});

// TODO: Consider Rotation Strategy
const secretKongClusterCert = new k8s.core.v1.Secret(`${name}-cluster-cert`, {
  apiVersion: "v1",
  kind: "Secret",
  type: "tls",
  metadata: {
    name: "kong-kong-cluster",
    namespace: "kong",
  },
  data: {
    "tls.crt": kongClusterCert.certPem,
    "tls.key": kongClusterCert.privateKeyPem,
  },
}, {
  dependsOn: [
    nsKong,
  ],
  parent: kongClusterCert,
  provider: kubeconfig,
});
```
w
use `stringData`
Or b64 encode them
`stringData` easier though 😛
b
just flipped it to stringData to blindly test without understanding what I effectively did. lol.
reading about the differences now
w
stringData allows you to input as txt, then k8s will encode for you
still ends up encoded
b
magic!
the message was weird to read though, I literally tried to decode them thinking they were b64 encoded already and it was getting a double encoding or something