x509: certificate relies on legacy Common Name field

[myspotontheweb]

Describe the bug/feature

Mutating webhook throws the following error when submitting the valid nginx example:

$ kubectl apply -f tests/k8s/nginx_deployment.yml
Error from server (InternalError): error when creating "tests/k8s/nginx_deployment.yml": Internal error occurred: failed calling webhook "tesoro-admission-controller.tesoro.svc": Post "https://tesoro-admission-controller.tesoro.svc:443/mutate?timeout=30s": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

To Reproduce

I am evaluating Tesoro so was following the instructions:

1. Use latest version of minikube to start a cluster

$ minikube start
😄  minikube v1.15.1 on Ubuntu 18.04
✨  Using the docker driver based on user configuration
👍  Starting control plane node minikube in cluster minikube
🔥  Creating docker container (CPUs=2, Memory=3900MB) ...
🐳  Preparing Kubernetes v1.19.4 on Docker 19.03.13 ...
🔎  Verifying Kubernetes components...
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

2. Clone the tesoro

git clone git@github.com:kapicorp/tesoro.git

3. Run the commands in the instructions

kubectl apply -f k8s/clusterrole.yaml
kubectl apply -f k8s/clusterrolebinding.yaml
kubectl apply -f k8s/tesoro_namespace.yaml
kubectl -n tesoro apply -f k8s/tesoro_secret.yaml
kubectl -n tesoro apply -f k8s/tesoro_service.yaml
kubectl -n tesoro apply -f k8s/tesoro_deployment.yaml

Wait for pods to start

kubectl apply -f k8s/tesoro_mutatingwebhook.yaml

Test failed

$ kubectl apply -f tests/k8s/nginx_deployment.yml
Error from server (InternalError): error when creating "tests/k8s/nginx_deployment.yml": Internal error occurred: failed calling webhook "tesoro-admission-controller.tesoro.svc": Post "https://tesoro-admission-controller.tesoro.svc:443/mutate?timeout=30s": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

Expected behavior

Expected example to work

[myspotontheweb]

Looks like this is an issue with the v1.19 release of Kubernetes. Repeating the example with v1.18 worked as expected.

minikube start --driver docker --kubernetes-version=v1.18.12

Looks

• Kubernetes is now built with golang 1.15.0-rc.1 #93264

[ademariag]

I will take a look right away, thank you for the amazingly detailed issue report :)

[ademariag]

kapicorp/kapitan-reference#37
I have fixed the template we use to generate the certificates

I will upload soon the corrected example files.

[ademariag]

@ramaro my suggestion would be for the manifests here to match the ones from https://github.com/kapicorp/kapitan-reference/tree/master/compiled/tesoro, so that we can make it easier to regenerate.

In kapitan-reference I have used the name tesoro instead of tesoro-admission-controller for the webhook and the service (and the DNS name). Do you mind?

Also I have everything bundled up in a file instead of individual files for easier deployment.

Happy to generate ad-hoc certificates for the current naming you have in place, but I think we should direct people to kapitan-reference anyway.

What do you think?
See: #23

[ademariag]

meanwhile @myspotontheweb feel free to use the https://github.com/kapicorp/kapitan-reference/tree/master/compiled/tesoro version that should be also much easier to install (see kapicorp/kapitan-reference#37)

[ademariag]

hey @myspotontheweb , on this issue, I remember you suggested a much better approach at the time, but I cannot find where you wrote the suggestions. Did you remove the comment or did you write it somewhere else? on Slack perhaps?