Error running kubeadm init creating secret

[mikedanese]

The bootstrap secret name seems to be invalid?

Jan  7 03:14:05 ubuntu startupscript: [apiclient] All control plane components are healthy after 440.821862 seconds
Jan  7 03:14:05 ubuntu startupscript: [apiclient] Waiting for at least one node to register and become ready
Jan  7 03:14:06 ubuntu startupscript: [apiclient] First node is ready after 0.507315 seconds
Jan  7 03:14:06 ubuntu startupscript: [apiclient] Creating a test deployment
Jan  7 03:14:11 ubuntu startupscript: [apiclient] Test deployment succeeded
Jan  7 03:14:11 ubuntu startupscript: [token-discovery] Using token: 97C8F0.DE9BBD4B6667FD83
Jan  7 03:14:11 ubuntu startupscript: [token-discovery] Created the kube-discovery deployment, waiting for it to become ready
Jan  7 03:14:20 ubuntu startupscript: [token-discovery] kube-discovery is ready after 9.503152 seconds
Jan  7 03:14:20 ubuntu startupscript: <util/tokens> unable to create bootstrap token after 5 attempts [Secret "bootstrap-token-97C8F0" is invalid: metadata.name: Invalid value: "bootstrap-token-97C8F0": a valid DNS (RFC 1123) subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')]

cc @dgoodwin

[pires]

AFAIK DNS is case-insensitive.

[dgoodwin]

What would one need to do to reproduce this? I can't hit it with latest unstable packages or a freshly compiled master kubeadm, do I need a new apiserver image of some version to see it?

Anyone know how a secret metadata name would be getting treated like a URL?

[mikedanese]

kubeadm init --discovery token://16FD93:197371CBC77DF196@ --api-port 443 --skip-preflight-checks --api-advertise-addresses 104.155.191.223 --use-kubernetes-version v1.6.0-alpha

And the error is coming from here:

https://github.com/kubernetes/kubernetes/blob/1f2a2f13d8217f8ce7edf02295ec236d789dc5c1/cmd/kubeadm/app/cmd/init.go#L248-L250

[mikedanese]

@pires is right, the problem is the capitalization of the 97C8F0.

[pires]

@mikedanese should we fix this or lowercase the token?

I can take care of this if no one else is already.

[pires]

Found the culprit, kubernetes/kubernetes#38090.

[thockin]

just generate lowe-case randoms, please? In fact, you should use https://github.com/kubernetes/kubernetes/blob/master/pkg/util/rand/rand.go#L79

[luxas]

Yes, dns labels in k8s should always be lowercase, and kubeadm should do that as well.

@pires Please just make kubeadm use/convert to lowercase tokens.

[pires]

I'm ok with lower-casing the token but I'm not sure we should enforce tokens without vowels. Waiting on @mikedanese feedback before proceeding.

[luxas]

@pires Vowels are ok for the validation, it's just the random method that @thockin suggested that doesn't generate such strings. We already have the token generator, so the only thing we have to do is to lowercase the token in all cases.

[thockin]

I don't know what you're doing with this token - the function I linked to is for human-facing strings, mostly.

…

On Mon, Jan 9, 2017 at 1:14 PM, Lucas Käldström ***@***.***> wrote: @pires <https://github.com/pires> Vowels are ok for the validation, it's just the random method that @thockin <https://github.com/thockin> suggested that doesn't generate such strings. We already have the token generator, so the only thing we have to do is to lowercase the token in all cases. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#104 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFVgVN3WOfZxi8ugcRsS8xOpQgs-uH2Mks5rQqM9gaJpZM4LdUF1> .

[luxas]

Yes, I read the totally reasonable issue about and fix for not having vowels in user-facing generated strings :)

@thockin The token is kind of a password for being able to authenticate from a node to a master before knowing about or trusting the CA certs. Then a JWS flow follows. See https://github.com/kubernetes/community/blob/master/contributors/design-proposals/bootstrap-discovery.md for more info

[thockin]

If it is meant to be cut-and-pasted, that's fine. If it is meant to be read and typed by humans, we have another PR in flight that purports to make more phonetic random names.

…

On Mon, Jan 9, 2017 at 1:37 PM, Lucas Käldström ***@***.***> wrote: Yes, I read the totally reasonable issue about and fix for not having vowels in user-facing generated strings :) @thockin <https://github.com/thockin> The token is kind of a password for being able to authenticate from a node to a master before knowing about or trusting the CA certs. Then a JWS flow follows. See https://github.com/kubernetes/community/blob/master/ contributors/design-proposals/bootstrap-discovery.md for more info — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#104 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFVgVKqvw-FUJj92BioaYom1NH7VVtJNks5rQqiegaJpZM4LdUF1> .

[luxas]

@thockin Cut-and-pasted