Skip to content

Handle Kubernetes 1.36 pod certificate requests#8

Merged
Benjamin Elder (BenTheElder) merged 2 commits into
agent-substrate:mainfrom
howardjohn:cert/fix-sign
May 20, 2026
Merged

Handle Kubernetes 1.36 pod certificate requests#8
Benjamin Elder (BenTheElder) merged 2 commits into
agent-substrate:mainfrom
howardjohn:cert/fix-sign

Conversation

@howardjohn

Copy link
Copy Markdown
Collaborator

Kubernetes 1.36 stopped putting the subject key in spec.pkixPublicKey for PodCertificateRequest and now sends a stub PKCS#10 request instead. The old controller parsed the deprecated field unconditionally, so new PCRs had pkixPublicKey=null and failed with an ASN.1 'sequence truncated' error before any certificate could be issued.

Add a shared helper that extracts the public key from spec.stubPKCS10Request first and falls back to spec.pkixPublicKey for older clusters. Both pod identity and service DNS signers use that path, so their behavior stays consistent across Kubernetes versions. Bump the Kubernetes dependencies to expose the new field and update controller-runtime to the matching generation.

Without this, the ate-system pod all fail to start due to missing certificates.

  • Tests pass
  • Appropriate changes to documentation are included in the PR

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks John! You can tell we've been testing with 1.35 in kind and GKE so far 😅

Comment thread .github/workflows/pr-workflow.yaml Outdated
Kubernetes 1.36 stopped putting the subject key in spec.pkixPublicKey for PodCertificateRequest and now sends a stub PKCS#10 request instead. The old controller parsed the deprecated field unconditionally, so new PCRs had pkixPublicKey=null and failed with an ASN.1 'sequence truncated' error before any certificate could be issued.

Add a shared helper that extracts the public key from spec.stubPKCS10Request first and falls back to spec.pkixPublicKey for older clusters. Both pod identity and service DNS signers use that path, so their behavior stays consistent across Kubernetes versions. Bump the Kubernetes dependencies to expose the new field and update controller-runtime to the matching generation.

Add focused tests for CSR extraction, PKIX fallback, and missing key material.
Comment thread hack/install-ate-kind.sh
@BenTheElder Benjamin Elder (BenTheElder) merged commit e1ff0ad into agent-substrate:main May 20, 2026
4 checks passed
Tim Hockin (thockin) pushed a commit that referenced this pull request May 20, 2026
Discussed this morning with other maintainers.

We know we need to test more with 1.36 (see #8), this is just the
declaration of intent to start.
@BenTheElder Benjamin Elder (BenTheElder) added the kind/bug Something isn't working / bugfixes label May 21, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

kind/bug Something isn't working / bugfixes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants