Incorrect make command in https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#securing-the-service

[gireeshp]

This is a Bug Report

Problem:
The section Securing the service shows a make command:

make keys secret KEY=/tmp/nginx.key CERT=/tmp/nginx.crt SECRET=/tmp/secret.json
kubectl apply -f /tmp/secret.json

But the first command fails with error: make: *** No rule to make target ``secret'. Stop.. And so the secret isn't created.

As per the documentation, the make file is from nginx https example and in this Makefile, there is no target "Secret".

Proposed Solution:
As per the README of nginx https example, the above commands should be modified as:

make keys KEY=/tmp/nginx.key CERT=/tmp/nginx.crt
kubectl create secret tls nginxsecret --key /tmp/nginx.key --cert /tmp/nginx.crt

This works.

Page to Update:
https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#securing-the-service

[sftim]

/kind bug
/priority backlog

[gireeshp]

PR for this (#17599 ) is merged & closed. Hence closing this issue.

[gireeshp]

Though the make command & secret creation worked after the above change, the POD is going to CrashLoopBackOff when using this secret.

(base) Gireeshs-MacBook-Pro:https-nginx gireesh$ make keys KEY=/tmp/nginx.key CERT=/tmp/nginx.crt
# The CName used here is specific to the service specified in nginx-app.yaml.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/nginx.key -out /tmp/nginx.crt -subj "/CN=nginxsvc/O=nginxsvc"
Generating a RSA private key
...............................+++++
...........................................+++++

(base) Gireeshs-MacBook-Pro:https-nginx gireesh$ kubectl create secret tls nginxsecret --key /tmp/nginx.key --cert /tmp/nginx.crt
secret/nginxsecret created

(base) Gireeshs-MacBook-Pro:https-nginx gireesh$ kubectl get secrets
NAME                  TYPE                                  DATA   AGE
default-token-llb2g   kubernetes.io/service-account-token   3      91s
nginxsecret           kubernetes.io/tls                     2      10s

(base) Gireeshs-MacBook-Pro:k8-try-out gireesh$ kubectl create -f nginx-secure-app.yaml 
service/my-nginx created
deployment.apps/my-nginx created

(base) Gireeshs-MacBook-Pro:k8-try-out gireesh$ kubectl get pods
NAME                        READY   STATUS             RESTARTS   AGE
my-nginx-685744944d-fv7rr   0/1     CrashLoopBackOff   2          57s

(base) Gireeshs-MacBook-Pro:k8-try-out gireesh$ kubectl logs my-nginx-685744944d-fv7rr
2019/11/19 13:20:33 [emerg] 1#1: BIO_new_file("/etc/nginx/ssl/nginx.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/nginx.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: [emerg] BIO_new_file("/etc/nginx/ssl/nginx.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/nginx.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)

But when the secret is created using the yaml (from the alternate option given here), everything works fine. When the secret is created using the "kubectl create secret" command, the above error occurs.

Any suggestions? Reopening the issue.

[gireeshp]

@sftim @tengqm any suggestions on what's the issue with "kubectl create secret" command? and why it is working fine when tried using yaml?

[sftim]

Not sure I'll have time to look at this for a while

[tengqm]

@gireeshp If fix #17810 works for you, please close this one.

[gireeshp]

This change worked for me and the container got created too without any issues. I'm closing this issue.
However, there's a minor change needed to make it complete, I guess. I'll comment the same against the PR.