EasyRSA for Dynamic Admission Controller fails

Trying to figure out how to TLS the kubernetes cluster…and having difficulty with this part trying to generate the dynamic admission controller.
First question is, why is this needed when it’s not referenced in the operator-specific documentation (https://docs.couchbase.com/operator/current/reference-couchbasecluster.html#spec-networking-tls)?
And how does this one get defined in the operator?
If it’s not needed, why is it documented here?

./easyrsa --subject-alt-name=couchbase-operator-admission.operator-admission.svc build-server-full couchbase-admission-controller nopass

Using SSL: openssl OpenSSL 1.1.1 11 Sep 2018
Error Loading request extension section req_extra
140197617070528:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:…/crypto/x509v3/v3_alt.c:512:
140197617070528:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:…/crypto/x509v3/v3_conf.c:47:name=subjectAltName, value=couchbase-operator-admission.operator-admission.svc

Easy-RSA error:

Failed to generate request
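On the error in the post above: OpenSSL's `subjectAltName` extension takes comma-separated `type:value` entries, and the value passed here is a bare hostname with no `DNS:` prefix, which is what `v2i_GENERAL_NAME_ex:missing value` reports. The following is an added example, not part of the original thread or the Couchbase documentation; the helper names `san_value` and `cert_has_dns_san` are hypothetical, and the certificate path assumes the default Easy-RSA 3 `pki/` layout.

```shell
#!/bin/sh
# Added example: build a typed subjectAltName value for Easy-RSA / OpenSSL.
# A bare hostname is rejected; each entry must look like DNS:name or IP:addr.

# san_value NAME... -> prints e.g. "DNS:a.svc,IP:10.0.0.1" on stdout.
san_value() {
    out=""
    for name in "$@"; do
        case "$name" in
            '')
                echo "san_value: empty name" >&2
                return 1 ;;
            DNS:*|IP:*|email:*|URI:*)
                entry="$name" ;;        # already typed, keep unchanged
            *:*)
                entry="IP:$name" ;;     # other ':' -> assume IPv6 literal
            *[!0-9.]*)
                entry="DNS:$name" ;;    # any non-digit, non-dot -> hostname
            *)
                entry="IP:$name" ;;     # digits and dots only -> IPv4 literal
        esac
        out="${out:+$out,}$entry"
    done
    printf '%s\n' "$out"
}

# cert_has_dns_san CERT NAME -> exit 0 if CERT carries NAME as a DNS SAN.
# Uses "openssl x509 -ext", available from OpenSSL 1.1.1.
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//' | grep -Fqx "DNS:$2"
}

# Usage with the command from the post (run inside the Easy-RSA directory):
#   svc=couchbase-operator-admission.operator-admission.svc
#   ./easyrsa --subject-alt-name="$(san_value "$svc")" \
#       build-server-full couchbase-admission-controller nopass
#   cert_has_dns_san pki/issued/couchbase-admission-controller.crt "$svc" \
#       && echo "SAN present"
```

The SAN check matters here because the Kubernetes API server validates the webhook's serving certificate against the service DNS name, so a certificate issued without that entry will fail TLS verification.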

99% of people will not need to generate certificates for the DAC; they are automatically generated by the cbopcfg generate admission command (that’s the 2.1 version). It’s certainly not required for a Couchbase cluster resource, so you can ignore it.

The other 1% of people will either need to generate certificates by hand, or use a 3rd party controller like cert-manager for security compliance. That’s why it’s documented; so they know how to configure it.

gotcha, thanks, perhaps a note in the docs would make it more clear that this is an edge case and most probably won’t need to do this…

I’m actually in the area, adding in support for kubernetes.io/tls type secrets, and – hallelujah – PKCS#8 support, consider it done!