
[EKS] [BUG]: CSR is not returning the certificate after approval in 1.21 #1604

@ahachete

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

This is a potential bug, as a) it doesn't match the service expectations; b) it doesn't happen with any previous EKS version; c) it works as expected on other, non-EKS 1.21s.

Essentially, upon submitting a Certificate Signing Request, EKS 1.21 is returning success but not including the certificate in the CSR's .status.certificate field. To reproduce please try to run:

cd /tmp
cat <<EOF | cfssl genkey - | cfssljson -bare server
{
  "hosts": [
    "label-demo",
    "label-demo.default",
    "label-demo.default.svc",
    "label-demo.default.svc.cluster.local"
  ],
  "CN": "system:node:label-demo.default.svc",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "O": "system:nodes"
    }
  ]
}
EOF

cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: label-demo
spec:
  request: $(cat /tmp/server.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kubelet-serving
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

The issue was discovered and documented in detail as part of the StackGres project. Please refer to the issue there for completeness.
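A diagnostic for the symptom reported above, added here as an example and not part of the original issue or of any project's code: it classifies a `certificates.k8s.io/v1` CertificateSigningRequest object and separates "approved but `.status.certificate` is empty" from a request that was actually issued. The function name, the state names and the sample objects are constructed for illustration; the embedded certificate is a placeholder, not a real one.

```python
import base64

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

def csr_state(csr: dict) -> str:
    """Classify a CSR object as returned by `kubectl get csr NAME -o json`."""
    status = csr.get("status") or {}
    # Only conditions whose status is "True" are in effect.
    active = {c.get("type") for c in status.get("conditions") or []
              if c.get("status") == "True"}
    if "Denied" in active:
        return "denied"
    if "Failed" in active:
        return "failed"          # the signer reported that it could not issue
    if "Approved" not in active:
        return "pending"
    cert_b64 = status.get("certificate")
    if not cert_b64:
        # The symptom in this issue: approval recorded, certificate never set.
        return "approved-not-issued"
    try:
        pem = base64.b64decode(cert_b64, validate=True)
    except ValueError:           # binascii.Error is a subclass of ValueError
        return "malformed-certificate"
    return "issued" if PEM_MARKER in pem else "malformed-certificate"

def _sample(conditions, certificate=None):
    """Build a constructed CSR object shaped like the one in the reproduction."""
    status = {"conditions": conditions}
    if certificate is not None:
        status["certificate"] = certificate
    return {"apiVersion": "certificates.k8s.io/v1",
            "kind": "CertificateSigningRequest",
            "metadata": {"name": "label-demo"},
            "spec": {"signerName": "kubernetes.io/kubelet-serving"},
            "status": status}

APPROVED = [{"type": "Approved", "status": "True"}]
# Placeholder PEM body (constructed, not a real certificate).
FAKE_CERT = base64.b64encode(
    PEM_MARKER + b"\nCONSTRUCTED\n-----END CERTIFICATE-----\n").decode()

SAMPLES = {"pending": _sample([]),
           "approved, no cert": _sample(APPROVED),
           "approved, cert set": _sample(APPROVED, FAKE_CERT)}

if __name__ == "__main__":
    for label, obj in SAMPLES.items():
        print(f"{label}: {csr_state(obj)}")
```
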

Labels: EKS (Amazon Elastic Kubernetes Service), Proposed (Community submitted issue)
