google-cloud-platform - kubectl - 证书管理器 - 未找到凭据
问题描述
我想在谷歌云平台上的入口(在 kubernetes 之上)启用 TLS 终止。
我的入口集群正在工作,我的证书管理器失败并显示错误消息
textPayload: "2018/07/05 22:04:00 Error while processing certificate during sync: Error while creating ACME client for 'domain': Error while initializing challenge provider googlecloud: Unable to get Google Cloud client: google: error getting credentials using GOOGLE_APPLICATION_CREDENTIALS environment variable: open /opt/google/kube-cert-manager.json: no such file or directory
"
这是我为了进入当前状态所做的:
- 创建集群、部署、服务、入口
执行:
gcloud --project 'project' iam service-accounts create kube-cert-manager-sv-security --display-name "kube-cert-manager-sv-security"
gcloud --project 'project' iam service-accounts 密钥创建 ~/.config/gcloud/kube-cert-manager-sv-security.json --iam-account kube-cert-manager-sv-security@'project'。 iam.gserviceaccount.com
gcloud --project 'project' 项目 add-iam-policy-binding --member serviceAccount:kube-cert-manager-sv-security@'project'.iam.gserviceaccount.com --role roles/dns.admin
kubectl 创建秘密通用 kube-cert-manager-sv-security-secret --from-file=/home/perre/.config/gcloud/kube-cert-manager-sv-security.json
并创建了以下资源:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kube-cert-manager-sv-security-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
apiVersion: v1
kind: ServiceAccount
metadata:
name: kube-cert-manager-sv-security
namespace: default
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: kube-cert-manager-sv-security
rules:
- apiGroups: ["*"]
resources: ["certificates", "ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["*"]
resources: ["secrets"]
verbs: ["get", "list", "create", "update", "delete"]
- apiGroups: ["*"]
resources: ["events"]
verbs: ["create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: kube-cert-manager-sv-security-service-account
subjects:
- kind: ServiceAccount
namespace: default
name: kube-cert-manager-sv-security
roleRef:
kind: ClusterRole
name: kube-cert-manager-sv-security
apiGroup: rbac.authorization.k8s.io
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: certificates.stable.k8s.psg.io
spec:
scope: Namespaced
group: stable.k8s.psg.io
version: v1
names:
kind: Certificate
plural: certificates
singular: certificate
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: kube-cert-manager-sv-security
name: kube-cert-manager-sv-security
spec:
replicas: 1
template:
metadata:
labels:
app: kube-cert-manager-sv-security
name: kube-cert-manager-sv-security
spec:
serviceAccount: kube-cert-manager-sv-security
containers:
- name: kube-cert-manager
env:
- name: GCE_PROJECT
value: solidair-vlaanderen-207315
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /opt/google/kube-cert-manager.json
image: bcawthra/kube-cert-manager:2017-12-10
args:
- "-data-dir=/var/lib/cert-manager-sv-security"
#- "-acme-url=https://acme-staging.api.letsencrypt.org/directory"
# NOTE: the URL above points to the staging server, where you won't get real certs.
# Uncomment the line below to use the production LetsEncrypt server:
- "-acme-url=https://acme-v01.api.letsencrypt.org/directory"
# You can run multiple instances of kube-cert-manager for the same namespace(s),
# each watching for a different value for the 'class' label
- "-class=kube-cert-manager"
# You can choose to monitor only some namespaces, otherwise all namespaces will be monitored
#- "-namespaces=default,test"
# If you set a default email, you can omit the field/annotation from Certificates/Ingresses
- "-default-email=viae.it@gmail.com"
# If you set a default provider, you can omit the field/annotation from Certificates/Ingresses
- "-default-provider=googlecloud"
volumeMounts:
- name: data-sv-security
mountPath: /var/lib/cert-manager-sv-security
- name: google-application-credentials
mountPath: /opt/google
volumes:
- name: data-sv-security
persistentVolumeClaim:
claimName: kube-cert-manager-sv-security-data
- name: google-application-credentials
secret:
secretName: kube-cert-manager-sv-security-secret
有谁知道我错过了什么?
解决方案
您的秘密资源kube-cert-manager-sv-security-secret
可能包含一个名为的 JSON 文件kube-cert-manager-sv-security.json
,但它与GOOGLE_APPLICATION_CREDENTIALS
值不匹配。您可以使用 确认秘密资源中的文件名kubectl get secret -oyaml YOUR-SECRET-NAME
。
因此,您将文件路径更改为实际文件名,cert-manager 工作正常。
- name: GOOGLE_APPLICATION_CREDENTIALS
# value: /opt/google/kube-cert-manager.json
value: /opt/google/kube-cert-manager-sv-security.json
推荐阅读
- python - 使用 python 包发布 Azure 函数
- javascript - Firebase 交易会不会出错?
- java - 通过持久属性的反射访问字段 [private java.lang.String com.example.demo.Student.firstName] 时出现休眠错误
- c# - C# 中的计时器在几个小时后停止触发事件
- javascript - 如何将一个包含数组的对象拆分为多个对象
- sql - 更新同一张表时发生死锁 - SQL
- c# - 如何从 autofac 范围内获取相同的实例?
- python - subprocess.Popen(cl, ..., shell=True) 不像 shell 命令转发器那样工作
- laravel - 将 Laravel vue 应用程序导入 nativescript vue
- ffmpeg - 如何使用ffmpeg将带有两个切片包的捕获视频流转换为带有一个切片包的传输流?