kubectl-证书管理器-找不到凭据

时间:2018-07-06 06:02:54

标签: google-cloud-platform google-kubernetes-engine kubernetes-ingress

我想在google cloud平台上的入口(在kubernetes上)启用TLS终止。

我的入口群集正在运行,我的证书管理器失败并显示错误消息

textPayload:  "2018/07/05 22:04:00 Error while processing certificate during sync: Error while creating ACME client for 'domain': Error while initializing challenge provider googlecloud: Unable to get Google Cloud client: google: error getting credentials using GOOGLE_APPLICATION_CREDENTIALS environment variable: open /opt/google/kube-cert-manager.json: no such file or directory
"

这是我为了进入当前状态所做的事情:

  • 创建集群,部署,服务,入口

  • 已执行:

    gcloud --project'project'iam服务帐户创建kube-cert-manager-sv-security --display-name“ kube-cert-manager-sv-security”

    gcloud --project'project'iam服务帐户密钥创建〜/ .config / gcloud / kube-cert-manager-sv-security.json --iam-account kube-cert-manager-sv-security @'项目'.iam.gserviceaccount.com

    gcloud --project'project'项目add-iam-policy-binding-成员serviceAccount:kube-cert-manager-sv-security@'project'.iam.gserviceaccount.com --role role / dns.admin

    kubectl创建秘密的通用kube-cert-manager-sv-security-secret --from-file = / home / perre / .config / gcloud / kube-cert-manager-sv-security.json

    < / li>

并创建了以下资源:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: kube-cert-manager-sv-security-data
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi

apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-cert-manager-sv-security
  namespace: default
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
    name: kube-cert-manager-sv-security
rules:
  - apiGroups: ["*"]
    resources: ["certificates", "ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["*"]
    resources: ["secrets"]
    verbs: ["get", "list", "create", "update", "delete"]
  - apiGroups: ["*"]
    resources: ["events"]
    verbs: ["create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kube-cert-manager-sv-security-service-account
subjects:
  - kind: ServiceAccount
    namespace: default
    name: kube-cert-manager-sv-security
roleRef:
  kind: ClusterRole
  name: kube-cert-manager-sv-security
  apiGroup: rbac.authorization.k8s.io
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: certificates.stable.k8s.psg.io
spec:
  scope: Namespaced
  group: stable.k8s.psg.io
  version: v1
  names:
    kind: Certificate
    plural: certificates
    singular: certificate
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: kube-cert-manager-sv-security
  name: kube-cert-manager-sv-security
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: kube-cert-manager-sv-security
      name: kube-cert-manager-sv-security
    spec:
      serviceAccount: kube-cert-manager-sv-security
      containers:
        - name: kube-cert-manager
          env:
          - name: GCE_PROJECT
            value: solidair-vlaanderen-207315
          - name: GOOGLE_APPLICATION_CREDENTIALS
            value: /opt/google/kube-cert-manager.json
          image: bcawthra/kube-cert-manager:2017-12-10
          args:
            - "-data-dir=/var/lib/cert-manager-sv-security"
            #- "-acme-url=https://acme-staging.api.letsencrypt.org/directory"
            # NOTE: the URL above points to the staging server, where you won't get real certs.
            # Uncomment the line below to use the production LetsEncrypt server:
            - "-acme-url=https://acme-v01.api.letsencrypt.org/directory"
            # You can run multiple instances of kube-cert-manager for the same namespace(s),
            # each watching for a different value for the 'class' label
            - "-class=kube-cert-manager"
            # You can choose to monitor only some namespaces, otherwise all namespaces will be monitored
            #- "-namespaces=default,test"
            # If you set a default email, you can omit the field/annotation from Certificates/Ingresses
            - "-default-email=viae.it@gmail.com"
            # If you set a default provider, you can omit the field/annotation from Certificates/Ingresses
            - "-default-provider=googlecloud"
          volumeMounts:
            - name: data-sv-security
              mountPath: /var/lib/cert-manager-sv-security
            - name: google-application-credentials
              mountPath: /opt/google
      volumes:
        - name: data-sv-security
          persistentVolumeClaim:
            claimName: kube-cert-manager-sv-security-data
        - name: google-application-credentials
          secret:
            secretName: kube-cert-manager-sv-security-secret

有人知道我想念什么吗?

1 个答案:

答案 0 :(得分:0)

您的秘密资源select = element.all(by.tagName('ng-select')).get(0); select = element.all(by.tagName('ng-select')).get(1); 可能包含一个名为kube-cert-manager-sv-security-secret的JSON文件,并且与kube-cert-manager-sv-security.json的值不匹配。您可以使用GOOGLE_APPLICATION_CREDENTIALS在机密资源中确认文件名。

因此,您将文件路径更改为实际的文件名,cert-manager可以正常工作。

kubectl get secret -oyaml YOUR-SECRET-NAME
相关问题
最新问题