I get the following error with my Terraform configuration.
Error: Post "https://35.224.178.141/api/v1/namespaces": x509: certificate signed by unknown authority
on main.tf line 66, in resource "kubernetes_namespace" "example":
66: resource "kubernetes_namespace" "example" {
Here is my configuration. All I am trying to do at the moment is use it to create a cluster, authenticate to it, and create a namespace. I have searched everywhere and cannot find anyone else hitting this problem. It is most likely something stupid I am doing. I thought this would be relatively simple, but it is turning out to be painful. I do not want to wrap gcloud commands in my build scripts.
provider "google" {
  project     = var.project
  region      = var.region
  zone        = var.zone
  credentials = "google-key.json"
}

terraform {
  backend "gcs" {
    bucket      = "tf-state-bucket-devenv"
    prefix      = "terraform"
    credentials = "google-key.json"
  }
}

resource "google_container_cluster" "my_cluster" {
  name                     = var.kube-clustername
  location                 = var.zone
  remove_default_node_pool = true
  initial_node_count       = 1

  master_auth {
    username = ""
    password = ""

    client_certificate_config {
      issue_client_certificate = false
    }
  }
}

resource "google_container_node_pool" "primary_preemptible_nodes" {
  name       = var.kube-poolname
  location   = var.zone
  cluster    = google_container_cluster.my_cluster.name
  node_count = var.kube-nodecount

  node_config {
    preemptible  = var.kube-preemptible
    machine_type = "n1-standard-1"
    disk_size_gb = 10
    disk_type    = "pd-standard"

    metadata = {
      disable-legacy-endpoints = "true",
    }

    oauth_scopes = [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
    ]
  }
}

data "google_client_config" "provider" {}

provider "kubernetes" {
  load_config_file       = false
  host                   = "https://${google_container_cluster.my_cluster.endpoint}"
  cluster_ca_certificate = "{base64decode(google_container_cluster.my_cluster.master_auth.0.cluster_ca_certificate)}"
  token                  = "{data.google_client_config.provider.access_token}"
}

resource "kubernetes_namespace" "example" {
  metadata {
    name = "my-first-namespace"
  }
}
Answer 0 (score: 0)

TL;DR

Change the provider definition to:

provider "kubernetes" {
  load_config_file       = false
  host                   = "https://${google_container_cluster.my_cluster.endpoint}"
  cluster_ca_certificate = base64decode(google_container_cluster.my_cluster.master_auth.0.cluster_ca_certificate)
  token                  = data.google_client_config.provider.access_token
}

What changed?

The surrounding "{}" was removed from the cluster_ca_certificate and token values.

I have attached an explanation below.

I used your original Terraform file and got the same error as you. I modified (simplified) your Terraform file and added output definitions:
resource "google_container_cluster" "my_cluster" {
  OMITTED
}

data "google_client_config" "provider" {}

provider "kubernetes" {
  load_config_file       = false
  host                   = "https://${google_container_cluster.my_cluster.endpoint}"
  cluster_ca_certificate = "{base64decode(google_container_cluster.my_cluster.master_auth.0.cluster_ca_certificate)}"
  token                  = "{data.google_client_config.provider.access_token}"
}

output "cert" {
  value = "{base64decode(google_container_cluster.my_cluster.master_auth.0.cluster_ca_certificate)}"
}

output "token" {
  value = "{data.google_client_config.provider.access_token}"
}

Running the file above shows:
$ terraform apply --auto-approve
data.google_client_config.provider: Refreshing state...
google_container_cluster.my_cluster: Creating...
google_container_cluster.my_cluster: Creation complete after 2m48s [id=projects/PROJECT-NAME/locations/europe-west3-c/clusters/gke-terraform]
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
Outputs:
cert = {base64decode(google_container_cluster.my_cluster.master_auth.0.cluster_ca_certificate)}
token = {data.google_client_config.provider.access_token}
As you can see, the values are passed to the provider as the literal strings rather than being "processed" into the values you want. To fix this you need to change the provider definition to:

  cluster_ca_certificate = base64decode(google_container_cluster.my_cluster.master_auth.0.cluster_ca_certificate)
  token                  = data.google_client_config.provider.access_token

Running $ terraform apply --auto-approve again:
data.google_client_config.provider: Refreshing state...
google_container_cluster.my_cluster: Creation complete after 3m18s [id=projects/PROJECT-NAME/locations/europe-west3-c/clusters/gke-terraform]
kubernetes_namespace.example: Creating...
kubernetes_namespace.example: Creation complete after 0s [id=my-first-namespace]
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
Outputs:
cert = -----BEGIN CERTIFICATE-----
MIIDKzCCAhOgAwIBAgIRAO2bnO3FU6HZ0T2u3XBN1jgwDQYJKoZIhvcNAQELBQAw
<--OMITTED-->
a9Ybow5tZGu+fqvFHnuCg/v7tln/C3nVuTbwa4StSzujMsPxFv4ONVl4F4UaGw0=
-----END CERTIFICATE-----
token = ya29.a0AfH6SMBx<--OMITTED-->fUvCeFg
You can see that the namespace was created. You can check it by running:
$ gcloud container clusters get-credentials CLUSTER-NAME --zone=ZONE
$ kubectl get namespace my-first-namespace
Output:

NAME                 STATUS   AGE
my-first-namespace   Active   3m14s
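The x509 error in the question is the Terraform Kubernetes provider's TLS client doing its job: it was handed the text `{base64decode(...)}` as its trust anchor, so no certificate could ever validate against it, and the right fix is the one in the answer (give it the real cluster CA), not turning verification off. The following Python script is an added example, not code from the question, the answer, or the Terraform project. It does two things a practitioner would want before the next `terraform apply`: a small lint that flags attributes written as `"{expr}"` (a string literal in HCL2; only a bare `expr` or `"${expr}"` is evaluated), and a classifier for what the provider would actually receive in `cluster_ca_certificate`. The provider blocks and the PEM stand-in are constructed samples; the one-attribute-per-line regex is an assumption that is enough for this mistake, not a full HCL parser.

```python
import base64
import re

# Constructed samples (not copied from the question or answer verbatim): the
# provider block with the two values quoted as string literals, which is the
# bug the answer diagnoses, and the corrected block.
BROKEN_PROVIDER = '''
provider "kubernetes" {
  load_config_file       = false
  host                   = "https://${google_container_cluster.my_cluster.endpoint}"
  cluster_ca_certificate = "{base64decode(google_container_cluster.my_cluster.master_auth.0.cluster_ca_certificate)}"
  token                  = "{data.google_client_config.provider.access_token}"
}
'''

FIXED_PROVIDER = '''
provider "kubernetes" {
  load_config_file       = false
  host                   = "https://${google_container_cluster.my_cluster.endpoint}"
  cluster_ca_certificate = base64decode(google_container_cluster.my_cluster.master_auth.0.cluster_ca_certificate)
  token                  = data.google_client_config.provider.access_token
}
'''

# Constructed stand-in for a cluster CA (not a real certificate), used only to
# show the shape of a correctly evaluated cluster_ca_certificate.
SAMPLE_CLUSTER_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBConstructedSampleNotARealCertificate\n"
    "-----END CERTIFICATE-----\n"
)
# What GKE's master_auth.0.cluster_ca_certificate holds: the PEM, base64-encoded.
SAMPLE_CLUSTER_CA_B64 = base64.b64encode(SAMPLE_CLUSTER_CA_PEM.encode()).decode()

PEM_HEADER = "-----BEGIN CERTIFICATE-----"

# Assumption: one `name = value` attribute per line. Enough to catch this
# particular mistake; it is not a full HCL parser.
_ATTR_RE = re.compile(r'^\s*(?P<name>[A-Za-z_][A-Za-z0-9_-]*)\s*=\s*(?P<value>.+?)\s*$')
# A quoted string whose entire body is {expr} with no leading '$'. HCL2 never
# evaluates that; the provider receives the literal text of the expression.
_LITERAL_BRACES_RE = re.compile(r'^"\{(?P<expr>[^{}$]*)\}"$')


def find_literal_expressions(hcl_text):
    """Return (attribute, expression) pairs whose value was written as "{expr}"."""
    findings = []
    for line in hcl_text.splitlines():
        attr = _ATTR_RE.match(line)
        if not attr:
            continue
        literal = _LITERAL_BRACES_RE.match(attr.group("value"))
        if literal:
            findings.append((attr.group("name"), literal.group("expr")))
    return findings


def classify_ca_value(value):
    """Say what the kubernetes provider would actually get as its trust anchor.

    "pem"         PEM certificate: the form cluster_ca_certificate expects
    "base64-pem"  still base64-encoded: base64decode() was not applied
    "unevaluated" the literal text of a Terraform expression (the bug above)
    "unknown"     none of the above; do not hand it to a TLS client
    """
    text = value.strip()
    if text.startswith(PEM_HEADER):
        return "pem"
    if text.startswith("{") and text.endswith("}"):
        return "unevaluated"
    try:
        decoded = base64.b64decode(text, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return "unknown"
    return "base64-pem" if decoded.startswith(PEM_HEADER) else "unknown"


if __name__ == "__main__":
    for name, expr in find_literal_expressions(BROKEN_PROVIDER):
        print(f'{name}: "{{{expr}}}" is a string literal; write {expr} instead')
    print("fixed block findings:", find_literal_expressions(FIXED_PROVIDER))
    # The two forms `terraform output cert` showed in the answer, before and after the fix:
    print(classify_ca_value("{base64decode(google_container_cluster.my_cluster.master_auth.0.cluster_ca_certificate)}"))
    print(classify_ca_value(SAMPLE_CLUSTER_CA_PEM))
```

Run `classify_ca_value` on the text of `terraform output cert` (or on the value from `gcloud container clusters describe`): anything other than "pem" means the provider is about to be given the wrong trust anchor, and the same x509 failure will follow.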