GoogleCloudPlatform / endpoints-samples

Apache License 2.0

kubernetes SSL sample not working #47

Open hemanth7787 opened 6 years ago

hemanth7787 commented 6 years ago

Followed instruction from this readme: https://github.com/GoogleCloudPlatform/endpoints-samples/tree/master/k8s/dns-ssl-kube-lego

CLUSTER_NAME=endpoints-dns-sample
CLUSTER_ZONE="us-west1-a"
gcloud services enable container.googleapis.com
gcloud container clusters create ${CLUSTER_NAME} --zone=${CLUSTER_ZONE} --num-nodes=3
gcloud container clusters get-credentials ${CLUSTER_NAME} --zone=${CLUSTER_ZONE}
git clone https://github.com/GoogleCloudPlatform/endpoints-samples.git
cd endpoints-samples/k8s/dns-ssl-kube-lego
deploy.sh

Enter your email address (for Let's Encrypt to send certificate expiration notifications): name@comany.com
Deploying KubeLego in the kube-lego namespace
namespace "kube-lego" created
configmap "kube-lego" created
deployment "kube-lego" created
Enter the project ID: my-project-name
Deploying Kubernetes Ingress
namespace "echo" created
ingress "echo-ingress" created
Waiting for Ingress public IP address...
NAME           HOSTS                                       ADDRESS   PORTS     AGE
echo-ingress   echo.endpoints.my-project-name.cloud.goog             80, 443   1s
NAME           HOSTS                                       ADDRESS   PORTS     AGE
echo-ingress   echo.endpoints.my-project-name.cloud.goog             80, 443   8s
NAME           HOSTS                                       ADDRESS   PORTS     AGE
echo-ingress   echo.endpoints.my-project-name.cloud.goog             80, 443   15s
NAME           HOSTS                                       ADDRESS   PORTS     AGE
echo-ingress   echo.endpoints.my-project-name.cloud.goog             80, 443   22s
NAME           HOSTS                                       ADDRESS   PORTS     AGE
echo-ingress   echo.endpoints.my-project-name.cloud.goog             80, 443   29s
NAME           HOSTS                                       ADDRESS   PORTS     AGE
echo-ingress   echo.endpoints.my-project-name.cloud.goog             80, 443   36s
NAME           HOSTS                                       ADDRESS   PORTS     AGE
echo-ingress   echo.endpoints.my-project-name.cloud.goog             80, 443   43s
NAME           HOSTS                                       ADDRESS         PORTS     AGE
echo-ingress   echo.endpoints.my-project-name.cloud.goog   35.227.214.24   80, 443   49s
Ingress IP address : 35.227.214.24
Deploying Endpoints service configuration
Waiting for async operation operations/serviceConfigs.echo.endpoints.my-project-name.cloud.goog:381266e9-c515-44f1-9019-dfa6f9c834c5 to complete...
Operation finished successfully. The following command can describe the Operation details:
gcloud endpoints operations describe operations/serviceConfigs.echo.endpoints.my-project-name.cloud.goog:381266e9-c515-44f1-9019-dfa6f9c834c5
Waiting for async operation operations/rollouts.echo.endpoints.my-project-name.cloud.goog:961f109c-11e5-47e5-b347-40b68b6af17c to complete...
Operation finished successfully. The following command can describe the Operation details:
gcloud endpoints operations describe operations/rollouts.echo.endpoints.my-project-name.cloud.goog:961f109c-11e5-47e5-b347-40b68b6af17c
Service Configuration [2018-05-25r4] uploaded for service [echo.endpoints.my-project-name.cloud.goog]
To manage your API, go to:
https://console.cloud.google.com/endpoints/api/echo.endpoints.my-project-name.cloud.goog/overview?project=my-project-name
Deploying the echo backend
service "echo-service" created
deployment "echo-backend" created
In a few minutes, https://echo.endpoints.my-project-name.cloud.goog should be provisioned with a Let's Encrypt certificate

Waited for 30 mins.

The HTTP endpoint is working but HTTPS is not.

dig echo.endpoints.${PROJECT_ID}.cloud.goog

;; ANSWER SECTION: echo.endpoints.my-project-name.cloud.goog. 59 IN A xxx.yyy.zzz.aaa

curl http://echo.endpoints.${PROJECT_ID}.cloud.goog/.well-known/acme-challenge/_selftest

{ "code": 5, "message": "Method does not exist.", "details": [ { "@type": "type.googleapis.com/google.rpc.DebugInfo", "stackEntries": [], "detail": "service_control" } ] }

kubectl --namespace=echo get secret echo-tls

Error from server (NotFound): secrets "echo-tls" not found

kubectl logs kube-lego-7dcvc89cb5-fbm5k --namespace kube-lego

E0525 16:56:28.842756 1 reflector.go:201] github.com/jetstack/kube-lego/pkg/kubelego/watch.go:112: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:kube-lego:default" cannot list ingresses.extensions at the cluster scope: Unknown user "system:serviceaccount:kube-lego:default"

hemanth7787 commented 6 years ago

It seems the problem is related to service account creation: https://github.com/jetstack/kube-lego/issues/290

See @michailbrynard's answer.

hemanth7787 commented 6 years ago

Solution:

gcloud info | grep Account

myname@mycompany.com

kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin --user=myname@mycompany.com

After that, follow this tutorial: https://github.com/jetstack/kube-lego/blob/master/examples/gce/README.md

djaax commented 5 years ago

This should work too if you're logged in:

kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole cluster-admin \
  --user $(gcloud config get-value account)
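The binding in the two replies above grants the operator's own Google account cluster-admin. On GKE that step is needed because RBAC only lets you create a ClusterRole or ClusterRoleBinding granting permissions you already hold yourself. It does not, by itself, fix the error in the kube-lego log, which is the pod's own identity (`system:serviceaccount:kube-lego:default`) being denied `list ingresses.extensions`. The kube-lego deployment needs its own ServiceAccount bound to a ClusterRole scoped to what it does, rather than the namespace's default ServiceAccount or cluster-admin. The manifest below is an added illustration for this thread, not code from endpoints-samples or kube-lego; the resource and verb list is an assumption based on what kube-lego does (watch Ingresses and add the ACME challenge path to them, store issued certificates in Secrets, expose its challenge responder through a Service/Endpoints), so compare it with the kube-lego GCE README linked above before relying on it.

```yaml
# Added example (not from the endpoints-samples or kube-lego repositories).
# Dedicated identity for the kube-lego pod plus a least-privilege ClusterRole,
# as an alternative to leaving the pod on kube-lego:default with no rights.
# The rules below are an assumption about what kube-lego needs; verify against
# the kube-lego documentation before applying.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-lego
  namespace: kube-lego
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-lego
rules:
  # Issued certificates are written to Secrets in the Ingress's namespace
  # (the missing "echo-tls" secret above is one of these).
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update"]
  # kube-lego publishes its HTTP-01 challenge responder as a Service.
  - apiGroups: [""]
    resources: ["services", "endpoints"]
    verbs: ["get", "list", "create", "update"]
  # The denied call in the log: listing/watching Ingresses cluster-wide,
  # plus updating them to route /.well-known/acme-challenge to kube-lego.
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-lego
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-lego
subjects:
  - kind: ServiceAccount
    name: kube-lego
    namespace: kube-lego
```

Apply it with `kubectl apply -f` after the cluster-admin binding for your own account exists, then set `serviceAccountName: kube-lego` in the pod template of the `kube-lego` Deployment and let the pod restart. Before waiting another 30 minutes for a certificate, check the decision the API server will actually make for the new identity: `kubectl auth can-i list ingresses.extensions --as=system:serviceaccount:kube-lego:kube-lego` should print `yes`, and the same query with `--as=system:serviceaccount:kube-lego:default` should still print `no`, which confirms the fix is scoped to the one ServiceAccount and nothing else in the cluster picked up extra rights.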