Closed bmhatfield closed 5 years ago
I did some research which suggests that this controller is failing because the underlying instance doesn't have the needed scopes.
After learning that, I learned that scopes must be added at cluster creation time, and that they aren't the recommended way to configure service accounts.
What is the intention here? Can I create a real service account and pass it to this controller somehow? Do I have to recreate my cluster?
Is it possible to document this in the README.md?
Thank you!
I was able to resolve this by copying managed-certificate-controller.yml and adding a volume mount with a service account JSON, and then setting GOOGLE_APPLICATION_CREDENTIALS.

env:
- name: GOOGLE_APPLICATION_CREDENTIALS
  value: /var/run/secret/cloud.google.com/test-205-manged-certificates.json
I recommend this be documented in the readme.
PS: that service account was granted access via a custom role I created that has the following permissions:
compute.sslCertificates.create
compute.sslCertificates.delete
compute.sslCertificates.get
compute.sslCertificates.list
You can find the code reference to this service account option via: https://github.com/GoogleCloudPlatform/gke-managed-certs/blob/v0.3.0/pkg/config/config.go#L146
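For readers who want to see the full shape of the workaround described above (Secret, volume mount and environment variable together), here is an added example manifest. It is not the project's managed-certificate-controller.yml and not the commenter's file; the Secret name, volume name, key filename, namespace and the image placeholder are assumptions chosen for illustration, and the embedded key content is a constructed placeholder.

```yaml
# Added example, not the project's own manifest.
# A Secret holding a service account key, mounted read-only into the
# controller Pod, with GOOGLE_APPLICATION_CREDENTIALS pointing at the file.
# Names (managed-certificate-sa-key, sa-key.json, the Deployment name) are
# assumptions for illustration.
apiVersion: v1
kind: Secret
metadata:
  name: managed-certificate-sa-key
  namespace: default
type: Opaque
stringData:
  # Constructed placeholder; replace with the JSON key of the service account
  # that was granted the custom role (compute.sslCertificates.create/delete/get/list).
  sa-key.json: |
    {"type": "service_account", "project_id": "PLACEHOLDER_PROJECT"}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: managed-certificate-controller
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: managed-certificate-controller
  template:
    metadata:
      labels:
        app: managed-certificate-controller
    spec:
      containers:
      - name: managed-certificate-controller
        # Placeholder: use the controller image from the project's manifest.
        image: PLACEHOLDER_CONTROLLER_IMAGE
        env:
        # The Google client libraries read this variable to find the key file.
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /var/run/secret/cloud.google.com/sa-key.json
        volumeMounts:
        - name: sa-key
          mountPath: /var/run/secret/cloud.google.com
          readOnly: true
      volumes:
      - name: sa-key
        secret:
          secretName: managed-certificate-sa-key
          # Key file is readable only by the owner inside the container.
          defaultMode: 0400
```

In practice the Secret is usually created out of band with `kubectl create secret generic managed-certificate-sa-key --from-file=sa-key.json=<downloaded-key>.json` rather than committed in a manifest, and the `env`, `volumeMounts` and `volumes` sections are merged into the project's own controller manifest, which carries the remaining fields (RBAC, image, arguments). Keeping the role limited to the four `compute.sslCertificates.*` permissions listed above, rather than a broad Compute role, bounds what a leaked key could do.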
I could have sworn I got this to work by just following the readme, but trying a second time on a different cluster I had to follow these instructions
The README is now updated with instructions about setting permissions.
When describing the resource:
I also added the Compute Load Balance Admin permission to the GKE service account as described here: https://github.com/GoogleCloudPlatform/gke-managed-certs/issues/7, but am still getting that error.
I'm not really sure what I'm missing here.