Closed hanlins closed 5 years ago
Hi @hanlins,
It looks like you're trying to integrate the CFCR version of `kubo-deployment` with the PKS fork of `kubo-release`. As of this moment, that file (`kubernetes-ca.pem`) does not exist in `kubo-release`: https://github.com/cloudfoundry-incubator/kubo-release/tree/develop/jobs/kube-apiserver/templates/config
This fix was already made in the PKS fork of `kubo-deployment` here: https://github.com/pivotal-cf/pks-kubo-deployment/commit/4ad7e9c68dbe4880433a744ad96f9392022325b4
I'm in the process of bringing both of those changes into upstream CFCR as they help facilitate certificate rotation, but you should be careful about mixing the manifest and release from CFCR and the PKS fork.
Got it, thanks for the info.
What happened: In `/var/vcap/jobs/kube-apiserver/config/bpm.yml` we have `- "--client-ca-file=/var/vcap/jobs/kube-apiserver/config/kubernetes.pem"`, but `kubernetes.pem` is not even a CA.
What you expected to happen: Instead of using `kubernetes.pem`, we should use `kubernetes-ca.pem` instead. Manually tried and works.
How to reproduce it (as minimally and precisely as possible): This is PKS development related, simply deploy the latest dev-tile (matched with `p-pks-integration`'s `master` branch) with `nsx-t`, it will fail when creating cluster, with job `nsx_kube_proxy`.
Anything else we need to know?: Just fix this line: https://github.com/cloudfoundry-incubator/kubo-deployment/blob/master/manifests/cfcr.yml#L215, change it from `kubernetes.pem` to `kubernetes-ca.pem`
Environment:
(`bosh -d <deployment> deployment`):
(`bosh -e <environment> environment`):
(`kubectl version`):
(`aws`, `gcp`, `vsphere`): vsphere
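One way to confirm what the report describes, as an added example that is not part of the issue thread or of kubo-deployment: the script reads the `--client-ca-file` path out of a `bpm.yml` and checks that the referenced certificate carries `basicConstraints CA:TRUE`. The certificates and the temporary root are constructed test data, `make_sample_cert` and the root-prefix argument are hypothetical helpers, and `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example; everything under $root is constructed test data.
# Print the path passed to --client-ca-file in a bpm.yml-style args list.
client_ca_path() {
    sed -n 's/.*--client-ca-file=\([^" ]*\).*/\1/p' "$1" | head -n 1
}

# Succeed only if the certificate in $1 carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Check the file bpm.yml ($1) points at; $2 is an optional root prefix
# (assumption) so the check can run on a copy of the job directory.
check_client_ca() {
    path=$(client_ca_path "$1")
    [ -n "$path" ] || { echo "no --client-ca-file in $1"; return 2; }
    if is_ca_cert "$2$path"; then
        echo "OK: $path is a CA certificate"
    else
        echo "FAIL: $path is not a CA certificate"; return 1
    fi
}

# Hypothetical helper: constructed self-signed cert at $1 (CN=$2, CA:$3).
make_sample_cert() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = $2
[ext]
basicConstraints = critical,CA:$3
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo: rebuild the layout from the issue under a temporary root.
root=$(mktemp -d)
cfg="$root/var/vcap/jobs/kube-apiserver/config"
mkdir -p "$cfg"
make_sample_cert "$cfg/kubernetes.pem" constructed-apiserver FALSE
make_sample_cert "$cfg/kubernetes-ca.pem" constructed-ca TRUE
printf '%s\n' '- "--client-ca-file=/var/vcap/jobs/kube-apiserver/config/kubernetes.pem"' > "$cfg/bpm.yml"
check_client_ca "$cfg/bpm.yml" "$root" || true
```

On a deployed VM, call `check_client_ca /var/vcap/jobs/kube-apiserver/config/bpm.yml` with no second argument to test the live files.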