kubernetes-up-and-running / kuard

Demo app for Kubernetes Up and Running book
Apache License 2.0

Could not find certificates to serve TLS #29

Open falseneutral opened 4 years ago

falseneutral commented 4 years ago

Started the container (docker run --rm -p 8080:8000 kuart) and got the following output

2019/10/18 16:28:50 Starting kuard version: test
2019/10/18 16:28:50 **********************************************************************
2019/10/18 16:28:50 * WARNING: This server may expose sensitive
2019/10/18 16:28:50 * and secret information. Be careful.
2019/10/18 16:28:50 **********************************************************************
2019/10/18 16:28:50 Config:
{
  "address": ":8080",
  "debug": false,
  "debug-sitedata-dir": "./sitedata",
  "keygen": {
    "enable": false,
    "exit-code": 0,
    "exit-on-complete": false,
    "memq-queue": "",
    "memq-server": "",
    "num-to-gen": 0,
    "time-to-run": 0
  },
  "liveness": {
    "fail-next": 0
  },
  "readiness": {
    "fail-next": 0
  },
  "tls-address": ":8443",
  "tls-dir": "/tls"
}
2019/10/18 16:28:50 Could not find certificates to serve TLS
2019/10/18 16:28:50 Serving on HTTP on :8080

Any ideas what needs to be in place for this to work?

cmoulliard commented 4 years ago

Do we have to mount the TLS cert/key using a secret?

alex1989hu commented 2 years ago

As of now (image: sha256:1ecc9fb2c871302fdb57a25e0c076311b7b352b0a9246d442940ca8fb4efe229), you need to mount the certificate key pair here: /tls/kuard.crt and /tls/kuard.key

Directory: https://github.com/kubernetes-up-and-running/kuard/blob/a27b6968777a865cea3af83713795b634c38858b/pkg/app/config.go#L53

Filenames: https://github.com/kubernetes-up-and-running/kuard/blob/a27b6968777a865cea3af83713795b634c38858b/pkg/app/app.go#L140-L141

In Kubernetes I did the following - I use cert-manager for kind: Certificate:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: kuard
  name: kuard
  namespace: foobar
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kuard
  template:
    metadata:
      labels:
        app: kuard
    spec:
      containers:
      - image: nexus-docker.cntr.swsnet.ch/kuar-demo/kuard-amd64:blue
        name: kuard-amd64
        ports:
        - containerPort: 8080
          name: http
          protocol: TCP
        - containerPort: 8443
          name: https
          protocol: TCP
        volumeMounts:
        - name: certificates
          mountPath: /tls
          readOnly: true
      volumes:
      - name: certificates
        secret:
          secretName: kuard-certificate
          items:
          - key: tls.crt
            path: kuard.crt
          - key: tls.key
            path: kuard.key
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kuard-certificate
  namespace: foobar
spec:
  secretName: kuard-certificate
  commonName: kuard
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
    size: 384
  usages:
    - digital signature
    - key encipherment
    - server auth
  dnsNames:
    - localhost
    - kuard
    - kuard.foobar
    - kuard.foobar.svc
    - kuard.foobar.svc.cluster.local
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
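
A preflight check for the mounted directory, as an added example that is not part of the thread or of kuard's own code: it confirms that kuard.crt and kuard.key are present, that the key matches the certificate, and that the certificate covers the name clients will use. It assumes only the file names given in the answer above; `CheckTLSDir` and `WriteSelfSigned` are hypothetical helper names, and the sample pair is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// CheckTLSDir reports why dir would not give a TLS server a usable kuard.crt/kuard.key for host.
func CheckTLSDir(dir, host string) error {
	pair, err := tls.LoadX509KeyPair(filepath.Join(dir, "kuard.crt"), filepath.Join(dir, "kuard.key"))
	if err != nil {
		return fmt.Errorf("load pair: %w", err) // missing file, bad PEM, or key not matching the cert
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	return leaf.VerifyHostname(host) // host must be covered by the certificate's dnsNames
}

// WriteSelfSigned writes a constructed sample pair (Ed25519 for brevity; the check is key-type agnostic).
func WriteSelfSigned(dir string, dnsNames []string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: dnsNames, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, certErr := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	keyDER, keyErr := x509.MarshalPKCS8PrivateKey(priv)
	if err := errors.Join(certErr, keyErr); err != nil {
		return err
	}
	return errors.Join(
		os.WriteFile(filepath.Join(dir, "kuard.crt"), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644),
		os.WriteFile(filepath.Join(dir, "kuard.key"), pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600))
}

func main() {
	dir, _ := os.MkdirTemp("", "kuard-tls")
	fmt.Println(WriteSelfSigned(dir, []string{"kuard"}), "|", CheckTLSDir(dir, "kuard.foobar.svc"))
}
```

The demo in `main` deliberately issues the sample certificate for `kuard` only and then checks it against `kuard.foobar.svc`, so the second value printed is the hostname error a client would hit if that name were missing from `dnsNames`.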