ployst / docker-nginx-ssl-proxy

http://blog.ployst.com/development/2015/12/22/letsencrypt-on-kubernetes.html
Apache License 2.0

Broken json on deployment #7

Closed odravison closed 7 years ago

odravison commented 7 years ago

Can you post or send a service and replicationController example of your nginx and letsencrypt?

I'm getting this error message:

unable to decode "./nginx-ssl-proxy-deployment.yml": [pos 128]: json: expect char '"' but got char '{'

These are my RC and SVC .yml files for my nginx and letsencrypt:

kind: Service
apiVersion: v1
metadata:
  name: letsencrypt-service
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
  selector:
    name: letsencrypt
    role: cert-app

---

kind: ReplicationController
apiVersion: v1
metadata:
  name: letsencrypt-rc
  labels:
    name: letsencrypt
    role: cert-app
spec:
  replicas: 1
  selector:
    name: letsencrypt
    role: cert-app
  template:
    metadata:
      name: letsencrypt-rc
      labels:
        name: letsencrypt
        role: cert-app
    spec:
      containers:
      - name: letsencrypt
        image: ployst/letsencrypt:0.0.3
        env:
        - name: EMAIL
          value: odravison@lavid.ufpb.br
        - name: DOMAINS
          value: [MY DOMAIN, FOR NOW, IT'S MY EXTERNAL IP. WORKS?]
        - name: RC_NAMES
          value: nginx-ssl-proxy-api
        ports:
        - name: ssl-proxy-http
          containerPort: 80
kind: Service
apiVersion: v1
metadata:
  name: nginx-ssl-proxy-service
spec:
  ports:
  - name: https
    port: 443
    targetPort: ssl-proxy-https
    protocol: TCP
  - name: http
    port: 80
    targetPort: ssl-proxy-http
    protocol: TCP
  selector:
    name: nginx-ssl-proxy-api
    role: ssl-proxy
  type: LoadBalancer
  externalIPs: [xxx.xxx.xxx.xxx]

----

kind: ReplicationController
apiVersion: v1
metadata:
  name: nginx-ssl-proxy-api
  labels:
    name: nginx-ssl-proxy-api
    role: ssl-proxy
    spec:
      containers:
      - name: nginx-ssl-proxy-api
        image: ployst/nginx-ssl-proxy:0.0.3
        env:
        - name: CERT_SERVICE_HOST_ENV_NAME
          value: LETSENCRYPT_SERVICE_SERVICE_HOST
        - name: CERT_SERVICE_PORT_ENV_NAME
          value: LETSENCRYPT_SERVICE_SERVICE_PORT

deployment-files.zip

alexcouper commented 7 years ago
  1. If you're using kubernetes version that supports deployments, you may want to consider moving to using them, and you can then use the latest versions of letsencrypt container which support a DEPLOYMENTS env var (rather than the RC one)
  2. Your nginx-ssl-proxy is expected to have a target for non-cert-requests to be forwarded to (as in the actual service you're wanting to have secured with https)

    - name: SERVICE_HOST_ENV_NAME
      value: PLOYST_API_SERVICE_SERVICE_HOST
    - name: SERVICE_PORT_ENV_NAME
      value: PLOYST_API_SERVICE_SERVICE_PORT
  3. I think targetPort should be an actual port number. At least for me it is. (80 goes to 80, 443 to 443)
  4. Finally, your error. The yaml file is converted into JSON and then loaded. I'm not sure what the line is causing your problem, but I would try removing some of the more suspect ones and see what happens. E.g. externalIPs. Also, split the files up and try to create the service only and then the RC. Which one fails?

odravison commented 7 years ago

Awesome observations. I'll try it soon and will post the result here. Good point about dividing the files to see which one fails. ;) Thanks for the help. Thanks a lot!

odravison commented 7 years ago

Hello, I'm sorry about the wait.

The json error message persists on the nginx ReplicationController.

I'm not using deployments. As I'm still learning Kubernetes, that's for another day.

Here is the nginx-rc.yml:

kind: ReplicationController
apiVersion: v1
metadata:
  name: nginx-ssl-proxy-api
  labels:
    name: nginx-ssl-proxy-api
    role: ssl-proxy
    spec:
      containers:
      - name: nginx-ssl-proxy-api
        image: ployst/nginx-ssl-proxy:0.0.3
        env:
        - name: SERVICE_HOST_ENV_NAME
          value: MEUOLHAR_BACKEND_SERVICE_HOST
        - name: SERVICE_PORT_ENV_NAME
          value: MEUOLHAR_BACKEND_SERVICE_PORT
        - name: CERT_SERVICE_HOST_ENV_NAME
          value: LETSENCRYPT_SERVICE_SERVICE_HOST
        - name: CERT_SERVICE_PORT_ENV_NAME
          value: LETSENCRYPT_SERVICE_SERVICE_PORT
        ports:
        -
          name: ssl-proxy-http
          containerPort: 80
        -
          name: ssl-proxy-https
          containerPort: 443

alexcouper commented 7 years ago

The structure appears to be wrong. (see here for an example)

This works:

kind: ReplicationController
apiVersion: v1
metadata:
  name: nginx-ssl-proxy-api-rc
  labels:
    name: nginx-ssl-proxy-rc
    role: ssl-proxy
spec:
  replicas: 1
  selector:
    app: nginx-ssl-proxy
    mode: blahdeblah
  template:
    metadata:
       labels:
           app: nginx-ssl-proxy
           mode: blahdeblah
    spec:
        containers:
        - name: nginx-ssl-proxy-api
          image: ployst/nginx-ssl-proxy:0.0.5
          env:
          - name: SERVICE_HOST_ENV_NAME
            value: MEUOLHAR_BACKEND_SERVICE_HOST
          - name: SERVICE_PORT_ENV_NAME
            value: MEUOLHAR_BACKEND_SERVICE_PORT
          - name: CERT_SERVICE_HOST_ENV_NAME
            value: LETSENCRYPT_SERVICE_SERVICE_HOST
          - name: CERT_SERVICE_PORT_ENV_NAME
            value: LETSENCRYPT_SERVICE_SERVICE_PORT
          ports:
          - name: ssl-proxy-http
            containerPort: 80
          - name: ssl-proxy-https
            containerPort: 443

(note that 0.0.3 is not available on hub.docker.com, so I've altered the config for you to 0.0.5)

odravison commented 7 years ago

Hello, Alex.

I'm sorry for any disturbance, but I'm very, very confused by this configuration. Look, I have tried many ways to do that, unfortunately unsuccessfully.

I'm trying to do this now:

kind: ReplicationController
apiVersion: v1
metadata:
  name: nginx-ssl-proxy-api-rc
  labels:
    name: nginx-ssl-proxy-rc
    role: ssl-proxy
spec:
  replicas: 1
  selector:
    app: nginx-ssl-proxy
    mode: prod
  template:
    metadata:
       labels:
           app: nginx-ssl-proxy
           mode: prod
    spec:
        containers:
        - name: nginx-ssl-proxy-api
          image: ployst/nginx-ssl-proxy:0.0.5
          env:
          - name: SERVICE_HOST_ENV_NAME
            value: "XXX.XXX.XXX.XXX"
          - name: SERVICE_PORT_ENV_NAME
            value: "8080"
          - name: CERT_SERVICE_HOST_ENV_NAME
            value: LETSENCRYPT_SERVICE_SERVICE_HOST
          - name: CERT_SERVICE_PORT_ENV_NAME
            value: LETSENCRYPT_SERVICE_SERVICE_PORT
          ports:
          - name: ssl-proxy-http
            containerPort: 80
          - name: ssl-proxy-https
            containerPort: 443

And I'm receiving this:

2016/09/09 14:32:36 [emerg] 11#11: invalid port in upstream ":" in /etc/nginx/conf.d/proxy.conf:2 nginx: [emerg] invalid port in upstream ":" in /etc/nginx/conf.d/proxy.conf:2

I think that's an error when your script concatenates the SERVICE_PORT_ENV_NAME inside proxy.conf.

alexcouper commented 7 years ago

          - name: SERVICE_HOST_ENV_NAME
            value: "XXX.XXX.XXX.XXX"
          - name: SERVICE_PORT_ENV_NAME
            value: "8080"

These values are wrong. If you want to go for that approach (of hardcoding ip and ports), use TARGET_SERVICE. If not, then these should be the names of environment variables available at runtime to the pod (they are provided by kubernetes. Each service has a port and host env var exposed).
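How the indirection Alex describes can be resolved without producing the "invalid port in upstream ':'" failure from the previous comment, as an added example in POSIX shell. This is not the ployst/nginx-ssl-proxy entrypoint: the function names, the assumption that TARGET_SERVICE holds a literal "host:port", and the layout of the written upstream block are all assumptions made here. When a *_ENV_NAME value is an IP literal or a bare number rather than a variable name, indirect expansion yields empty strings and nginx is handed `server :;`; the checks below report that before any config is written.

```shell
#!/bin/sh
# Added example, not the ployst/nginx-ssl-proxy entrypoint. It resolves the
# backend the way the thread describes: SERVICE_HOST_ENV_NAME and
# SERVICE_PORT_ENV_NAME carry the *names* of the host/port variables that
# Kubernetes injects for a Service, while TARGET_SERVICE (assumed here to be
# a literal "host:port") hardcodes the backend. Each failure is reported
# before nginx ever sees an upstream line like "server :;".

# is_var_name NAME: true when NAME is a legal shell variable name.
is_var_name() {
    case "$1" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# resolve_backend: print "host:port" on stdout, or a diagnostic on stderr
# and return 1.
resolve_backend() {
    if [ -n "${TARGET_SERVICE:-}" ]; then
        printf '%s\n' "$TARGET_SERVICE"
        return 0
    fi
    host_var="${SERVICE_HOST_ENV_NAME:-}"
    port_var="${SERVICE_PORT_ENV_NAME:-}"
    if [ -z "$host_var" ] || [ -z "$port_var" ]; then
        echo "resolve_backend: set TARGET_SERVICE, or both SERVICE_HOST_ENV_NAME and SERVICE_PORT_ENV_NAME" >&2
        return 1
    fi
    # An IP literal or a bare number here is the mistake from the thread:
    # it is not a variable name, so indirection would expand to "".
    if ! is_var_name "$host_var" || ! is_var_name "$port_var"; then
        echo "resolve_backend: '$host_var' / '$port_var' are not variable names; use TARGET_SERVICE for literal values" >&2
        return 1
    fi
    # Indirect expansion; safe because both names were validated above.
    eval "host=\${$host_var:-}"
    eval "port=\${$port_var:-}"
    if [ -z "$host" ] || [ -z "$port" ]; then
        echo "resolve_backend: \$$host_var or \$$port_var is empty in this pod (Service missing, in another namespace, or created after the pod?)" >&2
        return 1
    fi
    case "$port" in
        *[!0-9]*) echo "resolve_backend: port '$port' is not numeric" >&2; return 1 ;;
    esac
    printf '%s:%s\n' "$host" "$port"
}

# render_proxy_conf FILE: write the upstream block, or leave FILE untouched
# and return 1 when the backend cannot be resolved.
render_proxy_conf() {
    backend=$(resolve_backend) || return 1
    printf 'upstream backend {\n    server %s;\n}\n' "$backend" > "$1"
}
```

Inside the container this would be called as `render_proxy_conf /etc/nginx/conf.d/proxy.conf || exit 1` before nginx starts, so a misconfigured pod fails at the rendering step with a message naming the missing variable instead of crash-looping on the nginx error.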

odravison commented 7 years ago

All right, I got your point.

I'll test and post the result here. Thanks.

odravison commented 7 years ago

Hello, Alex.

After a whole day, it finally works. But there is a little detail. How do you run kubectl commands when the cluster is only accessible by a key? Does your solution anticipate this and is it designed to do that? If not, I'll figure out this problem and contribute to your solution. Can I? Of course, this will be committed to the let's encrypt repository.

Thanks in advance.

alexcouper commented 7 years ago

@Odravison surprisingly pods seem to be able to run kubectl commands by default.

If you run the following you can see what is going on:

kubectl get pods
kubectl exec -it <lets-encrypt-pod-name> /bin/bash

Now take a look at the crontab that is set up as part of pod bootstrapping:

sudo crontab -l

And try running that command. It should look something like this:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin KUBERNETES_PORT=tcp://10.87.240.1:443 KUBERNETES_PORT_443_TCP_PORT=443 KUBERNETES_SERVICE_PORT=443 KUBERNETES_SERVICE_HOST=10.87.240.1 KUBERNETES_PORT_443_TCP_PROTO=tcp KUBERNETES_PORT_443_TCP_ADDR=10.87.240.1 KUBERNETES_PORT_443_TCP=tcp://10.87.240.1:443 SECRET_NAME=<your-secret-name> NAMESPACE=default DEPLOYMENTS='<deployment_names>' DOMAINS='<domains_you_are_registering>' EMAIL=<email_address> /bin/bash /letsencrypt/refresh_certs.sh

You can also just run kubectl get pods from within the letsencrypt pod to see things have worked.
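What "pods seem to be able to run kubectl by default" rests on, as an added example in POSIX shell (not part of ployst/letsencrypt): with no kubeconfig, kubectl falls back to the service-account token that Kubernetes mounts at /var/run/secrets/kubernetes.io/serviceaccount together with the KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT variables visible in the crontab above. The function names and the optional directory argument, used so the check can be exercised against any path, are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of ployst/letsencrypt. Preflight check to run
# inside the letsencrypt pod before trusting the cron job: kubectl's
# in-cluster fallback needs the KUBERNETES_SERVICE_HOST/PORT variables
# plus the projected service-account files. The directory argument is
# an assumption that lets the check be pointed at any path.
SA_DIR_DEFAULT=/var/run/secrets/kubernetes.io/serviceaccount

# in_cluster_ready [SA_DIR]: return 0 when every piece is present;
# otherwise name each missing piece on stderr and return 1.
in_cluster_ready() {
    sa_dir="${1:-$SA_DIR_DEFAULT}"
    missing=0
    for v in KUBERNETES_SERVICE_HOST KUBERNETES_SERVICE_PORT; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "in_cluster_ready: \$$v is unset; this is not running inside a pod" >&2
            missing=1
        fi
    done
    for f in token ca.crt namespace; do
        if [ ! -s "$sa_dir/$f" ]; then
            echo "in_cluster_ready: $sa_dir/$f is missing or empty; is automountServiceAccountToken disabled?" >&2
            missing=1
        fi
    done
    return $missing
}

# pod_namespace [SA_DIR]: the namespace the API server projected into the
# pod, a sensible default for the job's NAMESPACE variable.
pod_namespace() {
    sa_dir="${1:-$SA_DIR_DEFAULT}"
    cat "$sa_dir/namespace"
}

# Usage inside the pod, mirroring the thread's check:
#   in_cluster_ready && kubectl get pods --namespace "$(pod_namespace)"
```

On clusters where RBAC is enabled, a passing check only proves that credentials are present, not that they are sufficient; `kubectl auth can-i create secrets --namespace "$(pod_namespace)"` answers whether the pod's service account may actually write the certificate Secret that refresh_certs.sh produces.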

odravison commented 7 years ago

Hello, @alexcouper .

This didn't work. The reason is that I'm using a key pair to send commands to my Kubernetes API. I got it: I ran kubectl inside the letsencrypt pod with my key in a secret. This is more of a feature that could be added to this solution. Can I contribute to you by making this addition?

Changing the subject: when I don't set the 'secret_name' env, the pod creates a secret with a name without the 'namespace' env, but when I set it, the pod uses the 'namespace' env, which is 'default' by default... like "default-{domain}". Why is that?

Thanks.

alexcouper commented 7 years ago

@Odravison feel free to contribute if you're using some other pair key setup.

Re: secret name. not sure. save_certs should fail when you don't set the SECRET_NAME env var.