kubernetes SSL sample not working #47

Open
hemanth7787 opened this issue May 25, 2018 · 3 comments
hemanth7787 commented May 25, 2018

Followed the instructions from this README:
https://github.com/GoogleCloudPlatform/endpoints-samples/tree/master/k8s/dns-ssl-kube-lego

CLUSTER_NAME=endpoints-dns-sample
CLUSTER_ZONE="us-west1-a"
gcloud services enable container.googleapis.com
gcloud container clusters create ${CLUSTER_NAME} --zone=${CLUSTER_ZONE} --num-nodes=3
gcloud container clusters get-credentials ${CLUSTER_NAME} --zone=${CLUSTER_ZONE}
git clone https://github.com/GoogleCloudPlatform/endpoints-samples.git
cd endpoints-samples/k8s/dns-ssl-kube-lego
deploy.sh

Enter your email address (for Let's Encrypt to send certificate expiration notifications): name@comany.com
Deploying KubeLego in the kube-lego namespace
namespace "kube-lego" created
configmap "kube-lego" created
deployment "kube-lego" created
Enter the project ID: my-project-name
Deploying Kubernetes Ingress
namespace "echo" created
ingress "echo-ingress" created
Waiting for Ingress public IP address...
NAME HOSTS ADDRESS PORTS AGE
echo-ingress echo.endpoints.my-project-name.cloud.goog 80, 443 1s
NAME HOSTS ADDRESS PORTS AGE
echo-ingress echo.endpoints.my-project-name.cloud.goog 80, 443 8s
NAME HOSTS ADDRESS PORTS AGE
echo-ingress echo.endpoints.my-project-name.cloud.goog 80, 443 15s
NAME HOSTS ADDRESS PORTS AGE
echo-ingress echo.endpoints.my-project-name.cloud.goog 80, 443 22s
NAME HOSTS ADDRESS PORTS AGE
echo-ingress echo.endpoints.my-project-name.cloud.goog 80, 443 29s
NAME HOSTS ADDRESS PORTS AGE
echo-ingress echo.endpoints.my-project-name.cloud.goog 80, 443 36s
NAME HOSTS ADDRESS PORTS AGE
echo-ingress echo.endpoints.my-project-name.cloud.goog 80, 443 43s
NAME HOSTS ADDRESS PORTS AGE
echo-ingress echo.endpoints.my-project-name.cloud.goog 35.227.214.24 80, 443 49s
Ingress IP address : 35.227.214.24
Deploying Endpoints service configuration
Waiting for async operation operations/serviceConfigs.echo.endpoints.my-project-name.cloud.goog:381266e9-c515-44f1-9019-dfa6f9c834c5 to complete...
Operation finished successfully. The following command can describe the Operation details:
gcloud endpoints operations describe operations/serviceConfigs.echo.endpoints.my-project-name.cloud.goog:381266e9-c515-44f1-9019-dfa6f9c834c5
Waiting for async operation operations/rollouts.echo.endpoints.my-project-name.cloud.goog:961f109c-11e5-47e5-b347-40b68b6af17c to complete...
Operation finished successfully. The following command can describe the Operation details:
gcloud endpoints operations describe operations/rollouts.echo.endpoints.my-project-name.cloud.goog:961f109c-11e5-47e5-b347-40b68b6af17c
Service Configuration [2018-05-25r4] uploaded for service [echo.endpoints.my-project-name.cloud.goog]
To manage your API, go to: https://console.cloud.google.com/endpoints/api/echo.endpoints.my-project-name.cloud.goog/overview?project=my-project-name
Deploying the echo backend
service "echo-service" created
deployment "echo-backend" created
In a few minutes, https://echo.endpoints.my-project-name.cloud.goog should be provisioned with a Let's Encrypt certificate

Waited for 30 mins

The HTTP endpoint is working but HTTPS is not

dig echo.endpoints.${PROJECT_ID}.cloud.goog

;; ANSWER SECTION:
echo.endpoints.my-project-name.cloud.goog. 59 IN A xxx.yyy.zzz.aaa

curl http://echo.endpoints.${PROJECT_ID}.cloud.goog/.well-known/acme-challenge/_selftest

{
"code": 5,
"message": "Method does not exist.",
"details": [
{
"@type": "type.googleapis.com/google.rpc.DebugInfo",
"stackEntries": [],
"detail": "service_control"
}
]
}

kubectl --namespace=echo get secret echo-tls

Error from server (NotFound): secrets "echo-tls" not found

kubectl logs kube-lego-7dcvc89cb5-fbm5k --namespace kube-lego

E0525 16:56:28.842756 1 reflector.go:201] github.com/jetstack/kube-lego/pkg/kubelego/watch.go:112: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:kube-lego:default" cannot list ingresses.extensions at the cluster scope: Unknown user "system:serviceaccount:kube-lego:default"

@hemanth7787
Author

It seems the problem is related to service account creation
jetstack/kube-lego#290

See @michailbrynard's answer

hemanth7787 commented May 27, 2018

Solution:

gcloud info | grep Account

myname@mycompany.com

kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin --user=myname@mycompany.com

After that, follow this tutorial:
https://github.com/jetstack/kube-lego/blob/master/examples/gce/README.md

djaax commented Jul 8, 2019

This should work too if you're logged in:

kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole cluster-admin \
  --user $(gcloud config get-value account)
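
The denial in the kube-lego log above names the pod's service account (`system:serviceaccount:kube-lego:default`), not the user who ran `deploy.sh`. As an added example (not from this issue or from kube-lego), the script below parses that log line and prints `kubectl` commands that grant only the denied verb to that service account rather than `cluster-admin`; the role and binding names are hypothetical, and it covers only the one denial visible in the log.

```sh
#!/bin/sh
# Added example. SAMPLE_LOG is the forbidden error from the kube-lego log
# quoted in this issue, joined onto one line.
SAMPLE_LOG='E0525 16:56:28.842756 1 reflector.go:201] github.com/jetstack/kube-lego/pkg/kubelego/watch.go:112: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:kube-lego:default" cannot list ingresses.extensions at the cluster scope: Unknown user "system:serviceaccount:kube-lego:default"'

# Print "namespace serviceaccount verb resource" for a cluster-scope RBAC
# denial of a service account; print nothing for any other line.
parse_forbidden() {
  printf '%s\n' "$1" | sed -n \
    's/.*User "system:serviceaccount:\([^:"]*\):\([^"]*\)" cannot \([a-z]*\) \([a-z.]*\) at the cluster scope.*/\1 \2 \3 \4/p'
}

# Print (not run) the kubectl commands that grant exactly the denied verb to
# the denied service account, followed by a command that verifies the result.
suggest_binding() {
  set -- $(parse_forbidden "$1")   # split into: namespace, sa, verb, resource
  [ "$#" -eq 4 ] || return 1       # not an RBAC denial this parser understands
  role="$1-$2-$3"                  # hypothetical name, e.g. kube-lego-default-list
  echo "kubectl create clusterrole $role --verb=$3 --resource=$4"
  echo "kubectl create clusterrolebinding $role --clusterrole=$role --serviceaccount=$1:$2"
  echo "kubectl auth can-i $3 $4 --all-namespaces --as=system:serviceaccount:$1:$2"
}

suggest_binding "$SAMPLE_LOG"
```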
