Cannot run Tiller - ca.crt: no such file or directory #2360

Closed
chilicat opened this Issue Apr 30, 2017 · 7 comments

chilicat commented Apr 30, 2017

Cannot get tiller working. It requires a certificate. I can run the dashboard without issues (I think it uses the provided token in /var/run/secrets/kubernetes.io/serviceaccount).

I also tried to init helm with the tls options (--tiller-tls, --tiller-tls-cert, --tiller-tls-key, --tls-ca-cert) using the same files as apiserver.

E0430 23:22:51.427709       1 config.go:322] Expected to load root CA config from /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, but got err: open /var/run/secrets/kubernetes.io/serviceaccount/ca.crt: no such file or directory
Cannot initialize Kubernetes connection: Get https://172.18.0.1:443/api: x509: failed to load system roots and no roots provided
kubectl --version
Kubernetes v1.5.2

helm version
Client: &version.Version{SemVer:"v2.3.1", GitCommit:"32562a3040bb5ca690339b9840b6f60f8ce25da4", GitTreeState:"clean"}

Member

michelleN commented May 3, 2017

@fibonacci1729 would you mind looking into this if you have a minute? It might be up your alley.

@chilicat 1. I love your username. 2. Where are you running kubernetes? minikube? gke? azure? aws? just curious.

chilicat commented May 3, 2017

@michelleN thank you. Of course I run kubernetes on a self deployed vagrant box (3 nodes) with my own ansible scripts :)

Member

michelleN commented May 3, 2017

lol @chilicat
It looks like this might have gotten fixed in helm 2.3.2 with #2316. Would you mind checking to see if this works with helm 2.3.2? If not, I'm happy to look into it further.

chilicat commented May 8, 2017

Still - same issue.

helm version
Client: &version.Version{SemVer:"v2.4.1", GitCommit:"46d9ea82e2c925186e1fc620a8320ce1314cbb02", GitTreeState:"clean"}
Error: cannot connect to Tiller

Is it possible that tiller uses the token instead of the certificates?

Member

fibonacci1729 commented May 10, 2017

The helm init tls options are specifically to secure communication between the helm client and tiller server, so I don't think that's the issue here.

From what I can tell, the error you are seeing is because the Kubernetes client (in tiller) fails to talk to the k8s api surface over https because of a missing certificate. I'll take a closer look.

cloudecho commented Jun 4, 2017

I just met the same problem, and I have no idea how to solve this:

[root@k8s-master k8s]# kubectl version
Client Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.2", GitCommit:"a55267932d501b9fbd6d73e5ded47d79b5763ce5", GitTreeState:"clean", BuildDate:"2017-04-14T13:36:25Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.2", GitCommit:"a55267932d501b9fbd6d73e5ded47d79b5763ce5", GitTreeState:"clean", BuildDate:"2017-04-14T13:36:25Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}


[root@k8s-master k8s]# helm version
Client: &version.Version{SemVer:"v2.4.2", GitCommit:"82d8e9498d96535cc6787a6a9194a76161d29b4c", GitTreeState:"clean"}
Error: cannot connect to Tiller


[root@k8s-master k8s]# kubectl logs  tiller-deploy-3354596499-76zd2  --namespace=kube-system
E0604 12:50:21.791651       1 config.go:322] Expected to load root CA config from /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, but got err: open /var/run/secrets/kubernetes.io/serviceaccount/ca.crt: no such file or directory
E0604 12:50:21.793368       1 config.go:322] Expected to load root CA config from /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, but got err: open /var/run/secrets/kubernetes.io/serviceaccount/ca.crt: no such file or directory

Wish somebody can help me.

juselius commented Aug 21, 2017

Make sure that kube-controller-manager is started with --root-ca-file=/path/to/ca.crt.
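
An added diagnostic sketch, not part of the thread or of Helm or Kubernetes: kube-controller-manager only places ca.crt in service account token secrets when it is given a root CA with --root-ca-file, so the checks below look for the flag, the mounted files, and the error line quoted in this issue. The function names and the sample command line are assumptions made for the example.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical.

# Print the path passed to --root-ca-file in a kube-controller-manager command
# line ("--flag=value" or "--flag value"). Status 1 if absent or without value.
root_ca_flag() {
    set -f; set -- $1; set +f   # split into words without glob expansion
    while [ $# -gt 0 ]; do
        case $1 in
            --root-ca-file=*) ca_path=${1#--root-ca-file=} ;;
            --root-ca-file)
                case ${2:-} in
                    ''|-*) return 1 ;;   # flag given without a value
                    *) ca_path=$2 ;;
                esac ;;
            *) shift; continue ;;
        esac
        [ -n "$ca_path" ] && { printf '%s\n' "$ca_path"; return 0; }
        return 1
    done
    return 1
}

# Print the service account files that are missing or empty in directory $1
# (space separated). Status 0 only when ca.crt, namespace and token all exist.
missing_sa_files() {
    missing=
    for f in ca.crt namespace token; do
        [ -s "$1/$f" ] || missing="${missing:+$missing }$f"
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Succeed when the log text on stdin contains the error quoted in this
# issue: the in-cluster root CA file could not be opened.
log_reports_missing_ca() {
    grep -q 'Expected to load root CA config from .*/ca\.crt.*no such file or directory'
}

# Constructed sample command line (not taken from a real cluster).
demo_cmd='kube-controller-manager --master=http://127.0.0.1:8080 --service-account-private-key-file=/etc/kubernetes/sa.key'
if ca=$(root_ca_flag "$demo_cmd"); then
    echo "root CA published from $ca"
else
    echo "--root-ca-file not set: token secrets will lack ca.crt"
fi
```

On a real cluster, pass the controller manager's actual command line to `root_ca_flag`, run `missing_sa_files /var/run/secrets/kubernetes.io/serviceaccount` in a pod that has a shell, and pipe `kubectl logs` output for the Tiller pod into `log_reports_missing_ca`.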
