Upgraded influxDb from v1.8.10 to v2.3.0+SNAPSHOT.090f681737 with below command
(https://docs.influxdata.com/influxdb/v2.3/upgrade/v1-to-v2/automatic-upgrade/)
influxd upgrade --username='admin' --password='adminpass1234' --org='test' --bucket='testbucket' --force
Now trying to get or create token of influxdb with CLI commands to process with other command(like creating buckets, users and etc). To create new token I need to pass token which is only available in Influx Dashboard right now, I would like to pass username and password but only token is option (https://docs.influxdata.com/influxdb/v2.3/security/tokens/create-token/)
influx v1 auth create -username admin
I don't want to go to influxdb dashboard page and get token from there because my script should work automatically without depending any manual actions in UI. It's ansible script.
Don't know if there is a any option which can help to solve this problem.
Client config should be created during upgrade, you can list it, the output contains the token
influx config ls --json
I'm installing InfluxDB2 on a Kubernetes cluster (AWS EKS) and in the helm chart I specify an existing secret name "influxdb-auth" for admin user credentials. When I try to login to the web admin interface, it does not accept the password or token from that secret. If I don't specify an existing secret, it automatically creates a secret "influxdb2-auth" and I can retrieve and use the password successfully, but it will not use the existing secret. Also when I specify the existing secret "influxdb-auth" it does not create a secret "influxdb2-auth" so I can't retrieve the password it has generated. I have tried naming the existing secret "influxdb2-auth" but that also did not work. Any ideas on what the problem might be?
Section from values.yaml:
## Create default user through docker entrypoint
## Defaults indicated below
##
adminUser:
organization: "test"
bucket: "default"
user: "admin"
retention_policy: "0s"
## Leave empty to generate a random password and token.
## Or fill any of these values to use fixed values.
password: ""
token: ""
## The password and token are obtained from an existing secret. The expected
## keys are `admin-password` and `admin-token`.
## If set, the password and token values above are ignored.
existingSecret: influxdb-auth
To anyone here coming here from the future. Make sure you run:
echo $(kubectl get secret influxdb-influxdb2-auth -o "jsonpath={.data['admin-password']}" --namespace monitoring | base64 --decode)
after first installation. First time influxdb2 starts it will setup task, subsequent helm install/upgrade seem to save new password in the secret which isn't on the file system.
I had to delete content of PVC for influxdb and rerun installation.
I am trying to use an OCI Registry (ACR) to store my helm charts. I have found ways to push and pull my charts but I cannot login to the registry in an OCI native way.
At the moment I can log in via: az acr login --name myacr
I want to use helm registry login myacr.azurecr.io but this fails with
Error: Get https://myacr.azurecr.io/v2/: unauthorized: Application not registered with AAD.
What does this mean? Do I need to perform some setup between AAD and ACR?
Update
When I try to helm registry login with my user account (user name as name and password as password) from AAD I get the error above.
If I try to login with a service principal it works.
If I try to log in with the 00000000-0000-0000-0000-000000000000 account from this method, that also works.
I suspect there is something additional that needs to be done with user accounts but I am not sure what that is.
The issue you met is the problem with the authentication type. Here shows you all the available authentication methods, but it does not contain the user account. It means it does not support currently. And right now, the controllable authentication way is the service principal. You can only grant it with the appropriate permission.
Not really an answer but might want to follow https://github.com/Azure/azure-cli/issues/14467
Also commented, I've downgraded to helm v3.3.3 and proceeded to authenticate/add the ACR repo with the following command
az acr helm repo add --name <containerregistry>
I am trying to integrate CircleCi with gcloud Kubernetes engine.
I created a service account with Kubernetes Engine Developer and Storage Admin roles.
Created CircleCi yaml file and configured CI.
Part of my yaml file includes:
docker:
- image: google/cloud-sdk
environment:
- PROJECT_NAME: 'my-project'
- GOOGLE_PROJECT_ID: 'my-project-112233'
- GOOGLE_COMPUTE_ZONE: 'us-central1-a'
- GOOGLE_CLUSTER_NAME: 'my-project-bed'
steps:
- checkout
- run:
name: Setup Google Cloud SDK
command: |
apt-get install -qq -y gettext
echo $GCLOUD_SERVICE_KEY > ${HOME}/gcloud-service-key.json
gcloud auth activate-service-account --key-file=${HOME}/gcloud-service-key.json
gcloud --quiet config set project ${GOOGLE_PROJECT_ID}
gcloud --quiet config set compute/zone ${GOOGLE_COMPUTE_ZONE}
gcloud --quiet container clusters get-credentials ${GOOGLE_CLUSTER_NAME}
Everything runs perfectly except that the last command:
gcloud --quiet container clusters get-credentials ${GOOGLE_CLUSTER_NAME}
It keeps failing with the error:
ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Required "container.clusters.get" permission(s) for "projects/my-project-112233/zones/us-central1-a/clusters/my-project-bed". See https://cloud.google.com/kubernetes-engine/docs/troubleshooting#gke_service_account_deleted for more info.
I tried to give the ci account the role of project owner but I still got that error.
I tried to disable and re-enable the Kubernetes Service but it didn't help.
Any idea how to solve this? I am trying to solve it for 4 days...
This is an old thread, this is how this issue handled today in case using cloud build :
Granting Cloud Build access to GKE
To deploy the application in your Kubernetes cluster, Cloud Build needs the Kubernetes Engine Developer Identity and Access Management Role.
Get Project Number:
PROJECT_NUMBER="$(gcloud projects describe ${PROJECT_ID} --format='get(projectNumber)')"
Add IAM Policy bindings:
gcloud projects add-iam-policy-binding ${PROJECT_NUMBER} \
--member=serviceAccount:${PROJECT_NUMBER}#cloudbuild.gserviceaccount.com \
--role=roles/container.developer
More info can be found here.
I believe it's not the CI Service account but the k8s service account used to manage your GKE cluster, where its email should look like this (Somebody must have deleted it):
k8s-service-account#<project-id>.iam.gserviceaccount.com
You can re-create it an give it project owner permissions.
Step 1 : gcloud init
Step 2 : Select [2] Create a new configuration
Step 3 : Enter configuration name. Names start with a lower case letter and
contain only lower case letters a-z, digits 0-9, and hyphens '-': kubernetes-service-account
Step 4 : Choose the account you would like to use to perform operations for
this configuration:[2] Log in with a new account
Step 5 : Do you want to continue (Y/n)? y
Step 6 : Copy paste the link to brwoser and login with the ID which is used to create your google Cloud Account
Step 7 : Copy the verification code provided by google after login and paste it in to the console.
Step 8 : Pick cloud project to use:
Step 9: Do you want to configure a default Compute Region and Zone? (Y/n)? y
Step 10 : Please enter numeric choice or text value (must exactly match list item): 8
Your Google Cloud SDK is configured and ready to use!
The details of the above mentioned errors are explained in this help center article.
To add the Kubernetes Engine Service account (if you don't have it), please run the following command, in order to properly recreate the Kubernetes Service Account with the "Kubernetes Engine Service Agent" role,
gcloud services enable container.googleapis.com
In my case, these 2 steps solved my issue:
In the command,
gcloud container clusters get-credentials my-cluster-1 --zone=asia-south1-a --
project=thelab-240901
the --project should have the projectID value, not the project name
In the your travis account, go to your project repository -> more options -> settings -> Environment Variables. Now make sure you have only one set of encrypted_iv and encrypted_key environment variables as follows:
If you have encrypted different service accounts (json key files), this could add more than one set of encrypted_iv and encrypted_key environment variables. So, delete all those variables and freshly create the encrypted keys, may be by using travis encrypt-file --pro yourServiceAccountJSONFile.json --add
I had this problem using gcloud with my main owner account (!)
What fixed it was including --zone and --project params in the command to get the kubectl credentials.
I faced this issue with different scenarios, Listing it down below hope it will help someone.
1. If you did a fresh installation of google-cloud-sdk then you must login
with gcloud using the below command.
gcloud auth login
The above command will open ur browser and ask for login with your GCP account.
2. Sometimes provisioning is not reflected. Hence i revoke my provision and granted access (In this case my role is Owner) again. Then it worked.
I was getting the same error when trying to connect to my newly created cluster:
gcloud container clusters get-credentials <foo-cluster> --zone europe-central2-a --project <foo-project>
Fetching cluster endpoint and auth data.
ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Required "container.clusters.get" permission(s) for "projects/foo-project/zones/europe-central2-a/clusters/foo-cluster".
I tried a few things:
I enabled Kuberentes API - no success
I added a key to service account and loged in using downloaded key:
gcloud auth activate-service-account --key-file=<path-to-the-downloaded-json-file>/foo-project-xxxx.json
Activated service account credentials for: [xxxx-compute#developer.gserviceaccount.com]
I run:
gcloud components update
However, I had a problem retriving data, all kubectl command were giving TLS handshake timeout, for example: kubectl get namespace was giving an error:
Unable to connect to the server: net/http: TLS handshake timeout
This is when I tried again:
gcloud container clusters get-credentials <foo-cluster> --zone europe-central2-a --project <foo-project>
and it worked
Fetching cluster endpoint and auth data.
kubeconfig entry generated for foo-project.
I had a gcloud user authenticated and was running gsutils fine from the command line (Windows 8.1). But I needed to access gsutils from a python application so I followed the instructions here:
https://cloud.google.com/storage/docs/xml-api/gspythonlibrary#credentials
I got as far as creating a .boto file, but now not only does the my python code fail (boto.exception.NoAuthHandlerFound: No handler was ready to authenticate.). But I can't run bsutils from the command line any more. I get this error:
C:\>gsutil ls
You are attempting to access protected data with no configured
credentials. Please visit https://cloud.google.com/console#/project
and sign up for an account, and then run the "gcloud auth login"
command to configure gsutil to use these credentials.
I have run gcloud auth and it appears to work, I can query my users:
C:\>gcloud auth list
Credentialed Accounts:
- XXXserviceuser#XXXXX.iam.gserviceaccount.com ACTIVE
- myname#company.name
To set the active account, run:
$ gcloud config set account `ACCOUNT`
I have tried both with the account associated with my email active, and the new serveruser account (created following instructions above). Same "protected data with no configured credentials." error. I tried removing the .boto file, and adding the secret CLIENT_ID and CLIENT_SECRET to my .boto file.
Anyone any ideas what the issue could be?
So I think the latest documentation/examples showing how to use (and authenticate) Google Cloud storage via python is in this repo:
https://github.com/GoogleCloudPlatform/python-docs-samples/tree/master/storage/api
That just works for me without messing around with keys and service users.
Would be nice if there was a comment somewhere in the old gspythonlibrary docs pointing this out.