I want to connect to my Openshift Origin instance, but via Eclipse. I installed Codeready Studio in Eclipse and logged in to the Redhat Openshift extension for Eclipse. However, when I want to set up server adapters and start port forwarding, it shows the following error:
OpenShiftBinaryCapability process exited: error: specifying a root certificates file with the insecure flag is not allowed
*The location for OC is C:\CLI*
Try changing your ~/.kube/config so that it specifies a cluster with insecure-skip-tls-verify: true.
Use the following command to set --insecure-skip-tls-verify=true in the C:\Users\username.kube folder:
kubectl config set-cluster clustername --server=https://Openshift IP:8443 --insecure-skip-tls-verify=true
"insecure-skip-tls-verify" allows interaction with an HTTPS server bypassing the server certificate checks; however, note that it is not secure. If you try to oc login to a HTTPS server that does not provide a valid certificate, and this or the --certificate-authority flags were not provided
This worked for me.
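As an added example (not part of the original answer or of any OpenShift tooling): a kubeconfig audit that separates the state producing the error above, a CA entry together with insecure-skip-tls-verify, from the state in which the flag is set alone and the server certificate is not verified at all. The sample config, cluster names and addresses are constructed; the code assumes the JSON shape printed by `kubectl config view -o json`.

```python
import json

# Constructed sample, in the shape printed by `kubectl config view -o json`.
SAMPLE = json.loads("""
{"current-context": "lab",
 "clusters": [
  {"name": "origin-conflict", "cluster": {"server": "https://192.0.2.10:8443",
    "certificate-authority": "ca.crt", "insecure-skip-tls-verify": true}},
  {"name": "origin-insecure", "cluster": {"server": "https://192.0.2.10:8443",
    "insecure-skip-tls-verify": true}},
  {"name": "origin-pinned", "cluster": {"server": "https://192.0.2.10:8443",
    "certificate-authority-data": "DATA+OMITTED"}},
  {"name": "system-roots", "cluster": {"server": "https://api.example.test:6443"}}],
 "contexts": [
  {"name": "lab", "context": {"cluster": "origin-insecure", "user": "dev"}},
  {"name": "prod", "context": {"cluster": "origin-pinned", "user": "dev"}}]}
""")

CA_KEYS = ("certificate-authority", "certificate-authority-data")


def audit_clusters(config):
    """Map each cluster name to (TLS status, names of contexts that use it)."""
    used_by = {}
    for ctx in config.get("contexts") or []:
        used_by.setdefault(ctx["context"].get("cluster"), []).append(ctx["name"])
    report = {}
    for entry in config.get("clusters") or []:
        cluster = entry.get("cluster") or {}
        has_ca = any(cluster.get(key) for key in CA_KEYS)
        insecure = cluster.get("insecure-skip-tls-verify") is True
        if insecure and has_ca:
            status = "conflict"      # client exits with the error quoted above
        elif insecure:
            status = "unverified"    # server certificate is never checked
        elif has_ca:
            status = "custom-ca"     # verified against the configured CA
        else:
            status = "system-roots"  # verified against the OS trust store
        report[entry["name"]] = (status, used_by.get(entry["name"], []))
    return report


if __name__ == "__main__":
    current = SAMPLE.get("current-context")
    for name, (status, contexts) in audit_clusters(SAMPLE).items():
        flag = "  <- in use by current-context" if current in contexts else ""
        print(f"{name:16} {status:13} contexts={contexts}{flag}")
```

To run it against a real file, replace `SAMPLE` with `json.load(sys.stdin)` and pipe in the output of `kubectl config view -o json`.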
On my macOS I can use the commands below to launch the Kubernetes dashboard:
# launch k8s dashboard
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended.yaml
# Enable the local access proxy, listening on port 8001 by default
$ kubectl proxy
I have a question about this: why is there a $ kubectl proxy command?
When the dashboard is launched, does it not listen on a port by default? Why should there be a proxy?
This command allows the dashboard to call the Kubernetes API Server. It handles locating the API server and authenticating: see https://kubernetes.io/docs/using-kubectl-proxy
Without it, the dashboard will not be able to connect to the API Server since its endpoint is unknown (from the dashboard's perspective).
If you want to use the API Server endpoint directly, you will have to add an authentication token to each request and you will also have to configure CORS on the Kubernetes API Server. See option --cors-allowed-origins https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
I'm trying to create a local website using Docker Compose and Traefik. I was able to create the HTTPS domain, but the generated certificate is not valid, as you can see in the following image.
This is the configuration of my services
You can access the code here: https://gist.github.com/jdeg/6b9cd5283d71edf3304ab9d0a9cce75d
What is the correct way to create a valid certificate with Docker Compose and Traefik?
I am following the installation docs for the new IPI install of OpenShift 4.5 on vCenter and running into a snag when trying to connect to the vCenter. I am running the installer from a CentOS 7 box.
[root#lb ocp45_install_2]# openshift-install create install-config
[...]
INFO Connecting to vCenter [myvcenterhere]
FATAL failed to fetch Install Config: failed to fetch dependency of "Install Config": failed to fetch dependency of "Base Domain": failed to generate asset "Platform": unable to connect to vCenter [myvcenterhere]. Ensure provided information is correct and client certs have been added to system trust.: Post https://[myvcenterhere]/sdk: context deadline exceeded
I have added the root certs for my vcenter into /etc/pki/ca-trust/source/anchors/ per the documentation and I am able to reach it over 443 when using netcat. I also verified all login info was correct.
I have previously used this machine to do a UPI install of 4.3 in the same vCenter and did have success connecting. The vCenter uses a self-signed certificate.
Does anyone know if I need to include anything special to allow it to use the self-signed certificates when creating the install-config.yaml after adding the certs to the system trust?
You can try inserting that self-signed certificate into your nodes' trust store.
This can be done by editing your install-config.yaml, adding an additionalTrustBundle definition. The docs mention:
apiVersion: v1
baseDomain: my.domain.com
additionalTrustBundle: |
  -----BEGIN CERTIFICATE-----
  <MY_TRUSTED_CA_CERT>
  -----END CERTIFICATE-----
...
I am trying to access the Argo CD on my https://127.0.0.1:8080/ and got the following error message:
I forwarded the port as suggested on the https://argoproj.github.io/argo-cd/getting_started/ website:
kubectl port-forward svc/argocd-server -n argocd 8080:443
I also installed the Argo CD certificate, as you can see on the bottom:
When I try to access via Firefox, then it works:
Why does it not work with Chromium?
The certificate appears invalid (self-signed) in either browser. I believe by default Chrome blocks self-signed certificates against localhost "for users protection" https://support.google.com/chrome/thread/3321715?hl=en. Changing the setting chrome://flags/#allow-insecure-localhost should allow you to access the site on Chrome.
Firefox will show a warning, but does not block users from using an insecure site by default.
By default Argo (and most things) will create a self-signed HTTPS certificate. This makes setup easier, but since it's not signed by a trusted source, you get this error. You can either give Argo a real cert directly, or use something like the Ingress system to terminate TLS (or both). Check out cert-manager for issuing LetsEncrypt certs in Kubernetes.
Following: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#option-2-use-the-token-option
I want to be able to connect to project / cluster context to our GKE clusters.
Normally, one would use gcloud, and login with a browser, or with a password json file.
Is it possible to authenticate with just a service account token that you can feed into kubectl (without using gcloud)?
I cannot get the above documentation working; it doesn't seem to connect me to gcloud, as I get:
The connection to the server localhost:8080 was refused - did you specify the right host or port?
Never able to connect outside of a local context.
I'm wondering if this is even possible, to connect to GKE clusters using nothing but a service account token?