Posted to issues@openwhisk.apache.org by GitBox <gi...@apache.org> on 2021/11/03 17:25:51 UTC

[GitHub] [openwhisk-deploy-kube] paul42 opened a new issue #711: What is correct way to use self-signed certs in ow install?

paul42 opened a new issue #711:
URL: https://github.com/apache/openwhisk-deploy-kube/issues/711


   So far I've gotten ingress to work properly, creating a TLS secret in kubernetes and using that in the standard ingress, but how do I keep the `wsk` cli from having an issue with it?
   `wsk property get`  shows my local info and then has this error at the end:
   ```
   error: Unable to obtain API build information: Get "https://{working domain with tls}:30194/api/v1": x509: certificate signed by unknown authority
   ```
   I know over in the [wsk cli docs there is a section on client cert](https://github.com/apache/openwhisk/blob/master/docs/cli.md#configure-the-cli-to-use-client-certificate) but they don't mention where or how to edit the `openwhisk_client_ca_cert`. It doesn't appear to be a setting on the `wsk` cli, and searching the openwhisk codebase in github only reveals the documentation notes (searching this codebase in github reveals zero hits). Is there an easy way to use my certificate that I generated before (using an internal CA) so I don't have to pass `-i` to the cli?
   
   Thanks again, sorry for the deluge of questions!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@openwhisk.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [openwhisk-deploy-kube] paul42 commented on issue #711: What is correct way to use self-signed certs in ow install?

Posted by GitBox <gi...@apache.org>.
paul42 commented on issue #711:
URL: https://github.com/apache/openwhisk-deploy-kube/issues/711#issuecomment-966591560


   I'm doing more testing, but @style95 was able to help me in the openwhisk slack.
   Essentially you have to pass your `Chained Cert`, which is the leaf cert and all the previous certs leading back to the CA, to nginx:
   ```
   whisk:
     auth:
       guest: newlyGeneratedetc:etc
       system: newlyGeneratedetc:etc
     ingress:
       apiHostName: <Domain with cert>
       apiHostPort: 443
       apiHostProto: https
       type: Standard
       domain: <Domain with cert>
       annotations:
         kubernetes.io/ingress.class: nginx
       tls:
         secretname: ow-tls
         create: false
         enabled: true
   invoker:
     kubernetes:
       replicaCount: 2
     containerFactory:
       impl: "kubernetes"
   k8s:
     persistence:
       enabled: true
       hasDefaultStorageClass: false
       explicitStorageClass: openebs-hostpath
   nginx:
     httpsNodePort: 31002
     certificate:
       external: true
       cert_file: ".crt that is same as domain and contains certs leading back to CA"
       key_file: ".key that is same as domain"
   ```
   I'm still testing to see what the right helm values are, but I'm able to do a `wsk action list` without the cert warning





[GitHub] [openwhisk-deploy-kube] hawtkey commented on issue #711: What is correct way to use self-signed certs in ow install?

Posted by GitBox <gi...@apache.org>.
hawtkey commented on issue #711:
URL: https://github.com/apache/openwhisk-deploy-kube/issues/711#issuecomment-987666777


   I'm no k8s/Helm pro but FWIW: the Helm Nginx template `nginx-pod.yaml` does a volumeMount of a TLS-secret named `owdev-nginx` containing a generated base64-encoded self-signed certificate/key that nginx uses at `/etc/nginx/certs`. I generated the base64 versions of my own chained-cert/decoded-key using i.e. `cat my-chained-cert.crt | base64 -w 0` and used the outputs to replace the generated cert/key in the `owdev-nginx` secret using i.e. `kubectl edit secret owdev-nginx --namespace openwhisk`, and the API works fine with no errors. Here are [some other methods](https://stackoverflow.com/questions/45879498/how-can-i-update-a-secret-on-kubernetes-when-it-is-generated-from-a-file) for updating a secret.

