Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/11/01 08:53:42 UTC
[GitHub] [apisix-helm-chart] ajistyle opened a new issue #173: helm install apisix fails to connect to external etcd over https
ajistyle opened a new issue #173:
URL: https://github.com/apache/apisix-helm-chart/issues/173
1. How the external etcd is accessed over https
```
ETCDCTL_API=3 etcdctl \
--endpoints=http://192.168.2.202:2379 \
--cacert=/etc/kubernetes/ca/ca.pem \
--cert=/etc/kubernetes/ca/etcd/etcd.pem \
--key=/etc/kubernetes/ca/etcd/etcd-key.pem \
endpoint health
```
2. Create the secret
```
kubectl create secret tls etcd-ssl-s -n ops \
--cert=/etc/kubernetes/ca/etcd/etcd.pem \
--key=/etc/kubernetes/ca/etcd/etcd-key.pem \
--dry-run -o yaml > etcd-ssl-s.yaml
```
3. Install apisix with helm
```
helm install apisix apisix-072/ --namespace ops \
--set etcd.enabled=false \
--set etcd.host={https://192.168.2.202:2379} \
--set etcd.auth.tls.enabled=true \
--set etcd.auth.tls.existingSecret=etcd-ssl-s \
--set etcd.auth.tls.certFilename=etcd.pem \
--set etcd.auth.tls.certKeyFilename=etcd-key.pem
```
Error:
```
usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init
WARNING: using fixed Admin API token has security risk.
Please modify "admin_key" in conf/config.yaml .
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init_etcd
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (No such file or directory), retry time=1
request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (system lib)
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (system lib), retry time=2
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix-helm-chart] tokers commented on issue #173: helm install apisix fails to connect to external etcd over https
Posted by GitBox <gi...@apache.org>.
tokers commented on issue #173:
URL: https://github.com/apache/apisix-helm-chart/issues/173#issuecomment-964901888
> kubectl create secret tls etcd-ssl-s -n ops \
> --cert=/opt/zhuji/helm/apisix/cert/etcd.crt \
> --key=/opt/zhuji/helm/apisix/cert/etcd-key.key \
> --dry-run -o yaml > etcd-ssl-s.yaml
The key names of tls type secret will be "tls.crt", "tls.key", but you configured `etcd.crt` and `etcd-key.key`, so the mount won't succeed.
[GitHub] [apisix-helm-chart] tokers commented on issue #173: helm install apisix fails to connect to external etcd over https
Posted by GitBox <gi...@apache.org>.
tokers commented on issue #173:
URL: https://github.com/apache/apisix-helm-chart/issues/173#issuecomment-956070959
@ajistyle If you create a TLS type Kubernetes Secret object, the respective keys are "tls.crt" and "tls.key", so you should use the correct keys in settings `etcd.auth.tls.certFilename` and `etcd.auth.tls.certKeyFilename`.
What's more, you should also pass the CA certificate to APISIX, or it might reject the TLS handshaking since the certificate is not trusted (unless it's signed by a well-known CA).
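Added example, not part of the original thread or the chart's own code: a Python preflight for the two points in the reply above, run against the JSON that `kubectl get secret -o json` emits. It checks that the configured file names are real keys of the Secret (a mounted Secret exposes one file per key) and that a CA certificate is present; the Secret contents are constructed placeholders and `ca_filename` is a hypothetical parameter.

```python
import base64
import json


def placeholder_pem(label):
    """Constructed placeholder PEM block, base64-encoded as in a Secret's data."""
    body = f"-----BEGIN {label}-----\nplaceholder\n-----END {label}-----\n"
    return base64.b64encode(body.encode()).decode()


# Constructed stand-in for `kubectl get secret etcd-ssl-s -n ops -o json`.
SECRET_JSON = json.dumps({
    "kind": "Secret",
    "type": "kubernetes.io/tls",
    "metadata": {"name": "etcd-ssl-s", "namespace": "ops"},
    "data": {"tls.crt": placeholder_pem("CERTIFICATE"), "tls.key": placeholder_pem("RSA PRIVATE KEY")},
})


def pem_label(b64_value):
    """Return the label of the first PEM block, e.g. 'CERTIFICATE', or None."""
    text = base64.b64decode(b64_value).decode("ascii", "replace")
    for line in text.splitlines():
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            return line[len("-----BEGIN "):-len("-----")]
    return None


def preflight(secret, cert_filename, key_filename, ca_filename=None):
    """List problems a pod would hit opening these files from the mounted Secret."""
    data = secret.get("data") or {}
    findings = []
    # A Secret volume exposes one file per data key, named exactly after the key.
    for role, name, want in (("cert", cert_filename, "CERTIFICATE"),
                             ("key", key_filename, "PRIVATE KEY")):
        if name not in data:
            findings.append(f"{role}: no file '{name}'; keys are {sorted(data)}")
            continue
        label = pem_label(data[name])
        if label is None or not label.endswith(want):
            findings.append(f"{role}: '{name}' is PEM {label!r}, expected {want}")
    # ca_filename is a hypothetical parameter: the key holding the issuing CA, if any.
    if ca_filename is None or ca_filename not in data:
        findings.append("ca: no CA certificate in Secret; a private CA will fail verification")
    return findings


if __name__ == "__main__":
    for pair in (("etcd.crt", "etcd-key.key"), ("tls.crt", "tls.key")):
        print(pair, preflight(json.loads(SECRET_JSON), *pair))
```

With `etcd.crt`/`etcd-key.key` both file checks fail, matching the "No such file or directory" log; with `tls.crt`/`tls.key` only the CA finding remains, matching "certificate verify failed".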
[GitHub] [apisix-helm-chart] ajistyle commented on issue #173: helm install apisix fails to connect to external etcd over https
Posted by GitBox <gi...@apache.org>.
ajistyle commented on issue #173:
URL: https://github.com/apache/apisix-helm-chart/issues/173#issuecomment-964707207
```
cp etcd.pem etcd.crt
cp etcd-key.pem etcd-key.key
kubectl create secret tls etcd-ssl-s -n ops \
--cert=/opt/zhuji/helm/apisix/cert/etcd.crt \
--key=/opt/zhuji/helm/apisix/cert/etcd-key.key \
--dry-run -o yaml > etcd-ssl-s.yaml
[root@node201 apisix]# kubectl describe secret/etcd-ssl-s -n ops
Name: etcd-ssl-s
Namespace: ops
Labels: <none>
Annotations:
Type: kubernetes.io/tls
Data
====
tls.crt: 1403 bytes
tls.key: 1675 bytes
```
```
helm install apisix apisix-072/ --namespace ops \
--set etcd.enabled=false \
--set etcd.host={https://192.168.2.202:2379} \
--set etcd.auth.tls.enabled=true \
--set etcd.auth.tls.existingSecret=etcd-ssl-s \
--set etcd.auth.tls.certFilename=etcd.crt \
--set etcd.auth.tls.certKeyFilename=etcd-key.key
[root@node201 apisix]# kubectl -n ops logs pod/apisix-f9fbcd99c-lzvfq
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init
WARNING: using fixed Admin API token has security risk.
Please modify "admin_key" in conf/config.yaml .
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init_etcd
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (No such file or directory), retry time=1
request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (system lib)
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (system lib), retry time=2
```
```
helm install apisix apisix-072/ --namespace ops \
--set etcd.enabled=false \
--set etcd.host={https://192.168.2.202:2379} \
--set etcd.auth.tls.enabled=true \
--set etcd.auth.tls.existingSecret=etcd-ssl-s \
--set etcd.auth.tls.certFilename=tls.crt \
--set etcd.auth.tls.certKeyFilename=tls.key
[root@node201 apisix]# kubectl logs pod/apisix-f44c8b9d-kbtqv -n ops
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init
WARNING: using fixed Admin API token has security risk.
Please modify "admin_key" in conf/config.yaml .
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init_etcd
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, certificate verify failed, retry time=1
request etcd endpoint 'https://192.168.2.202:2379/version' error, certificate verify failed
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, certificate verify failed, retry time=2
[root@node201 apisix]#
```
[GitHub] [apisix-helm-chart] ajistyle edited a comment on issue #173: helm install apisix fails to connect to external etcd over https
Posted by GitBox <gi...@apache.org>.
ajistyle edited a comment on issue #173:
URL: https://github.com/apache/apisix-helm-chart/issues/173#issuecomment-964707207
```
cp etcd.pem etcd.crt
cp etcd-key.pem etcd-key.key
kubectl create secret tls etcd-ssl-s -n ops \
--cert=/opt/zhuji/helm/apisix/cert/etcd.crt \
--key=/opt/zhuji/helm/apisix/cert/etcd-key.key \
--dry-run -o yaml > etcd-ssl-s.yaml
[root@node201 apisix]# kubectl describe secret/etcd-ssl-s -n ops
Name: etcd-ssl-s
Namespace: ops
Labels: <none>
Annotations:
Type: kubernetes.io/tls
Data
====
tls.crt: 1403 bytes
tls.key: 1675 bytes
```
```
helm install apisix apisix-072/ --namespace ops \
--set etcd.enabled=false \
--set etcd.host={https://192.168.2.202:2379} \
--set etcd.auth.tls.enabled=true \
--set etcd.auth.tls.existingSecret=etcd-ssl-s \
--set etcd.auth.tls.certFilename=etcd.crt \
--set etcd.auth.tls.certKeyFilename=etcd-key.key
[root@node201 apisix]# kubectl -n ops logs pod/apisix-f9fbcd99c-lzvfq
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init
WARNING: using fixed Admin API token has security risk.
Please modify "admin_key" in conf/config.yaml .
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init_etcd
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (No such file or directory), retry time=1
request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (system lib)
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, error loading private key (system lib), retry time=2
```
`helm uninstall apisix --namespace ops`
```
helm install apisix apisix-072/ --namespace ops \
--set etcd.enabled=false \
--set etcd.host={https://192.168.2.202:2379} \
--set etcd.auth.tls.enabled=true \
--set etcd.auth.tls.existingSecret=etcd-ssl-s \
--set etcd.auth.tls.certFilename=tls.crt \
--set etcd.auth.tls.certKeyFilename=tls.key
[root@node201 apisix]# kubectl logs pod/apisix-f44c8b9d-kbtqv -n ops
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init
WARNING: using fixed Admin API token has security risk.
Please modify "admin_key" in conf/config.yaml .
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init_etcd
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, certificate verify failed, retry time=1
request etcd endpoint 'https://192.168.2.202:2379/version' error, certificate verify failed
Warning! Request etcd endpoint 'https://192.168.2.202:2379/version' error, certificate verify failed, retry time=2
[root@node201 apisix]#
```
[GitHub] [apisix-helm-chart] ajistyle commented on issue #173: helm install apisix fails to connect to external etcd over https
Posted by GitBox <gi...@apache.org>.
ajistyle commented on issue #173:
URL: https://github.com/apache/apisix-helm-chart/issues/173#issuecomment-956048020
Experts, could you please take a look~