I tried to deploy Spinnaker with halyard and ran into a clouddriver problem.
I added an enterprise Docker registry that requires an enterprise CA.
Clouddriver fails with the following error.
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:1.8.0_212]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:1.8.0_212]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_212]
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) ~[na:1.8.0_212]
... 100 common frames omitted
2019-08-07 04:53:14.237 ERROR 1 --- [0.0-7002-exec-3] c.n.s.k.w.e.GenericExceptionHandlers : Internal Server Error
com.netflix.spinnaker.clouddriver.core.AlwaysUpHealthIndicator$HealthIndicatorWrappedException: retrofit.RetrofitError: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.netflix.spinnaker.clouddriver.core.AlwaysUpHealthIndicator.health(AlwaysUpHealthIndicator.java:49) ~[clouddriver-core.jar:na]
at org.springframework.boot.actuate.health.CompositeHealthIndicator.health(CompositeHealthIndicator.java:95) ~[spring-boot-actuator-2.1.6.RELEASE.jar:2.1.6.RELEASE]
at org.springframework.boot.actuate.health.HealthEndpoint.health(HealthEndpoint.java:50) ~[spring-boot-actuator-2.1.6.RELEASE.jar:2.1.6.RELEASE]
at org.springframework.boot.actuate.health.HealthEndpointWebExtension.health(HealthEndpointWebExtension.java:53) ~[spring-boot-actuator-2.1.6.RELEASE.jar:2.1.6.RELEASE]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_212]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_212]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_212]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_212]
at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282) ~[spring-core-5.1.8.RELEASE.jar:5.1.8.RELEASE]
at org.springframework.boot.actuate.endpoint.invoke.reflect.ReflectiveOperationInvoker.invoke(ReflectiveOperationInvoker.java:76) ~[spring-boot-actuator-2.1.6.RELEASE.jar:2.1.6.RELEASE]
at org.springframework.boot.actuate.endpoint.annotation.AbstractDiscoveredOperation.invoke(AbstractDiscoveredOperation.java:60) ~[spring-boot-actuator-2.1.6.RELEASE.jar:2.1.6.RELEASE]
at org.springframework.boot.actuate.endpoint.web.servlet.AbstractWebMvcEndpointHandlerMapping$ServletWebOperationAdapter.handle(AbstractWebMvcEndpointHandlerMapping.java:278) ~[spring-boot-actuator-2.1.6.RELEASE.jar:2.1.6.RELEASE]
So I created a secret with a cacerts file into which the corporate CA was imported, based on the following link.
https://www.spinnaker.io/reference/halyard/custom/#using-custom-volumes
In ~/.hal/default/service-settings/clouddriver.yml,
kubernetes:
  volumes:
  - id: spin-truststore
    type: secret
    mountPath: /app/certs/
However, I still get the same certificate error.
I also tried the following.
I added the entries below to ~/.hal/default/profile/clouddriver-local.yml along with the volume above.
okHttpClient:
  enabled: true
  keyStore: /app/certs/cacert
  keyStorePassword: changeit
  trustStore: /app/certs/cacert
  trustStorePassword: changeit
  propagateSpinnakerHeaders: true
  connectTimeoutMs: 60000
  readTimeoutMs: 60000
Now I get a "too big" error.
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [retrofit.client.OkClient]: Factory method 'okClient' threw exception; nested exception is java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185) ~[spring-beans-5.1.8.RELEASE.jar:5.1.8.RELEASE]
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:622) ~[spring-beans-5.1.8.RELEASE.jar:5.1.8.RELEASE]
... 107 common frames omitted
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
at sun.security.util.DerInputStream.getLength(DerInputStream.java:599) ~[na:1.8.0_212]
at sun.security.util.DerValue.init(DerValue.java:391) ~[na:1.8.0_212]
at sun.security.util.DerValue.<init>(DerValue.java:332) ~[na:1.8.0_212]
at sun.security.util.DerValue.<init>(DerValue.java:345) ~[na:1.8.0_212]
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1938) ~[na:
Update
After changing the mount path as shown below, the certificate error is now gone. Here I did not add the clouddriver-local.yml file.
mountPath: /etc/ssl/certs/java
However, I now get a different error,
2019-08-07 06:09:55.364 ERROR 1 --- [ecutionAction-2] .d.r.p.a.DockerRegistryImageCachingAgent : Could not load tags for gcp-spinnaker/spinnaker-marketplace/front50 in https://docker.xyz.com
retrofit.RetrofitError: 429 Too Many Requests
at retrofit.RetrofitError.httpError(RetrofitError.java:40) ~[retrofit-1.9.0.jar:na]
at retrofit.RestAdapter$RestHandler.invokeRequest(RestAdapter.java:388) ~[retrofit-1.9.0.jar:na]
at retrofit.RestAdapter$RestHandler.invoke(RestAdapter.java:240) ~[retrofit-1.9.0.jar:na]
at com.sun.proxy.$Proxy134.getTags(Unknown Source) ~[na:na]
And also the error below.
Error from server (Forbidden): podsecuritypolicies.extensions is forbidden: User "XXXXXXXX" cannot list resource "podsecuritypolicies" in API group "extensions" at the cluster scope
Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "XXXXXX" cannot list resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
at com.netflix.spinnaker.clouddriver.kubernetes.v2.op.job.KubectlJobExecutor.list(KubectlJobExecutor.java:421) ~[clouddriver-kubernetes.jar:na]
at com.netflix.spinnaker.clouddriver.kubernetes.v2.security.KubernetesV2Credentials.lambda$list$18(KubernetesV2Credentials.java:464) ~[clouddriver-kubernetes.jar:na]
at com.netflix.spinnaker.clouddriver.kubernetes.v2.security.KubernetesV2Credentials.runAndRecordMetrics(KubernetesV2Credentials.java:598) ~[clouddriver-kubernetes.jar:na]
at com.netflix.spinnaker.clouddriver.kubernetes.v2.security.KubernetesV2Credentials.list(KubernetesV2Credentials.java:460) ~[clouddriver-kubernetes.jar:na]
at com.netflix.spinnaker.clouddriver.kubernetes.v2.caching.agent.KubernetesV2CachingAgent.lambda$loadPrimaryResourceList$0(KubernetesV2CachingAgent.java:88) ~[clouddriver-kubernetes.jar:na]
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[na:1.8.0_212]
Solution 1:
Create a custom image with the corporate certificates imported.
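A note on the "DerInputStream.getLength(): lengthTag=109, too big." failure above: the stack trace shows the file being read by PKCS12KeyStore.engineLoad, and 109 is exactly what the DER length check returns for the second byte of the JKS magic number 0xFEEDFEED (0xED with the high bit masked off is 0x6D = 109, and anything above 4 length octets is rejected as "too big"). In other words, a JKS-format keystore (the format of Java 8's bundled cacerts) was handed to a loader that expected PKCS#12. Converting the store first with `keytool -importkeystore -srckeystore cacerts -destkeystore truststore.p12 -deststoretype PKCS12` avoids that mismatch. The script below is an added example, not code from the question or from Spinnaker: it classifies a keystore file by its leading bytes and reproduces the Java length check so the mismatch is caught before the container starts. The SAMPLES headers are constructed byte strings, not real keystores.

```python
# Added example, not code from the question or from Spinnaker: inspect the
# first bytes of a keystore file the way Java's PKCS12 loader would, so a
# JKS-format cacerts handed to a PKCS12 loader is spotted before deployment.
import struct
import sys

JKS_MAGIC = 0xFEEDFEED    # magic number written by the JKS keystore format
JCEKS_MAGIC = 0xCECECECE  # magic number of the JCEKS variant
DER_SEQUENCE = 0x30       # first byte of a DER SEQUENCE (outer PKCS#12 PFX wrapper)


def der_length_tag(length_byte: int) -> int:
    """Mirror of the check in sun.security.util.DerInputStream.getLength().

    High bit clear: short form, the byte is the length itself.
    High bit set: the low 7 bits give the number of following length octets;
    more than 4 is rejected with the 'too big' IOException seen in the log.
    """
    if length_byte & 0x80 == 0:
        return length_byte
    tag = length_byte & 0x7F
    if tag > 4:
        raise IOError(f"DerInputStream.getLength(): lengthTag={tag}, too big.")
    return tag


def sniff_keystore(data: bytes) -> str:
    """Classify a keystore/certificate file by its leading bytes."""
    if data.startswith(b"-----BEGIN"):
        return "PEM"
    if len(data) >= 4:
        magic = struct.unpack(">I", data[:4])[0]
        if magic == JKS_MAGIC:
            return "JKS"
        if magic == JCEKS_MAGIC:
            return "JCEKS"
    if data[:1] == bytes([DER_SEQUENCE]):
        return "PKCS12/DER"
    return "unknown"


def pkcs12_loader_verdict(data: bytes) -> str:
    """What happens when the PKCS12 loader reads the first DER tag/length pair."""
    if len(data) < 2:
        return "file too short to be a keystore"
    try:
        der_length_tag(data[1])
    except IOError as exc:
        return str(exc)
    return "DER length parsed"


# Constructed sample headers (not real keystores): JKS magic + version 2,
# a PKCS#12 SEQUENCE with a 2-octet long-form length, and a PEM preamble.
SAMPLES = {
    "jks-cacerts": b"\xfe\xed\xfe\xed\x00\x00\x00\x02\x00\x00\x00\x01",
    "pkcs12-truststore": b"\x30\x82\x0a\x3c\x02\x01\x03\x30",
    "corp-ca.pem": b"-----BEGIN CERTIFICATE-----\nMIIB...\n",
}


def check_samples() -> dict:
    """Return {name: (detected format, PKCS12 loader verdict)} for the samples."""
    return {name: (sniff_keystore(d), pkcs12_loader_verdict(d))
            for name, d in SAMPLES.items()}


if __name__ == "__main__":
    # Pass real file paths to inspect them; with no arguments the samples are used.
    targets = {p: open(p, "rb").read(16) for p in sys.argv[1:]} or SAMPLES
    for name, data in targets.items():
        print(f"{name}: format={sniff_keystore(data)}; "
              f"pkcs12 loader -> {pkcs12_loader_verdict(data)}")
```

Run it against the file you mount at the trustStore path (for example `python3 sniff_keystore.py /app/certs/cacert`); if it reports JKS, the loader expecting PKCS#12 will fail exactly as in the log, and the store should be converted or the store type matched before mounting it into clouddriver.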