jetstack
the server has asked for the client to provide credentials error
I'm getting the follow error (and all that is in the logs) when the pod starts. I assume this is when kube-lego tries to talk to my kube-api
2016-10-18T00:28:29.478223138Z time="2016-10-18T00:28:29Z" level=info msg="kube-lego 0.1.2-03c268d7 starting" context=kubelego
2016-10-18T00:28:29.513084276Z time="2016-10-18T00:28:29Z" level=fatal msg="the server has asked for the client to provide credentials" context=kubelego
Interesting issue, can you provide the cli flags you run your API server with?
It looks like you requiring cert auth against Kubernetes API
"the server has asked for the client to provide credentials"
this can be triggered by an invalid service account. Please check the certificate is not expired.
I use certs for all communication with the API server.
I can't see a way to use certs, or use a kubeconfig file, with kube-lego if it's possible?
My kube api flags are
image: quay.io/coreos/hyperkube:v1.4.1_coreos.0
command:
- /hyperkube
- apiserver
- --bind-address=0.0.0.0
- --etcd-servers=https://127.0.0.1:2379
- --allow-privileged=true
- --service-cluster-ip-range=10.3.0.0/24
- --secure-port=443
- --advertise-address={{.node.ip_v4.private}}
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
- --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem
- --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
- --client-ca-file=/etc/kubernetes/ssl/ca.pem
- --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
- --runtime-config=extensions/v1beta1=true,extensions/v1beta1/networkpolicies=true
- --etcd-cafile=/etc/ssl/etcd/ca.pem
- --etcd-certfile=/etc/ssl/etcd/etcd.pem
- --etcd-keyfile=/etc/ssl/etcd/etcd-key.pem
@lukesmith have you tried to mount a kubeconfig file using a secret to /root/.kube/config?
It think this is preventing it from working: https://github.com/jetstack/kube-lego/blob/master/pkg/kubelego/kube.go#L23
But it would be good to make that work..
