Connecting Spring Cloud Config and AWS Code Commit using HTTPS credentials - spring-cloud-config

I am trying to connect my Spring Cloud Config to a repo on AWS CodeCommit using HTTPS but I keep getting an error saying Cannot clone or checkout repository.
This is what I have done so far:
Created a user in AWS IAM and generated HTTPS GIT username and password credentials.
Added the AWS CodeCommit git URL and user credentials into the application.yml file
server:
  port: 8888
spring:
  cloud:
    config:
      discovery:
        enabled: true
      server:
        encrypt.enabled: false
        git:
          uri: https://git-codecommit.eu-west-2.amazonaws.com/v1/repos/XXXXX
          username: XXXXXXXXXX
          password: XXXXXXXXXX
Added the AWS java-sdk-core library as a build dependency.
Is there anything else I need to do?

Document encrypt.* values need to go in bootstrap.{yml|properties}

Related

Add yum repo to Sonatype Nexus Repository in Proxy mode

I'm new to Nexus Repository (using OSS 3.37 on RHEL 7.7). I'm trying to add a simple Yum repo. What I do:
Name: TestRepo
Proxy > Remote Storage: "http://mirror.centos.org/centos/"
Storage > Blob Store: "default"
Finally URL to access will be http://<IP_OF_NEXUS>:8081/repository/TestRepo/
When I try to access it using the URL I get:
*This yum proxy repository is not directly browseable at this URL.*
I found the same steps that I made in the docs on the Sonatype website.
I followed the same steps for an APT repo and I can access it using http://<IP_OF_NEXUS>:8081/repository/UbuntuRepo/
Config:
Name: UbuntuRepo
Proxy > Remote Storage: "http://archive.ubuntu.com/ubuntu/"
Storage > Blob Store: "default"

setup bitbucket access using bearer token in spring cloud config server

As described by Bitbucket, personal access tokens are now free from the user and can be used as bearer tokens to access repositories.
But I couldn't find any way to configure bearer tokens in place of username and password in Spring Cloud Config Server.
spring:
  cloud:
    config:
      server:
        git:
          uri: https://my-bicket.com/bu/myrepo.git
          username: my-username
          password: my-token
Is it supported by Spring Cloud Config Server?

kubernetes authentication against the API server

I have set up a Kubernetes cluster from scratch. This just means I did not use services provided by others, but used the k8s installer itself. Before, we used to have other clusters, but with providers, and they give you the TLS cert and key for auth, etc. Now this cluster was set up by myself, and I have access via kubectl:
$ kubectl get all
NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   21h
$
I also tried this and I can add a custom key, but then when I try to query via curl I get pods is forbidden: User "system:anonymous" cannot list resource "pods" in API group "" at the cluster scope.
I cannot figure out where I can get the cert and key for a user to authenticate using the API for TLS auth. I have tried to understand the official docs, but I have got nowhere. Can someone help me find where those files are, or how to add or get certificates that I can use for the REST API?
Edit1: my .kube.config file looks like this:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0t(...)=
    server: https://private_IP:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS(...)Qo=
    client-key-data: LS0(...)tCg==
It works from the localhost just normally.
On the other hand, I noticed something. From the localhost I can access the cluster by generating the token using this method.
Also notice that for now I do not mind about creating multiple roles for multiple users, etc. I just need access to the API from remote and can be using "default" authentication or roles.
Now when I try to do the same from remote I get the following:
I tried using that config to run kubectl get all from remote; it runs for a while and then ends in Unable to connect to the server: dial tcp private_IP:6443: i/o timeout.
This happens because the config has private_IP, so I changed the IP to Public_IP:6443 and now get the following: Unable to connect to the server: x509: certificate is valid for some_private_IP, My_private_IP, not Public_IP:6443
Keep in mind that this is an AWS EC2 instance with an Elastic IP (you can think of an Elastic IP as just a public IP on a traditional setup, but this public IP is on your public router, which then routes requests to your actual server on the private network). For AWS fans, like I said, I cannot use the EKS service here.
So how do I get this to be able to use the Public IP?
It seems your main problem is the TLS server certificate validation.
One option is to tell kubectl to skip the validation of the server certificate:
kubectl --insecure-skip-tls-verify ...
This obviously has the potential to be "insecure", but that depends on your use case.
Another option is to recreate the cluster with the public IP address added to the server certificate. And it should also be possible to recreate only the certificate with kubeadm without recreating the cluster. Details about the latter two points can be found in this answer.
You need to set up RBAC for the user: define roles and role bindings. Follow the link for reference -> https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/
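A check that belongs before the skip-verify option above, as an added example (not from the question or either answer): it reads the SANs the API server actually presents, tests whether the elastic IP is among them, and if not re-issues only the apiserver certificate the way the second option describes. It assumes openssl 1.1.1+ and kubeadm on the control-plane node; the function names and PUBLIC_IP are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the question or the answers above. Before
# resorting to --insecure-skip-tls-verify, find out which IPs the API server's
# certificate actually covers; if the elastic IP is missing, re-issue only
# that certificate with kubeadm so that TLS validation can stay on.
# Assumptions: openssl (1.1.1+) and kubeadm are on the node; the function
# names and PUBLIC_IP are this example's own, not from the question.

set -eu

# Print the Subject Alternative Name line of the certificate served at $1
# (host:port), e.g. "IP Address:10.96.0.1, IP Address:172.31.5.60".
apiserver_sans() {
  openssl s_client -connect "$1" -servername kubernetes </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName
}

# Succeed only if the SAN text on stdin lists "IP Address:$1" as a whole
# entry (so 172.31.5.6 does not match 172.31.5.60).
san_has_ip() {
  tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fx "IP Address:$1" >/dev/null
}

# Exit 0 when the certificate presented at $1 is valid for IP $2.
apiserver_cert_covers_ip() {
  apiserver_sans "$1" | san_has_ip "$2"
}

# Re-issue the API server certificate with $1 added as an extra SAN. kubeadm
# leaves an existing certificate untouched, so the old pair is moved aside
# first; the CA is unchanged, so existing kubeconfigs keep validating.
# kube-apiserver runs as a static pod and must be restarted to load the new
# files (e.g. move its manifest out of /etc/kubernetes/manifests and back).
reissue_apiserver_cert() {
  mv /etc/kubernetes/pki/apiserver.crt /etc/kubernetes/pki/apiserver.crt.bak
  mv /etc/kubernetes/pki/apiserver.key /etc/kubernetes/pki/apiserver.key.bak
  kubeadm init phase certs apiserver --apiserver-cert-extra-sans="$1"
}

# Usage on the control-plane node (PUBLIC_IP = the elastic IP):
#   apiserver_cert_covers_ip "$PUBLIC_IP:6443" "$PUBLIC_IP" \
#     || reissue_apiserver_cert "$PUBLIC_IP"
# Afterwards point the kubeconfig's server: entry at https://PUBLIC_IP:6443.
```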

getting error while using s3cmd with following config

I am trying s3cmd from the command line, and when I configure it using s3cmd --configure it asks me for the following information. I know I am giving the proper Access Key and Secret Key, but I think the problem is with Default Region: Mumbai, S3 Endpoint: ap-south-1.amazonaws.com or DNS-style bucket+hostname:port template for accessing a bucket:. My S3 bucket is in Mumbai, India.
Access Key: ASOMETHINGJFDGERCEMUA
Secret Key: 5q2tbwdf43/sdfsdfsdf/AopqPd73QaiN4fr3e3fv8wE
Default Region: Mumbai
S3 Endpoint: ap-south-1.amazonaws.com
DNS-style bucket+hostname:port template for accessing a bucket: %(bucket)s.s3.ap-south-1.amazonaws.com
Encryption password:
Path to GPG program: None
Use HTTPS protocol: True
HTTP Proxy server name:
HTTP Proxy server port: 0
Error:
ERROR: Test failed: [Errno 8] nodename nor servname provided, or not known
For Asia Pacific (Mumbai), use the following values.
Region: ap-south-1
S3 Endpoint: s3.ap-south-1.amazonaws.com
Refer here for the complete list of S3 Endpoints.
Note: Check whether your version of s3cmd supports Signature Version 4.
Prefer the AWS CLI over s3cmd.

OpenShift Origin Build - unable to use git as a source

I'm trying to do a simple build of a nodejs app I wrote in OpenShift Origin using the following yaml:
kind: "BuildConfig"
apiVersion: "v1"
metadata:
  name: "dyn-kickstart"
spec:
  triggers:
    - type: "GitHub"
      github:
        secret: "secret101"
  source:
    git:
      uri: git@bitbucket.org:serverninja02/dynamic-kickstart.git
    sourceSecret:
      name: "github"
  strategy:
    type: Docker
    dockerStrategy:
      dockerfilePath: .
      forcePull: true
      noCache: true
  output:
    to:
      kind: "DockerImage"
      name: "docker-registry-default.apps.reedfamily.local/serverninja/dynamic-kickstart:v0.0.1"
The command I'm running to create the build:
$ cat dynamic-kickstart.yml | oc create -f -
What I'm running into is that the build service account doesn't seem to be able to access the github url to clone:
Cloning "git@bitbucket.org:serverninja02/dynamic-kickstart.git" ...
error: build error: Warning: Permanently added 'bitbucket.org,192.168.1.81' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
I did follow the instructions on creating the ssh-privatekey secret, placing it in the secret store, and linking it to the build SA. I also double-checked that key and tested through SSH forwarding that I can log into the OpenShift node and ssh git@bitbucket.org.
I'm not sure what I'm doing wrong but even with using the http git url and making it a public repo, it still doesn't work as it complains about the peer certificate not being trusted:
Cloning "https://serverninja02@bitbucket.org/serverninja02/dynamic-kickstart.git" ...
error: build error: fatal: unable to access 'https://serverninja02@bitbucket.org/serverninja02/dynamic-kickstart.git/': Peer's certificate issuer has been marked as not trusted by the user.
At this point, I'm unsure where to go with this as OpenShift Origin doesn't seem to want to build anything from git as a source.
Any help or suggestions would be greatly appreciated!
OpenShift Version: 1.3.0
OpenShift Kubernetes Version: v1.3.0+52492b4
This is a flat network behind a router. DNS is on Active Directory with a wildcard entry for *.apps.reedfamily.local.
This is a test bed environment in a .local domain. However I'm using this build to potentially build this out as a POC for my company to host OpenShift.
I figured out the answer to my problem!!! So I'll share:
The /etc/resolv.conf was configured automatically during the build of my OpenShift nodes when I ran openshift-ansible. Unfortunately, there was a search domain placed in /etc/resolv.conf that must have been causing issues.
# Generated by NetworkManager
search apps.reedfamily.local
nameserver 192.168.1.40
Once I removed "search apps.reedfamily.local", that fixed the problem immediately on the next build!
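The resolver behaviour behind that fix, as an added example that is not part of the question or the self-answer: with ndots at its default of 1, glibc tries bitbucket.org as an absolute name first and, only if that lookup fails, retries it as bitbucket.org.apps.reedfamily.local, which a wildcard *.apps.reedfamily.local record answers with an internal address (the 192.168.1.81 next to bitbucket.org in the known_hosts warning above is what such a fallback looks like). It assumes glibc resolver defaults and getent for the live check; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the question or the self-answer above. It shows
# how a "search" line turns a failed lookup of an external host into a query
# for host.<search-domain>, which a wildcard such as *.apps.reedfamily.local
# then answers with an internal address, and gives a check that separates the
# absolute lookup from the search-list fallback. Assumptions: glibc resolver
# defaults (ndots:1) and getent; the function names are this example's own.

set -eu

# Print, in order, the names the resolver tries for host $1 with the
# space-separated search domains $2. A name containing a dot is tried as-is
# first and the search domains are appended only if that fails; a
# single-label name goes through the search list first.
resolver_candidates() {
  local host="$1" domains="$2" d
  case "$host" in
    *.) printf '%s\n' "$host"; return 0 ;;   # trailing dot: absolute only
    *.*) printf '%s\n' "$host" ;;
  esac
  for d in $domains; do
    printf '%s.%s\n' "$host" "$d"
  done
  case "$host" in
    *.*) ;;
    *) printf '%s\n' "$host" ;;
  esac
}

# Extract the search domains ("search" or "domain" directive) from resolv.conf
# text on stdin, as one space-separated line.
search_domains() {
  awk '$1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) printf "%s ", $i }' \
    | sed 's/ *$//'
}

# Live check: a trailing dot makes the name absolute and bypasses the search
# list. If the two answers differ, the normal lookup was served by a search
# domain rather than by the host's real zone.
dns_search_fallback_check() {
  local host="$1" absolute normal
  absolute=$(getent hosts "${host}." | awk '{print $1}' || true)
  normal=$(getent hosts "$host" | awk '{print $1}' || true)
  if [ "$absolute" != "$normal" ]; then
    echo "WARNING: $host -> '$normal' via search list, '$absolute' as absolute name"
    return 1
  fi
  echo "OK: $host -> '$normal' with and without the search list"
}
```

Run resolver_candidates bitbucket.org "$(search_domains </etc/resolv.conf)" on a build node to see the order of names tried, and dns_search_fallback_check bitbucket.org to detect the fallback before editing the search line.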