[caasp-beta] [Newsletter] Re: RE : kubectl requires username and password

Robert Roland rroland at suse.com
Tue Oct 3 14:23:32 MDT 2017


No, Dex does not run on the admin node. It runs as pods distributed across your cluster. OpenLDAP runs on the admin node.



>>> Liam McCafferty <Liam.McCafferty at smartodds.co.uk> 10/03/17 12:24 PM >>>
 If I remember correctly dex runs on the caasp admin node. Any luck finding it there?

 On 3 Oct 2017, at 7:45 pm, "Ns, Rushi" <rushi.ns at sap.com> wrote:

 Hi Robert,

 I don’t think bootstrap failed, as the cluster completed without any errors and VELUM shows all active.

 Also on the master node, I see dex.yaml and roles.yaml, which both exist, but I am not sure if the PODS are running.

 In the worst case I will try to rebuild the cluster to see if it works. By the way, on which node was DEX running? I checked all my nodes and I can’t find DEX running as a POD.

 lvsusekub5:~ #   ls -ltr
 total 16
 drwxr-xr-x 1 root root    0 Jun 27 08:59 bin
 drwxr-xr-x 1 root root   36 Sep 26 02:13 inst-sys
 -rw-r--r-- 1 root root  156 Sep 26 04:18 flannel-config.json
 -rw-r--r-- 1 root root 3034 Sep 26 04:19 dex.yaml
 -rw-r--r-- 1 root root 1161 Sep 26 04:19 roles.yaml
 -rw-r--r-- 1 root root 3295 Oct  3 18:37 kubeconfig

 Best Regards,

 Rushi.

 I MAY BE ONLY ONE PERSON, BUT I CAN BE ONE PERSON WHO MAKES A DIFFERENCE

  From: Robert Roland <rroland at suse.com>
 Date: Tuesday, October 3, 2017 at 11:38 AM
 To: "caasp-beta at lists.suse.com" <caasp-beta at lists.suse.com>, "DElder at novacoast.com" <DElder at novacoast.com>, Rushi NS <rushi.ns at sap.com>, Paul Gonin <PGonin at suse.com>, Rob de Canha-Knight <rob.decanha-knight at suse.com>
 Subject: Re: [caasp-beta] [Newsletter] Re: RE : kubectl requires username and password

 That "Forbidden" error implies that your cluster bootstrap didn't complete successfully. Please submit a bug with a full supportconfig dump.

 Dex is set up by the bootstrap process. This error means that one of the steps in setting up Dex failed.

 Thanks,

 Rob

 >>> "Ns, Rushi" <rushi.ns at sap.com> 10/03/17 11:16 AM >>>
 
 Hi Paul,

 Thank you. I have tried the same one with the latest caasp-cli and the result is the same. FYI, I set up 3 masters with 6 workers and I tried all 3 masters' hostnames one by one with the caasp-cli command line, but nothing is really working.

 Do I have to set up any DEX container on the cluster, or is it an embedded part of it, and why is it asking me for DEX?

 caasp-cli login -s https://hostname:6443 -u rushi at id.com -p xxxxxx

 Error: unable to find Dex service in CaaS Platform cluster, error was Get https://hostname:6443/api/v1/namespaces/kube-system/services/dex: Forbidden

 Best Regards,

 Rushi.

 I MAY BE ONLY ONE PERSON, BUT I CAN BE ONE PERSON WHO MAKES A DIFFERENCE

  From: Paul Gonin <paul.gonin at suse.com>
 Date: Tuesday, October 3, 2017 at 8:55 AM
 To: Rob de Canha-Knight <rob.decanha-knight at suse.com>, Rushi NS <rushi.ns at sap.com>, "caasp-beta at lists.suse.com" <caasp-beta at lists.suse.com>, Dan Elder <DElder at novacoast.com>
 Subject: Re: [caasp-beta] [Newsletter] Re: RE : kubectl requires username and password

 Hi,

 You need to check that port 389 is open between the master node and the admin node. For example, if you're using OpenStack, you need to check that the security group is properly defined to allow this port.

 rgds

 Paul

 On Tuesday, 03 October 2017 at 15:17 +0000, Rob de Canha-Knight wrote:

 Rushi.

 The details I provided below on caasp-cli are how I’ve been using caasp-cli since day one.

 I’ve just tried again on a new cluster and running

 caasp-cli login -s https://master.caaspdemo.geeko.ninja:6443 -u rob.decanha-knight at suse.com -p mypassword

 Where I don’t have any other documents to hand (other than the attached) around logging in so all I can personally suggest is to make sure you’re using https and port 6443 of the kubernetes master after -s.

 I’ve also attached the main bit of documentation we have around the caasp-cli client (which will make its way into the version 2 final release).

 I would suggest trying again from scratch with a new cluster instance of RC1 (including downloading and installing the updated caasp-cli client available from https://github.com/kubic-project/caasp-cli/releases as this one is working fine for me).

 Make a note of every command you are running and the output it provides and you can send those details to this list, as at the moment the information in the thread is a bit scattered and I can’t tell accurately what’s going on or what’s being done by the user.

 Yes, there are a lot of changes in this release, mainly an updated k8s version and a feature much requested by customers (I remember during 1.0 betas you also asked for user management and this is how we’ve implemented it). I’ve also attached the details on how to create/manage additional user accounts through ldap as well as the caasp-cli guidance that we have.

 As one of our closest partners you also have the option of reaching out to your partner sales engineer/rep for your region and discussing it directly with them. They should be able to go onsite and help you if asked to get things up and running for your team.

 All the best,

 Rob

 ----
 Rob de Canha-Knight
 EMEA Platform and Management Technical Strategist
 SUSE
 rob.decanha-knight at suse.com
 (Fuze/VOIP) +44 (0) 1635 937689
 (M) +44 (0) 7392 087303
 (TW) rssfed23
 ----
 
  From: "Ns, Rushi" <rushi.ns at sap.com>
 Date: Tuesday, 3 October 2017 at 16:07
 To: "caasp-beta at lists.suse.com" <caasp-beta at lists.suse.com>, Dan Elder <DElder at novacoast.com>, Rob de Canha-Knight <rob.decanha-knight at suse.com>
 Subject: Re: [caasp-beta] [Newsletter] Re: RE : kubectl requires username and password

 Hi Rob,

 Whatever you have mentioned is not really working in reality. Using CAASP-cli is not authenticating at all and I spent 2 days trying to find a way to connect to the cluster.

 VELUM is fine, I can log on with the registered email, but nothing can be done after that, such as installing kubernetes dashboard is not ? First of all I need to know how to connect with CAASP-CLI because there are no users created other than the VELUM web login which was registered.

 Can you provide some steps on how you have been doing it with caasp-cli? I see a lot of things changed in this new release.

 Best Regards,

 Rushi.

 I MAY BE ONLY ONE PERSON, BUT I CAN BE ONE PERSON WHO MAKES A DIFFERENCE

  From: <caasp-beta-bounces at lists.suse.com> on behalf of Rob de Canha-Knight <rob.decanha-knight at suse.com>
 Date: Tuesday, October 3, 2017 at 6:57 AM
 To: Dan Elder <DElder at novacoast.com>, "caasp-beta at lists.suse.com" <caasp-beta at lists.suse.com>
 Subject: Re: [caasp-beta] [Newsletter] Re: RE : kubectl requires username and password

 Hi Dan.

 In the log you’ve provided you’re using the admin server for the -s argument I believe.

 You must use https://<your-master-fqdn>:8443 as the address for the k8s master node (noting correct port and https).

 Please let us know how you get on.

 Rob

 ----
 Rob de Canha-Knight
 EMEA Platform and Management Technical Strategist
 SUSE
 rob.decanha-knight at suse.com
 (Fuze/VOIP) +44 (0) 1635 937689
 (M) +44 (0) 7392 087303
 (TW) rssfed23
 ----

  From: <caasp-beta-bounces at lists.suse.com> on behalf of Dan Elder <DElder at novacoast.com>
 Date: Tuesday, 3 October 2017 at 05:15
 To: "caasp-beta at lists.suse.com" <caasp-beta at lists.suse.com>

 I haven't had any luck authenticating with caasp-cli unfortunately.  The credentials I supply work fine for Velum but caasp-cli says they're invalid (output attached).  Is there some log I can pull from the admin node or somewhere else to troubleshoot this?  I've done 2 installs and gotten the same result both times.
 
 Thanks,
 Dan
 
 
 On 09/27/2017 08:04 AM, Paul Gonin wrote:

 Hi,

 It should be on the media so you can install it on the admin node
 It is installed by default on admin node.

 You can also get (currently) rpms for different openSUSE/SUSE flavors
 https://build.opensuse.org/repositories/devel:CaaSP:Head:ControllerNode/caasp-cli

 And there is also a windows Build from Rob
 https://github.com/rssfed23/caasp-cli-windows/releases

 Tested / works but not supported (yet, but I assume to come)

 Once you have caasp-cli

 export KUBECONFIG=<pathtokubeconfig> (set KUBECONFIG=kubeconfig in windows cmd shell)
 caasp-cli login -u caasp-user -p caasp-password -s https://caasp.fqdn:6443

 and then you can use kubectl as previously

 For caasp-user and caasp-password you can use caasp admin credentials.
 You can also create users in local ldap

 rgds

 Paul

 On Wednesday, 27 September 2017 at 14:52 +0000, Ns, Rushi wrote:

 Thanks, where can I download it? I see from github I can’t download the link.

 https://github.com/kubic-project/caasp-cli

 Best Regards,

 Rushi.

 I MAY BE ONLY ONE PERSON, BUT I CAN BE ONE PERSON WHO MAKES A DIFFERENCE

  From: Paul Gonin <pgonin at suse.com>
 Date: Tuesday, September 26, 2017 at 1:31 PM
 To: "caasp-beta at lists.suse.com" <caasp-beta at lists.suse.com>, Rushi NS <rushi.ns at sap.com>
 Subject: RE : [caasp-beta] kubectl requires username and password

 Hi,

 With RC1, RBAC is available.
 The consequence is that you have to use caasp-ctl to log in to CaaSP and modify your kubectl and inject credentials in it.

 Rgds

 Paul

 -------- Original message --------
 From: "Ns, Rushi" <rushi.ns at sap.com>
 Date: 26/09/2017 22:04 (GMT+01:00)
 To: SUSE Beta Program <beta-programs at lists.suse.com>, caasp-beta at lists.suse.com
 Subject: [caasp-beta] kubectl requires username and password

 >>> "Ns, Rushi" 09/26/2017 21:04 >>>
 
  
 
 Hi

 I set up a new cluster with this release and everything worked. I have 3 masters/10 workers. It looks fine on the VELUM web page as well, and I have downloaded kubeconfig and tried to do some workload tests, but I have an issue accessing the cluster.

 I have an issue with using the KUBECTL command line: whatever “kubectl” I run requires permission. I set up velum with my userid email and password, I thought it requires that and I tried but it's not ?

 I have also tried root (linux) master/workers but it doesn’t take that too?

 Does anyone know what the issue is?

 kubectl get cluster-info

 kubectl get nodes
 Please enter Username:  rushi.ns at sap.com
 Please enter Password: *********
 Error from server (Forbidden): User "system:anonymous" cannot list nodes at the cluster scope. (get nodes)

 kubectl get nodes
 Please enter Username: admin
 Please enter Password: ********
 Unable to connect to the server: x509: certificate is valid for 172.24.0.1, 172.16.18.0, 127.0.0.1, 172.16.18.1, 10.48.164.142, not 10.48.164.144

 kubectl get nodes
 Please enter Username: root
 Please enter Password: ********
 Unable to connect to the server: x509: certificate is valid for 172.24.0.1, 172.16.22.0, 127.0.0.1, 172.16

 From: <caasp-beta-bounces at lists.suse.com> on behalf of SUSE Beta Program <beta-programs at lists.suse.com>
 Reply-To: SUSE Beta Program  <beta-programs at lists.suse.com>
 Date: Friday, September 22, 2017 at 7:48 AM
 To: "caasp-beta at lists.suse.com" <caasp-beta at lists.suse.com>
 Subject: [caasp-beta] [ANNOUNCE] SUSE Container as a Service Platform 2 RC 1 is available!

 We are happy to announce SUSE CaaS Platform 2 Release Candidate 1!

 Please check out our dedicated SUSE CaaS Platform Beta web page, where you will find all the information needed around SUSE CaaS Platform Beta.

 What’s New with SUSE CaaS Platform 2 RC 1?

*  K8s Multi-Master: Kubernetes Multi Master for building High-Availability clusters.
*  caasp-cli: It's the new command line client for interacting with a CaaS Platform cluster. See for details.
*  Dex: Dex is an identity service that uses OpenID Connect to drive authentication for other apps. See for details.
*  OpenLDAP2: OpenLDAP2 running on an SLE12 container guest.

 Things to consider for this Beta?

*  DHCP

   Your DHCP server should provide resolvable hostnames. If this is not the case, like with libvirt/KVM, you should consider providing one yourself by appending this kernel parameter "hostname=HOSTNAME" during installation.

   However, the kubeconfig file downloaded from the Dashboard could contain an incorrect "server" hostname that should be replaced with the IP address of your Master. For more information read: https://en.opensuse.org/SDB:Linuxrc#Network_Configuration

*  Autoyast/VMX-Images

   If you install via autoyast or one of the provided VMX beta images (KVM,Xen,VMware,...) please set a password or SSH key via cloud-init to be able to login.

 Have fun beta testing!

 Your SUSE Linux Enterprise Team

 Please refer to our dedicated SUSE CaaSP Beta Program webpage for any general information. However, do not hesitate to contact us at beta-programs at lists.suse.com if you have any questions.

 _______________________________________________
caasp-beta mailing list
caasp-beta at lists.suse.com
http://lists.suse.com/mailman/listinfo/caasp-beta

-- 
Senior Engineer
Linux Services Manager
Novacoast, Inc.
Mobile: (310) 243-6971
Office: (800) 949-9933 x1337
http://www.novacoast.com/
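
Added example, not part of any message in this thread: a small Python triage of the three client errors quoted in the messages above, showing what each one says about the connection (unaccepted credentials, a kubeconfig "server" address missing from the API server certificate, a refused Dex service lookup). The function names and the `kind` labels are assumptions made for this illustration; the reading of the Dex error is the one given in the reply in this thread.

```python
import ipaddress
import re

# Error lines quoted from the messages in this thread.
SAMPLE_ERRORS = [
    'Error from server (Forbidden): User "system:anonymous" cannot list nodes '
    'at the cluster scope. (get nodes)',
    'Unable to connect to the server: x509: certificate is valid for 172.24.0.1, '
    '172.16.18.0, 127.0.0.1, 172.16.18.1, 10.48.164.142, not 10.48.164.144',
    'Error: unable to find Dex service in CaaS Platform cluster, error was Get '
    'https://hostname:6443/api/v1/namespaces/kube-system/services/dex: Forbidden',
]

X509_RE = re.compile(r"x509: certificate is valid for (.+), not (\S+)\s*$")
RBAC_RE = re.compile(r'\(Forbidden\): User "([^"]+)" cannot (\w+) (\S+)')
DEX_RE = re.compile(r"unable to find Dex service.*Get (https://\S+/services/dex): Forbidden")

def is_loopback(name):
    """True for loopback IPs; DNS names in the certificate are kept as candidates."""
    try:
        return ipaddress.ip_address(name).is_loopback
    except ValueError:
        return False

def triage(line):
    """Classify one kubectl/caasp-cli error line into a structured finding."""
    m = X509_RE.search(line)
    if m:
        sans = [s.strip() for s in m.group(1).split(",")]
        # The address in kubeconfig's "server" must be one of the certificate names.
        return {"kind": "tls_name_mismatch", "tried": m.group(2),
                "candidates": [s for s in sans if not is_loopback(s)]}
    m = DEX_RE.search(line)
    if m:
        # Per the reply in this thread: a Dex setup step of the bootstrap failed.
        return {"kind": "dex_lookup_forbidden", "url": m.group(1)}
    m = RBAC_RE.search(line)
    if m:
        user, verb, resource = m.groups()
        # system:anonymous means no credential was accepted for the request.
        kind = "unauthenticated" if user == "system:anonymous" else "rbac_denied"
        return {"kind": kind, "user": user, "verb": verb, "resource": resource}
    return {"kind": "unknown"}

if __name__ == "__main__":
    for err in SAMPLE_ERRORS:
        print(triage(err))
```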