K
Q

Internal certificate used when installing Helm Tiller Kubernetes

1/12/2019

The error below is triggered when executing kubectl -n gitlab-managed-apps logs install-helm.

I've tried regenerating the certificates, and bypassing the certificate check. Somehow it is using my internal certificate instead of the certificate of the source.

root@dev # kubectl -n gitlab-managed-apps logs install-helm
+ helm init --tiller-tls --tiller-tls-verify --tls-ca-cert /data/helm/helm/config/ca.pem --tiller-tls-cert /data/helm/helm/config/cert.pem --tiller-tls-key /data/helm/helm/config/key.pem
Creating /root/.helm 
Creating /root/.helm/repository 
Creating /root/.helm/repository/cache 
Creating /root/.helm/repository/local 
Creating /root/.helm/plugins 
Creating /root/.helm/starters 
Creating /root/.helm/cache/archive 
Creating /root/.helm/repository/repositories.yaml 
Adding stable repo with URL: https://kubernetes-charts.storage.googleapis.com 
Error: Looks like "https://kubernetes-charts.storage.googleapis.com" is not a valid chart repository or cannot be reached: Get https://kubernetes-charts.storage.googleapis.com/index.yaml: x509: certificate is valid for *.tdebv.nl, not kubernetes-charts.storage.googleapis.com

What might be the issue here? Screenshot below is the error Gitlab is giving me (not much information either).

enter image description here

-- Jordi Kroon
gitlab
kubernetes
kubernetes-helm

Similar Questions

Ingress controller nginx exclude IP from basic_auth
Is it ok that Flanneld is listening on public interface udp port 8472?
Kubernetes communication between pods using REST
Accessing service using istio ingress gives 503 error when mTLS is enabled
Cannot access Private AKS cluster from Local Machine (on home network) connected to Azure VPN
How do i change Kubernetes DiskPressure status from true to false?
Kubernetes service IP confusion

3 Answers

5/15/2020

I experienced the same issue on Kubernetes with the Calico network stack under Debian Buster.

Checking a lot of configs and parameters, I ended up with getting it to work by changing the policy for the forward rule to ACCEPT. This made it clear that the issue is somewhere around the firewall.

Running iptables -L gave me the following unveiling warning: # Warning: iptables-legacy tables present, use iptables-legacy to see them

The output given by the list command does not contain any Calico rules. Running iptables-legacy -L showed me the Calico rules, so it seems obvious now why it didn't work. So Calico seems to use the legacy interface.

The issue is the change in Debian to iptables-nft in the alternatives, you can check via:

ls -l /etc/alternatives | grep iptables

Doing the following:

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set arptables /usr/sbin/arptables-legacy
update-alternatives --set ebtables /usr/sbin/ebtables-legacy

Now it works all fine! Thanks to Long at the Kubernetes Slack channel for pointing the route to solving it.

-- calloc_org
Source: StackOverflow
6/5/2019

After having the same issue I finally found the solution for it:

In the /etc/resolv.conf file on your Master and Worker nodes you have to search and remove the search XYZ.com entry.

If you are using Jelastic you have to remove this entry every time after a restart. It gets added by Jelastic automatically. I already contacted them so maybe they will fix it soon.

-- Fabio Widmer
Source: StackOverflow
10/4/2019

Creating "~/.helm/repository/repositories.yaml" with the following content solved the problem.

cat << EOF >> ~/.helm/repository/repositories.yaml
apiVersion: v1
repositories:
- caFile: ""
  cache: ~/.helm/repository/cache/stable-index.yaml
  certFile: ""
  keyFile: ""
  name: stable
  password: ""
  url: https://kubernetes-charts.storage.googleapis.com
  username: ""
- caFile: ""
  cache: ~/.helm/repository/cache/local-index.yaml
  certFile: ""
  keyFile: ""
  name: local
  password: ""
  url: http://127.0.0.1:8879/charts
  username: ""
EOF

#helm init
-- Madhu Kiran Seelam
Source: StackOverflow