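I'm porting a Django management command to a new [private] GKE cluster that has been configured with service accounts and workload identity. This command uses the Kubernetes API to change settings on the cluster autoscalers.
It looks like the API connection needs a token and a cert. These are bundled together to create the configuration;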
    import kubernetes.client

    configuration = kubernetes.client.Configuration()
    # Send the service account token as a Bearer credential
    configuration.api_key["authorization"] = token
    configuration.api_key_prefix["authorization"] = "Bearer"
    configuration.host = server
    # Path to the CA bundle used to verify the API server's certificate
    configuration.ssl_ca_cert = cert
    api = kubernetes.client.AutoscalingV1Api(
        kubernetes.client.ApiClient(configuration)
    )
The existing project that I'm porting this command from uses default values for the token and the cert, which are defined as;
    parser.add_argument(
        "--cert",
        action="store",
        dest="cert",
        default="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
        help="File containing valid certificate to make request",
    )
    parser.add_argument(
        "--token",
        action="store",
        dest="token",
        type=argparse.FileType("r"),
        default="/var/run/secrets/kubernetes.io/serviceaccount/token",
        help="File containing token to make request",
    )
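I've noticed that GKE doesn't add these by default. Looking at a pod of the existing project, I can see that /var/run/secrets doesn't exist.
The error I'm seeing comes from trying to run this command, and it points at the missing cert;

    HTTPSConnectionPool(host='10.255.240.1', port=443): Max retries exceeded with url: /apis/autoscaling/v1/namespaces/staging/horizontalpodautoscalers/draft-nginx (Caused by SSLError(FileNotFoundError(2, 'No such file or directory')))

I've found the Google docs on how to mount a token. So that's in my helm template, and I've verified the token in the pod;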
              containers:
                - name: scale-workloads
                  image: {{ .Values.gke_registry }}/base_python:{{ .Values.global.build }}
                  imagePullPolicy: Always
                  command:
                    - python
                    - -m
                    - django
                  args:
                    - scale_workloads
                    - --namespace={{ .Release.Namespace }}
                    - --appserver={{ .Values.pods.appserver.minReplicas | default 1 }}
                    - --nginx={{ .Values.pods.nginx.minReplicas | default 1 }}
                  env:
                    {{- include "proj.sharedEnv" $ | nindent 16 }}
                    - name: DJANGO_SETTINGS_MODULE
                      value: {{ .Values.django_settings_module }}
                  resources:
                    requests:
                      cpu: 1000m
                      memory: 500Mi
                  volumeMounts:
                    - mountPath: /etc/config
                      name: configs
                    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
                      name: ksa-token
              volumes:
                - name: configs
                  projected:
                    defaultMode: 420
                    sources:
                      - secret:
                          name: proj-secrets
                - name: ksa-token
                  projected:
                    sources:
                      - serviceAccountToken:
                          path: ksa-token
                          expirationSeconds: 86400
                          audience: some-oidc-audience
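But I can't find any similar docs on mounting the cert that the cluster is, or might be, using.
Running this management command manually, the stack trace shows the following;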
      File "/usr/src/app/drafty/core/management/commands/scale_workloads.py", line 198, in scale_pods
        api.patch_namespaced_horizontal_pod_autoscaler(
      File "/usr/local/lib/python3.11/site-packages/kubernetes/client/api/autoscaling_v1_api.py", line 983, in patch_namespaced_horizontal_pod_autoscaler
        return self.patch_namespaced_horizontal_pod_autoscaler_with_http_info(name, namespace, body, **kwargs)  # noqa: E501
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/kubernetes/client/api/autoscaling_v1_api.py", line 1098, in patch_namespaced_horizontal_pod_autoscaler_with_http_info
        return self.api_client.call_api(
               ^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/kubernetes/client/api_client.py", line 348, in call_api
        return self.__call_api(resource_path, method,
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/kubernetes/client/api_client.py", line 180, in __call_api
        response_data = self.request(
                        ^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/kubernetes/client/api_client.py", line 407, in request
        return self.rest_client.PATCH(url,
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/kubernetes/client/rest.py", line 296, in PATCH
        return self.request("PATCH", url,
               ^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/kubernetes/client/rest.py", line 169, in request
        r = self.pool_manager.request(
            ^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/urllib3/request.py", line 78, in request
        return self.request_encode_body(
               ^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/urllib3/request.py", line 170, in request_encode_body
        return self.urlopen(method, url, **extra_kw)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/urllib3/poolmanager.py", line 376, in urlopen
        response = conn.urlopen(method, u.request_uri, **kw)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 826, in urlopen
        return self.urlopen(
               ^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 826, in urlopen
        return self.urlopen(
               ^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 826, in urlopen
        return self.urlopen(
               ^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 798, in urlopen
        retries = retries.increment(
                  ^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/urllib3/util/retry.py", line 592, in increment
        raise MaxRetryError(_pool, url, error or ResponseError(cause))
    urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='10.255.240.1', port=443): Max retries exceeded with url: /apis/autoscaling/v1/namespaces/staging/horizontalpodautoscalers/draft-nginx (Caused by SSLError(FileNotFoundError(2, 'No such file or directory')))
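
A preflight check for the two files the command's `--token` and `--cert` defaults point at, as an added example that is not part of the original post: it reports which expected file is absent and what the mounted directory actually contains, so the command stops with a clear message while TLS verification stays on. The names `check_sa_credentials`, `CredentialError` and `demo`, and the sample directories (one mimicking a volume that projects only `path: ksa-token`, as in the manifest above), are assumptions constructed for illustration.

```python
import os
import tempfile

# Path taken from the --cert/--token defaults in the question.
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"

class CredentialError(RuntimeError):
    """Raised when the service account files are unusable (hypothetical name)."""

def check_sa_credentials(sa_dir=SA_DIR, token_name="token", ca_name="ca.crt"):
    """Return (token, ca_path); raise CredentialError naming what is missing."""
    if not os.path.isdir(sa_dir):
        raise CredentialError(f"{sa_dir} is not mounted")
    # Projected volumes add "..data"-style bookkeeping entries; hide them.
    present = sorted(n for n in os.listdir(sa_dir) if not n.startswith(".."))
    contents, problems = {}, []
    for name in (token_name, ca_name):
        path = os.path.join(sa_dir, name)
        if os.path.isfile(path):
            with open(path) as fh:
                contents[name] = fh.read().strip()
        else:
            problems.append(f"{name} not found")
    if contents.get(token_name) == "":
        problems.append(f"{token_name} is empty")
    if ca_name in contents and "-----BEGIN CERTIFICATE-----" not in contents[ca_name]:
        problems.append(f"{ca_name} is not a PEM certificate")
    if problems:
        raise CredentialError(f"{'; '.join(problems)} (files present: {present})")
    return contents[token_name], os.path.join(sa_dir, ca_name)

def demo():
    """Run the check on two constructed directories; return the outcomes."""
    pem = "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as root:
        # Constructed: "projected" mimics a volume with only `path: ksa-token`.
        layouts = {"projected": {"ksa-token": "constructed-token"},
                   "complete": {"token": "constructed-token\n", "ca.crt": pem}}
        for name, files in layouts.items():
            os.mkdir(os.path.join(root, name))
            for fname, text in files.items():
                with open(os.path.join(root, name, fname), "w") as fh:
                    fh.write(text)
        try:
            failure = check_sa_credentials(os.path.join(root, "projected"))
        except CredentialError as exc:
            failure = str(exc)
        token, ca_path = check_sa_credentials(os.path.join(root, "complete"))
        return failure, token, os.path.basename(ca_path)
```

Calling `check_sa_credentials()` before building `kubernetes.client.Configuration()` turns the `SSLError(FileNotFoundError(...))` seen above into a message that names the missing file.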