将 Google 云服务帐户文件传递给 traefik

Question

As per https://docs.traefik.io/configuration/acme/

I've created a secret like so:

kubectl --namespace=gitlab-managed-apps create secret generic traefik-credentials \\ --from-literal=GCE_PROJECT=<id> \\ --from-file=GCE_SERVICE_ACCOUNT_FILE=key.json \\

And passed it to the helm chart by using: --set acme.dnsProvider.$name=traefik-credentials

However I am still getting the following error:

{"level":"error","msg":"Unable to obtain ACME certificate for domains \"traefik.my.domain.com\" detected thanks to rule \"Host:traefik.my.domain.com\" : cannot get ACME client googlecloud: Service Account file missing","time":"2019-01-14T21:44:17Z"}

Answer 1

I don't know why/if traefik uses GCE_SERVICE_ACCOUNT_FILE variable. All Google tooling and 3rd party integrations use GOOGLE_APPLICATION_CREDENTIALS environment variable for that purpose (and all Google API clients automatically pick up this variable). So looks like traefik might have done a poor decision here calling it something else.

I recommend you look at the Pod spec of the traefik pod (fields volumes and volumeMounts to see if the Secret is mounted to the pod correctly).

If you follow this tutorial https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform you can learn how to mount IAM Service accounts to any Pod. So maybe you can combine this with the Helm chart itself and figure out what you need to do to make this work.