[Question title]: Installing ingress-nginx via Helm - error retrieving secret
[Posted]: 2021-11-05 20:03:45
[Question description]:

We are trying to install the ingress-nginx controller onto an Azure Kubernetes Service (AKS) cluster, following the steps in the Azure documentation.

Kubernetes version: 1.21.1, chart version: 3.36.

The commands we are using:

SET REGISTRY_NAME=
SET ACR_URL=%REGISTRY_NAME%.azurecr.io
SET CONTROLLER_REGISTRY=k8s.gcr.io
SET CONTROLLER_IMAGE=ingress-nginx/controller
SET CONTROLLER_TAG=v0.48.1
SET PATCH_REGISTRY=docker.io
SET PATCH_IMAGE=jettech/kube-webhook-certgen
SET PATCH_TAG=v1.5.1
SET DEFAULTBACKEND_REGISTRY=k8s.gcr.io
SET DEFAULTBACKEND_IMAGE=defaultbackend-amd64
SET DEFAULTBACKEND_TAG=1.5

SET NAMESPACE=ingress-basic

kubectl create namespace %NAMESPACE%
kubectl apply -n %NAMESPACE% -f .\limitRanges.yaml

helm install nginx-ingress ingress-nginx/ingress-nginx ^
    --namespace %NAMESPACE% ^
    --version 3.36.0 ^
    --set controller.replicaCount=2 ^
    --set controller.nodeSelector."kubernetes\.io/os"=linux ^
    --set controller.image.registry=%ACR_URL% ^
    --set controller.image.image=%CONTROLLER_IMAGE% ^
    --set controller.image.tag=%CONTROLLER_TAG% ^
    --set controller.image.digest="" ^
    --set controller.admissionWebhooks.patch.nodeSelector."kubernetes\.io/os"=linux ^
    --set controller.admissionWebhooks.patch.image.registry=%ACR_URL% ^
    --set controller.admissionWebhooks.patch.image.image=%PATCH_IMAGE% ^
    --set controller.admissionWebhooks.patch.image.tag=%PATCH_TAG% ^
    --set controller.admissionWebhooks.patch.image.digest="" ^
    --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux ^
    --set defaultBackend.image.registry=%ACR_URL% ^
    --set defaultBackend.image.image=%DEFAULTBACKEND_IMAGE% ^
    --set defaultBackend.image.tag=%DEFAULTBACKEND_TAG% ^
    --set defaultBackend.image.digest="" ^
    -f internal-load-balancer.yaml ^
    --debug 

When run, the output is:

install.go:173: [debug] Original chart version: "3.36.0"
install.go:190: [debug] CHART PATH: C:\Users\......\AppData\Local\Temp\helm\repository\ingress-nginx-3.36.0.tgz

client.go:290: [debug] Starting delete for "nginx-ingress-ingress-nginx-admission" ServiceAccount
client.go:319: [debug] serviceaccounts "nginx-ingress-ingress-nginx-admission" not found
client.go:128: [debug] creating 1 resource(s)
client.go:290: [debug] Starting delete for "nginx-ingress-ingress-nginx-admission" ClusterRole
client.go:128: [debug] creating 1 resource(s)
client.go:290: [debug] Starting delete for "nginx-ingress-ingress-nginx-admission" ClusterRoleBinding
client.go:128: [debug] creating 1 resource(s)
client.go:290: [debug] Starting delete for "nginx-ingress-ingress-nginx-admission" Role
client.go:319: [debug] roles.rbac.authorization.k8s.io "nginx-ingress-ingress-nginx-admission" not found
client.go:128: [debug] creating 1 resource(s)
client.go:290: [debug] Starting delete for "nginx-ingress-ingress-nginx-admission" RoleBinding
client.go:319: [debug] rolebindings.rbac.authorization.k8s.io "nginx-ingress-ingress-nginx-admission" not found
client.go:128: [debug] creating 1 resource(s)
client.go:290: [debug] Starting delete for "nginx-ingress-ingress-nginx-admission-create" Job
client.go:319: [debug] jobs.batch "nginx-ingress-ingress-nginx-admission-create" not found
client.go:128: [debug] creating 1 resource(s)
client.go:519: [debug] Watching for changes to Job nginx-ingress-ingress-nginx-admission-create with timeout of 5m0s
client.go:547: [debug] Add/Modify event for nginx-ingress-ingress-nginx-admission-create: ADDED
client.go:586: [debug] nginx-ingress-ingress-nginx-admission-create: Jobs active: 0, jobs failed: 0, jobs succeeded: 0
client.go:547: [debug] Add/Modify event for nginx-ingress-ingress-nginx-admission-create: MODIFIED
client.go:586: [debug] nginx-ingress-ingress-nginx-admission-create: Jobs active: 1, jobs failed: 0, jobs succeeded: 0

If I look at the pod logs for the job nginx-ingress-ingress-nginx-admission-create, I see the following:

W0909 06:34:24.393154       1 client_config.go:608] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
{"err":"an error on the server (\"\") has prevented the request from succeeding (get secrets nginx-ingress-ingress-nginx-admission)","level":"fatal","msg":"error getting secret","source":"k8s/k8s.go:109","time":"2021-09-09T06:34:34Z"}

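I'm a bit lost as to where to look for more information. I can see that the error appears to be related to getting a secret, and I can't see that secret in the output of kubectl get secrets -A. I'm assuming the \"\" part is supposed to be the error message, but it isn't helping.

I have been able to install this chart successfully on a brand new, throwaway cluster. My guess is that this is an RBAC or permissions-type issue, but without any further information on where to look, I'm out of ideas.

[Question discussion]:

    Tags: kubernetes kubernetes-helm azure-aks nginx-ingress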


    [Solution 1]:

    You need to quote the values. I would also suggest simplifying the code, because all the values are set by default in the Helm chart of ingress-nginx:

    SET NAMESPACE=ingress-basic
    
    kubectl create namespace %NAMESPACE%
    kubectl apply -n %NAMESPACE% -f .\limitRanges.yaml
    
    helm install nginx-ingress ingress-nginx/ingress-nginx ^
        --namespace %NAMESPACE% ^
        --version "4.0.1" ^
        --set controller.replicaCount="2" ^
        -f internal-load-balancer.yaml ^
        --debug
    

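    [Discussion]:

    • Thanks for the feedback, @Philip Welz. I have adjusted the command as you suggested (double-checking the values). I still need the .image.registry values, as we are using a private registry rather than the default. I'm now seeing a slightly different error message in the container logs: {"err":"Get \"https://10.16.0.1:443/api/v1/namespaces/ingress-basic/secrets/nginx-ingress-ingress-nginx-admission\": EOF","level":"fatal","msg":"error getting secret","source":"k8s/k8s.go:110","time":"2021-09-10T00:06:42Z"}
    • What does limitRanges.yaml do? You can also check whether the secret exists -> kubectl -n ingress-basic get secret nginx-ingress-ingress-nginx-admission
    • limitRanges.yaml sets some default/min/max CPU and memory limits. Our cluster enforces that limits are always specified on every item, so without these the job does not get scheduled at all. I have checked for the secret, and it doesn't exist. I only have a default-token-xxxxx, a nginx-ingress-ingress-nginx-admission-token-xxxxx and a sh.helm.release.... secret.
    • I would suggest moving all the settings to values.yaml and running -> helm upgrade -i ingress-nginx ingress-nginx/ingress-nginx --namespace %NAMESPACE% -f values.yaml -f internal-load-balancer.yaml
    • Thanks for the tip, @Philip Welz. I have made those changes, but I still can't get the admission create job to work.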
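
Added example (not part of the original thread, and not code from ingress-nginx or kube-webhook-certgen): a small Python triage of the job's JSON log lines quoted above, separating an RBAC denial from an API-server 5xx and from a dropped connection. The patterns follow the error-message shapes of the Kubernetes Go client; the category names, the hints and the last sample line are constructed for this example.

```python
import json
import re

# Lines 1-3 are copied from this page; line 4 is constructed to show an RBAC denial.
SAMPLE_LOGS = [
    "W0909 06:34:24.393154       1 client_config.go:608] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.",
    r'{"err":"an error on the server (\"\") has prevented the request from succeeding (get secrets nginx-ingress-ingress-nginx-admission)","level":"fatal","msg":"error getting secret","source":"k8s/k8s.go:109","time":"2021-09-09T06:34:34Z"}',
    r'{"err":"Get \"https://10.16.0.1:443/api/v1/namespaces/ingress-basic/secrets/nginx-ingress-ingress-nginx-admission\": EOF","level":"fatal","msg":"error getting secret","source":"k8s/k8s.go:110","time":"2021-09-10T00:06:42Z"}',
    r'{"err":"secrets \"nginx-ingress-ingress-nginx-admission\" is forbidden: User \"system:serviceaccount:ingress-basic:nginx-ingress-ingress-nginx-admission\" cannot get resource \"secrets\" in API group \"\" in the namespace \"ingress-basic\"","level":"fatal","msg":"error getting secret"}',
]

# (pattern on the "err" field, category, next check); names are this example's own.
RULES = [
    (re.compile(r"is forbidden: User "), "rbac-denied",
     "HTTP 403: review the Role/RoleBinding bound to the job's ServiceAccount"),
    (re.compile(r"an error on the server \("), "apiserver-5xx",
     "HTTP 5xx with an empty message, not a 403: look at the API server or anything proxying it"),
    (re.compile(r": EOF$"), "connection-closed",
     "connection closed before any HTTP response: check the network path from the pod to the API server"),
    (re.compile(r"connection refused|i/o timeout|no such host"), "network-unreachable",
     "the pod cannot reach the API server address at all"),
]


def triage(line):
    """Return (category, hint) for a fatal JSON log line, or None for any other line."""
    line = line.strip()
    if not line.startswith("{"):
        return None  # klog-style warnings such as the W0909 line are not JSON
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    if record.get("level") != "fatal":
        return None
    err = record.get("err", "")
    for pattern, category, hint in RULES:
        if pattern.search(err):
            return category, hint
    return "unknown", "unrecognised error text: read the err field directly"


if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        print(triage(sample))
```
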