Cloud Storage can't manage files in production, oauth2: cannot fetch token
Question
I'm uploading my Go project to GKE as a scratch image, following this tutorial to deliver my service account key using a secret. My deployment is exposed by an Ingress and Google generates a trusted SSL certificate for the application endpoint. The key has the Storage Object Admin role.
On my computer the service account key works but on GKE it throws the following error and I can't upload or download files.
# UPLOAD
Post "https://storage.googleapis.com/upload/storage/v1/b/1.0.0.0/o?alt=json&name=cloud%2Ftest%-e7c7-4e9a--9a75d&prettyPrint=false&projection=full&uploadType=multipart": oauth2: cannot fetch token: Post "https://oauth2.googleapis.com/token": x509: certificate signed by unknown authority
# DOWNLOAD
Get "https://storage.googleapis.com/1.0.0.0/folder/test/4e882f59.png": oauth2: cannot fetch token: Post "https://oauth2.googleapis.com/token": x509: certificate signed by unknown authority
I also read this post; the error seems to be similar, but it didn't work either using an alpine image and installing ca-certificates.
Answer 1
Score: 0
SOLUTION
I was missing the update-ca-certificates command. Here is my Dockerfile in case it helps someone.
RUN apk add --no-cache ca-certificates && update-ca-certificates
Full Dockerfile
# BUILD STAGE
FROM golang:1.18.5-alpine3.16 as build
ENV CGO_ENABLED=0 \
    GOOS=linux \
    GOARCH=amd64
WORKDIR /go/src/ms-gcp
COPY . .
RUN go build cmd/ms-gcp/main.go
# PROD STAGE
FROM alpine:3.15.6
# CERT PACKAGES
RUN apk add --no-cache ca-certificates && update-ca-certificates
# TIME ZONE FOR CHILE-SANTIAGO
RUN apk update
RUN apk add tzdata
RUN cp /usr/share/zoneinfo/Chile/Continental /etc/localtime
ENV TZ=America/Santiago
RUN echo "America/Santiago" > /etc/timezone
# GLIBC
RUN apk --no-cache add ca-certificates wget && \
    wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub && \
    wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.35-r0/glibc-2.35-r0.apk && \
    wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.35-r0/glibc-bin-2.35-r0.apk && \
    wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.35-r0/glibc-i18n-2.35-r0.apk && \
    apk add glibc-bin-2.35-r0.apk glibc-i18n-2.35-r0.apk glibc-2.35-r0.apk
COPY ./locale.md /locale.md
RUN cat locale.md | xargs -i /usr/glibc-compat/bin/localedef -i {} -f UTF-8 {}.UTF-8
ENV LANG=cl_ES.UTF-8 \
    LANGUAGE=cl_ES.UTF-8
COPY --from=build /go/src/ms-gcp/main .
CMD ["./main"]