Argo x509:无法验证127.0.0.1的证书，因为它不包含任何IP错误

Question

我按照指南k8在托管这里服务上安装了Argo。

当我启动以下示例任务时，我会得到一个错误(如果安装了argo，您应该能够复制下面的代码)：

# create a.yml
cat >> a.yml<<EOL
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: hello-world-  # Name of this Workflow
spec:
  entrypoint: whalesay        # Defines "whalesay" as the "main" template
  templates:
  - name: whalesay            # Defining the "whalesay" template
    container:
      image: docker/whalesay
      command: [cowsay]
      args: ["hello world"]   # This template runs "cowsay" in the "whalesay" image with arguments "hello world"

EOL

# submit a.yml
argo --insecure-skip-tls-verify --insecure-skip-verify -n argo submit a.yml

# monitor
$ argo list
# NAME                         STATUS      AGE   DURATION   PRIORITY
# hello-world-hxrcp            Succeeded   4m    10s        0

 argo watch --insecure-skip-tls-verify --insecure-skip-verify -v -n argo hello-world-hxrcp
# DEBU[2021-06-09T19:37:22.125Z] CLI version                                   version="{v3.0.7 2021-05-25T18:57:09Z e79e7ccda747fa4487bf889142c744457c26e9f7 v3.0.7 clean go1.16.3 gc linux/amd64}"
# DEBU[2021-06-09T19:37:22.125Z] Client options                                opts="(argoServerOpts=(url=127.0.0.1:2746,path=,secure=true,insecureSkipVerify=true,http=true),instanceID=)"
# DEBU[2021-06-09T19:37:22.125Z] curl -H 'Accept: text/event-stream' -H 'Authorization: ******' 'https://127.0.0.1:2746/api/v1/workflow-events/argo?listOptions.fieldSelector=metadata.name%3Dhello-world-hxrcp&listOptions.resourceVersion=0' 
# FATA[2021-06-09T19:37:22.536Z] Get "https://127.0.0.1:2746/api/v1/workflow-events/argo?listOptions.fieldSelector=metadata.name%3Dhello-world-hxrcp&listOptions.resourceVersion=0": x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs 

为什么我会看到这个错误？

安装过程如下：

kubectl create namespace argo
kubectl apply -n argo -f https://raw.githubusercontent.com/argoproj/argo-workflows/stable/manifests/install.yaml

CLI (摘自最新版本)

# Download the binary
curl -sLO https://github.com/argoproj/argo/releases/download/v3.0.7/argo-linux-amd64.gz

# Unzip
gunzip argo-linux-amd64.gz

# Make binary executable
chmod +x argo-linux-amd64

# Move binary to path
sudo mv ./argo-linux-amd64 /usr/local/bin/argo

# Test installation
argo version

# link with server
# recommended on user panel in interface
cat >> ~/.bashrc <<EOL
export ARGO_SERVER='127.0.0.1:2746' 
export ARGO_HTTP1=true  
export ARGO_SECURE=true
export ARGO_BASE_HREF=
export ARGO_TOKEN='' 
export ARGO_NAMESPACE=argo
export ARGO_INSECURE_SKIP_VERIFY=true
EOL

# check it works: 
argo list

Answer 1

嘿，我在设置argo头盔图的时候碰到了这个问题。问题是，您必须使用ARGO_KUBELET_INSECURE env禁用对执行器(执行工作流的东西)的tls验证。这里是docs https://argoproj.github.io/argo-workflows/environment-variables/#executor

对不起，我没有您所需的设置所需的确切代码更改，但我相信，既然您已经知道了问题所在，那么您肯定可以解决这个问题)。

下面是我的helm values.yaml文件的样子，以防对其他人有帮助：

server:
  serviceType: LoadBalancer
  extraArgs:
  - --auth-mode=server

controller:
  containerRuntimeExecutor: k8sapi
executor:
  env:
  - name: ARGO_KUBELET_INSECURE
    value: true