原因
在升配k8s集群后,发现kiali无法登陆,具体为什么因升配k8s集群而导致kiali无法登陆,原因暂不清楚。
大致不能登陆原因如下图:
上图红色字体翻译如下:
The Kiali secret is missing. Users are prohibited from accessing Kiali until an administrator creates a valid secret. Please refer to the Kiali documentation for more details.
kiali的密钥不见了,在管理员创建有效密钥之前,禁止用户访问kiali。请参阅kiali文档以获取更多详细信息。
根据翻译可知是因为kiali的密钥丢失了
排查
查看kiali的secretname
kiali-deployment.yaml
kubectl get deployment kiali -n istio-system -o yaml --export
Flag --export has been deprecated, This flag is deprecated and will be removed in future.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
annotations:
deployment.kubernetes.io/revision: "1"
field.cattle.io/publicEndpoints: '[{"addresses":["47.112.190.16"],"port":80,"protocol":"HTTP","serviceName":"istio-system:kiali","ingressName":"istio-system:kiali","hostname":"kiali.stage.realibox.com","path":"/","allNodes":false}]'
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"labels":{"app":"kiali","install.operator.istio.io/owning-resource":"installed-state","install.operator.istio.io/owning-resource-namespace":"istio-system","istio.io/rev":"default","operator.istio.io/component":"AddonComponents","operator.istio.io/managed":"Reconcile","operator.istio.io/version":"1.7.4","release":"istio"},"name":"kiali","namespace":"istio-system"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"kiali"}},"template":{"metadata":{"annotations":{"kiali.io/runtimes":"go,kiali","prometheus.io/port":"9090","prometheus.io/scrape":"true","sidecar.istio.io/inject":"false"},"labels":{"app":"kiali","release":"istio"},"name":"kiali"},"spec":{"affinity":{"nodeAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"preference":{"matchExpressions":[{"key":"kubernetes.io/arch","operator":"In","values":["amd64"]}]},"weight":2},{"preference":{"matchExpressions":[{"key":"kubernetes.io/arch","operator":"In","values":["ppc64le"]}]},"weight":2},{"preference":{"matchExpressions":[{"key":"kubernetes.io/arch","operator":"In","values":["s390x"]}]},"weight":2}],"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"kubernetes.io/arch","operator":"In","values":["amd64","ppc64le","s390x"]}]}]}}},"containers":[{"command":["/opt/kiali/kiali","-config","/kiali-configuration/config.yaml","-v","3"],"env":[{"name":"ACTIVE_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}}],"image":"quay.io/kiali/kiali:v1.22","livenessProbe":{"httpGet":{"path":"/kiali/healthz","port":20001,"scheme":"HTTP"},"initialDelaySeconds":5,"periodSeconds":30},"name":"kiali","readinessProbe":{"httpGet":{"path":"/kiali/healthz","port":20001,"scheme":"HTTP"},"initialDelaySeconds":5,"periodSeconds":30},"resources":{"requests":{"cpu":"10m"}},"volumeMounts":[{"mountPath":"/kiali-configuration","name":"kiali-configuration"},{"mountPath":"/kiali-cert","name":"kiali-cert"},{"mountPath":"/kiali-secret","name":"kiali-secret"}]}],"serviceAccountName":"kiali-service-account","volumes":[{"configMap":{"name":"kiali"},"name":"kiali-configuration"},{"name":"kiali-cert","secret":{"optional":true,"secretName":"istio.kiali-service-account"}},{"name":"kiali-secret","secret":{"optional":true,"secretName":"kiali"}}]}}}}
creationTimestamp: null
generation: 1
labels:
app: kiali
install.operator.istio.io/owning-resource: installed-state
install.operator.istio.io/owning-resource-namespace: istio-system
istio.io/rev: default
operator.istio.io/component: AddonComponents
operator.istio.io/managed: Reconcile
operator.istio.io/version: 1.7.4
release: istio
name: kiali
selfLink: /apis/extensions/v1beta1/namespaces/istio-system/deployments/kiali
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: kiali
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
annotations:
kiali.io/runtimes: go,kiali
prometheus.io/port: "9090"
prometheus.io/scrape: "true"
sidecar.istio.io/inject: "false"
creationTimestamp: null
labels:
app: kiali
release: istio
name: kiali
spec:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
weight: 2
- preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- ppc64le
weight: 2
- preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- s390x
weight: 2
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
- ppc64le
- s390x
containers:
- command:
- /opt/kiali/kiali
- -config
- /kiali-configuration/config.yaml
- -v
- "3"
env:
- name: ACTIVE_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
image: quay.io/kiali/kiali:v1.22
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /kiali/healthz
port: 20001
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 1
name: kiali
readinessProbe:
failureThreshold: 3
httpGet:
path: /kiali/healthz
port: 20001
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 10m
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /kiali-configuration
name: kiali-configuration
- mountPath: /kiali-cert
name: kiali-cert
- mountPath: /kiali-secret
name: kiali-secret
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: kiali-service-account
serviceAccountName: kiali-service-account
terminationGracePeriodSeconds: 30
volumes:
- configMap:
defaultMode: 420
name: kiali
name: kiali-configuration
- name: kiali-cert
secret:
defaultMode: 420
optional: true
secretName: istio.kiali-service-account
- name: kiali-secret
secret:
defaultMode: 420
optional: true
secretName: kiali
status: {}
有关密钥的地方
- name: kiali-secret
secret:
defaultMode: 420
optional: true
secretName: kiali
查找密钥
kubectl get secret -n istio-system | grep kiali
无
解决
创建密钥
apiVersion: v1
kind: Secret
metadata:
name: kiali
namespace: istio-system
data:
## echo -n admin | base64
#YWRtaW4=
username: YWRtaW4=
passphrase: YWRtaW4=
删除旧kiali pod 恢复
