aws-samples / aws-secret-sidecar-injector
Kubernetes mutating webhook to fetch secrets from AWS Secrets Manager
License: MIT No Attribution
Hi there!
I'm following instructions but getting only webserver container in my webserver-78578795c6-6l2mx pod.
No init container is present there.
In my secret-inject-87fd4b8bb-v6jvp pod logs I see http: TLS handshake error from 192.168.183.197:43904: remote error: tls: bad certificate exception on each webserver deploy attempt.
Any ideas how to debug / fix it?
Can this also inject parameters from system manager's paramstore?
Thanks.
Hi, I did a fresh installation this morning.
Getting this error "Error creating: Internal error occurred: add operation does not apply: doc is missing path: "/spec/initContainers/0": missing value"
2021-03-23T06:43:46.195271227Z I0323 06:43:46.195153 1 pods.go:159] [
2021-03-23T06:43:46.195285338Z {"op":"add","path":"/spec/initContainers/0","value":{"image":"docker.io/amazon/aws-secrets-manager-secret-sidecar:v0.1.4","name":"secrets-init-container","imagePullPolicy": "Always","volumeMounts":[{"name":"secret-vol","mountPath":"/tmp"}],"env":[{"name": "SECRET_ARN","valueFrom": {"fieldRef": {"fieldPath": "metadata.annotations['secrets.k8s.aws/secret-arn']"}}}],"resources":{}}},{"op":"add","path":"/spec/volumes/-","value":{"emptyDir": {"medium": "Memory"},"name": "secret-vol"}},{"op": "add","path": "/spec/containers/0/volumeMounts/-","value": {"mountPath": "/tmp/","name": "secret-vol"}}]
Hello,
Lastly, the purpose of this Poc is to demonstrate the type of integration that can be achieved between AWS Secrets Manager and Kubernetes. It is not meant to be used in production.
Why is this sample not meant to be used in production?
AWS Secrets Controller PoC: integrating AWS Secrets Manager with Kubernetes
Restarting a pod that retrieves a secret from Secrets Manager causes the following error:
Error creating: Internal error occurred: invalid character ',' after top-level value
We're currently investigating the root cause.
Hello,
I ran into an issue when running make install and it goes to set_aws_parameters to set OPERATOR_REGION, SQS_URL, IAM_ARN for sed. Instead of values, they are blank. Is this only on MacOS using default make binary? I have fixed it by avoiding variable definitions in particular action by directly setting:
sed -i .bak "s,OPERATOR_REGION,$(shell aws cloudformation describe-stacks --stack-name EKS-Secrets-Operator-Stack --query "Stacks[0].Outputs[?OutputKey=='Region'].OutputValue" --output text),g" config/manager/manager.yaml
and so on.
AWS Secrets Manager has a caching library which updates the cache periodically, ensuring your applications use the most up to date secret value without polling. If you run the init container as a sidecar and make use of this library it may eliminate the need for an operator that recycles the pod when a secret is rotated. The downside is that it will require you to run a sidecar (increases the resource requirements) and your application will have to be written to re-read the password from disk when the secret is rotated.
It'd be really useful to have the ability to inject secrets as env vars as an alternative to mounting them in a file.
I'm fully aware that using env vars for secrets is a terrible security practice and leaves secrets exposed and people should NOT do this. However the reality is that sometimes we have to deal with things written by other people - helm charts, legacy applications etc and in some cases these expect the secrets to be set as env vars and provide no alternative way to configure them.
I'm currently dealing with a bunch of applications written in a variety of different languages that all expect their secrets in environment variables. This means my options are:
Options 1 & 2 won't be possible if I don't own or have access to the code, and if I can change the code, the solution would need to be different depending on the language of the app.
Option 3 is a little better as it could be the same solution in all apps regardless of the app language, however it still involves updating the Dockerfiles etc. for every app.
If secret-inject could set secrets as env vars it could work in all cases, even when using other people's stuff, e.g. public helm charts.
If this is something you'd consider as a feature I'd be happy to attempt a PR to implement this functionality.
If I try to install the latest chart I get an error.
Steps to reproduce:
helm repo add secret-inject https://aws-samples.github.io/aws-secret-sidecar-injector/
helm repo update
helm install secret-inject secret-inject/secret-inject
Error:
Error: YAML parse error on secret-inject/templates/.__helpers.tpl: error converting YAML to JSON: yaml: control characters are not allowed
I'm actually trying to upgrade and previously had 0.1.3 but this version seems to be no longer available.
In fact it seems that only version 0.1.7 exists in the chart repo which throws the error mentioned above.
$helm search repo secret-inject
NAME CHART VERSION APP VERSION DESCRIPTION
secret-inject/secret-inject 0.1.7 1 A Helm chart for installing AWS Secret Controll...
Also the chart version is listed as 0.1.1 here (which is also not available in the chart repo):
https://github.com/aws-samples/aws-secret-sidecar-injector/blob/master/admission-controller/secret-inject/Chart.yaml#L4
Is it possible for mutating webhook to create an environment variable inside the container instead of mounting a volume?
In case a pod definition contains init containers, e.g. for bootstrapping a database prior to the launch, they do not inherit the same injected secrets as the main container does.
It would be nice if aws-secret-sidecar-injector could add the default set of volume mounts to all containers that take part in the pod lifecycle.
I installed helm chart for aws-secret-sidecar-injector following the guide at https://aws.amazon.com/blogs/containers/aws-secrets-controller-poc/
A new deployment with proper annotations is created.
AWS iam_role and policies are properly created.
Kubernetes serviceaccount is created in line with the guide and specified in the deployment spec.
But the deployment pod doesn't have secret mounted at /tmp directory.
When checking logs for pod secret-inject-xxxx-xxx, it has the error as described in title
2021/03/18 10:03:05 http: TLS handshake error from 10.0.20.176:53728: remote error: tls: bad certificate
2021/03/18 10:03:05 http: TLS handshake error from 10.0.20.176:53734: remote error: tls: bad certificate
2021/03/18 10:44:40 http: TLS handshake error from 10.0.20.176:38152: remote error: tls: bad certificate
2021/03/18 10:46:43 http: TLS handshake error from 10.0.10.126:59140: remote error: tls: bad certificate
2021/03/18 10:49:39 http: TLS handshake error from 10.0.10.126:60042: remote error: tls: bad certificate
Pods are coming up but this is creating init container and in the logs of init container we get below error.
WebIdentityError: Failed to retrieve credentials.
caused by Invalid Identity token: No OpenIDConnect provider found in account
Is this something related to misconfiguration, or do we need to set up OIDC in our account?
Thanks
Murali
Hi @jicowan
Just would like to ask if the secret manager rotates its secret, does the pod have to be restarted?
As it is an "init-container", it may not be able to reflect the changes on the fly?
Hi,
I was just wondering, is it currently possible to use secrets as environment variables instead of writing them to /tmp/secret ?
Thanks a lot.
A deployment manifest looks like this
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      annotations:
        secrets.k8s.aws/sidecarInjectorWebhook: enabled
        secrets.k8s.aws/secret-arn: arn:aws:secretsmanager:xxx:000000:secret:sxjxkx-UOBckr
      labels:
        app: nginx
    spec:
      serviceAccountName: aws-eks-secrets-sa
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80
        - containerPort: 443
        volumeMounts:
        - name: tmpconfig
          mountPath: /tmp/config
      initContainers:
      - name: db-init
        image: busybox
        command: ['/bin/sh', '-c']
        args:
        - echo "HELLO WORLD";
But when this manifest is applied and the pod is running, doing kubectl describe pod nginx-deployment-xxxx has no db-init in initContainers list.
There's only secrets-init-container in initContainers list!
Does the admission-controller webhook overwrite all other initContainers !!!
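In JSON Patch (RFC 6902), an add on the list path /spec/initContainers replaces any list already there, while an add on /spec/initContainers/0 fails when the pod has no such list, which matches both the missing db-init above and the "doc is missing path" error reported earlier on this page. The Go code below is an added example, not the project's pods.go: buildPatch, addToList and the two sample pods are hypothetical and constructed, and only the container, volume and annotation values are copied from the patch logged on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// patchOp is one RFC 6902 JSON Patch operation.
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

// pod decodes only the lists the injected patch touches.
type pod struct {
	Spec struct {
		InitContainers []json.RawMessage `json:"initContainers"`
		Volumes        []json.RawMessage `json:"volumes"`
		Containers     []struct {
			VolumeMounts []json.RawMessage `json:"volumeMounts"`
		} `json:"containers"`
	} `json:"spec"`
}

type obj = map[string]interface{}

// addToList inserts item at index ("0" or "-") when the list already has
// entries and creates the list when it is absent or empty. Adding on the list
// path replaces what is there, so it is used only for the empty case; adding
// on an index needs the parent list to exist.
func addToList(listPath, index string, existing int, item interface{}) patchOp {
	if existing == 0 {
		return patchOp{Op: "add", Path: listPath, Value: []interface{}{item}}
	}
	return patchOp{Op: "add", Path: listPath + "/" + index, Value: item}
}

// buildPatch returns the ops that inject the secrets init container, its
// in-memory volume and the mount for the first container.
func buildPatch(podJSON []byte) ([]patchOp, error) {
	var p pod
	if err := json.Unmarshal(podJSON, &p); err != nil {
		return nil, fmt.Errorf("decode pod: %w", err)
	}
	if len(p.Spec.Containers) == 0 {
		return nil, fmt.Errorf("pod has no containers")
	}
	arnRef := obj{"fieldRef": obj{"fieldPath": "metadata.annotations['secrets.k8s.aws/secret-arn']"}}
	initC := obj{ // values copied from the patch logged on this page
		"name":         "secrets-init-container",
		"image":        "docker.io/amazon/aws-secrets-manager-secret-sidecar:v0.1.4",
		"volumeMounts": []obj{{"name": "secret-vol", "mountPath": "/tmp"}},
		"env":          []obj{{"name": "SECRET_ARN", "valueFrom": arnRef}},
	}
	volume := obj{"name": "secret-vol", "emptyDir": obj{"medium": "Memory"}}
	mount := obj{"name": "secret-vol", "mountPath": "/tmp/"}
	s := p.Spec
	return []patchOp{
		addToList("/spec/initContainers", "0", len(s.InitContainers), initC),
		addToList("/spec/volumes", "-", len(s.Volumes), volume),
		addToList("/spec/containers/0/volumeMounts", "-", len(s.Containers[0].VolumeMounts), mount),
	}, nil
}

// Constructed sample pods: one with a db-init init container, one bare.
const podWithInit = `{"spec":{"initContainers":[{"name":"db-init","image":"busybox"}],
 "volumes":[{"name":"tmpconfig"}],
 "containers":[{"name":"nginx","volumeMounts":[{"name":"tmpconfig","mountPath":"/tmp/config"}]}]}}`
const podBare = `{"spec":{"containers":[{"name":"webserver"}]}}`

func main() {
	for _, doc := range []string{podWithInit, podBare} {
		ops, err := buildPatch([]byte(doc))
		if err != nil {
			panic(err)
		}
		out, _ := json.Marshal(ops)
		fmt.Println(string(out))
	}
}
```

For the pod that already has db-init the first op targets /spec/initContainers/0, so db-init shifts to index 1 instead of being dropped; for the bare pod each list is created with a single element.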
I am able to get all the workflow for secrets working within default namespace.
Keeping the secret-inject controller in default namespace, when I try to deploy the controller into another namespace, I get errors.
Error: rendered manifests contain a resource that already exists. Unable to continue with install: MutatingWebhookConfiguration "aws-secret-inject" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-namespace" must equal "chef-ns": current value is "default"
Can I deploy the controllers in multiple namespaces within the same EKS cluster?
How can I access secrets within multiple namespaces?
Create an annotation that allows the user to choose the name of the file to read from to get the value of the secret pulled from AWS Secrets Manager. Update the init container to use that filename instead of defaulting to "secret" or use "secret" as the filename only when the annotation is absent.
I am doing something wrong for creating trust.json.
Could you please give some guidance? I am using default namespace.
$ read -r -d 'default' TRUST_RELATIONSHIP < trust.json
bash: trust.json: No such file or directory
Hello,
I am trying to make use of this. I am able to get the implementation from master to stand up. But I have a couple of questions. Is it possible to have the mount point point to something other than /tmp/secret? Is it possible to mount secret-vol directly in a pod? Also, in a regular Kubernetes secret, each secret value is placed in a file with the key as the name of the file. /tmp/secret is not formatted. I have a container that is looking for secrets à la regular Kubernetes secret format.
The fork at ecrousseau/aws-secret-injector is closer to what we are looking for. But I cannot get it to stand up. First, the webhook name in the chart template webhook.yaml is secret-inject. Deploying that helm chart results in error: Error: MutatingWebhookConfiguration.admissionregistration.k8s.io "secret-inject" is invalid: webhooks[0].name: Invalid value: "secret-inject": should be a domain with at least three segments separated by dots
so I changed the webhook name from secret-inject to secret-inject.aws.amazon.com. The webhook deploys but the deployment fails to create the test pod.
k get deployments.apps
NAME READY UP-TO-DATE AVAILABLE AGE
secret-inject 1/1 1 1 117s
secrets-testing 0/1 0 0 70s
The AWS SecretsManager POC controller works fine. However we ended up getting the secret in the volume mounted at /tmp/secret . Can you please help in deserializing this data from the volume mount so we can read the key value pair?
E.g.: The following secret from SecretsManager got loaded into the volume /tmp/secret through the InitContainer and mutating webhook. Our main container can read this data from /tmp/secret with no issues. However, how can the main container now read this as individual key value pairs and load them into environment variables in the Pod?
{
"database-password": "planet",
"anotherpwd": "anothervalue"
}
Presently, the init container is designed to fetch 1 secret from AWS Secrets Manager, yet some pods may require multiple secrets. The annotation for secretArn should accept an array that the init container can loop through to get multiple secrets. Need to decide whether to mount each secret as a separate volume, write to separate files on the same volume, or create a single file with K/V pairs for each secret.
Hello, I would like to use this utility in a proxy environment and would like to set a proxy in the sidecar container. Can I please get access to the docker file for "aws-secrets-manager-secret-sidecar", or if there is any alternative way to inject proxy as an environment variable, that will do as well. I am using zscaler so may need to bake my CA, so having access to the docker file will be useful.
As much as I can tell, currently we can inject one secret only using secrets.k8s.aws/secret-arn.
Would be nice to inject multiple secrets into a given pod.
Hi Team,
Current code for webserver.yaml is not working.
Confirmed that created secret is accessible using aws command.
➜ aws secretsmanager get-secret-value --secret-id test_secretB --query SecretString --output text
{"username":"user3", "password": "pass3"}
Following is the webserver.yaml code where serviceAccountName set to use default sa.
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    run: webserver
  name: webserver
spec:
  replicas: 1
  selector:
    matchLabels:
      run: webserver
  template:
    metadata:
      annotations:
        secrets.k8s.aws/sidecarInjectorWebhook: enabled
        secrets.k8s.aws/secret-arn: arn:aws:secretsmanager:ap-southeast-1:123456789012:secret:test_secretB-wFblqy
      labels:
        run: webserver
    spec:
      serviceAccountName: default
      containers:
      - image: busybox:1.28
        name: webserver
        command: ['sh', '-c', 'echo $(cat /tmp/secret) && sleep 3600']
➜ kubectl version --short
Client Version: v1.18.4
Server Version: v1.15.11-eks-af3caf
➜ helm ls
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
secret-inject secret 1 2020-08-12 11:42:00.697245 +0800 +08 deployed secret-inject-0.1.2 1
➜ kubectl get mutatingwebhookconfiguration
NAME CREATED AT
aws-secret-inject 2020-08-12T03:42:01Z
➜ k get sa default -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/test_secret
  creationTimestamp: "2020-08-11T08:59:55Z"
  name: default
  namespace: secret
  resourceVersion: "22054368"
  selfLink: /api/v1/namespaces/secret/serviceaccounts/default
  uid: 7e10b31f-47a7-4f0c-8bf1-1c3f5afc79de
secrets:
- name: default-token-d5cwh
➜ kl secret-inject-7b8b67fc48-hk87h -f
2020/08/12 03:43:35 http: TLS handshake error from 10.23.0.60:59350: remote error: tls: bad certificate
2020/08/12 03:44:46 http: TLS handshake error from 10.23.1.233:49986: remote error: tls: bad certificate
2020/08/12 06:14:50 http: TLS handshake error from 10.23.0.60:49230: remote error: tls: bad certificate
^C
➜ kgp webserver-888fc6786-4z7hp -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubernetes.io/psp: eks.privileged
    secrets.k8s.aws/secret-arn: arn:aws:secretsmanager:ap-southeast-1:123456789012:secret:test_secretB-wFblqy
    secrets.k8s.aws/sidecarInjectorWebhook: enabled
  creationTimestamp: "2020-08-12T06:14:50Z"
  generateName: webserver-888fc6786-
  labels:
    pod-template-hash: 888fc6786
    run: webserver
  name: webserver-888fc6786-4z7hp
  namespace: secret
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: webserver-888fc6786
    uid: 81fcc122-e428-49d0-a0ba-71889a875b45
  resourceVersion: "22205783"
  selfLink: /api/v1/namespaces/secret/pods/webserver-888fc6786-4z7hp
  uid: 6087099f-7f9b-4908-a56d-ee3398e657a9
spec:
  containers:
  - command:
    - sh
    - -c
    - echo $(cat /tmp/secret) && sleep 3600
    image: busybox:1.28
    imagePullPolicy: IfNotPresent
    name: webserver
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-d5cwh
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: ip-10-23-7-28.ap-southeast-1.compute.internal
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: default-token-d5cwh
    secret:
      defaultMode: 420
      secretName: default-token-d5cwh
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2020-08-12T06:14:50Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2020-08-12T06:14:52Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2020-08-12T06:14:52Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2020-08-12T06:14:50Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: docker://b47228f01099a63006aba623a2c99966432baca592b51c73f5979124337117b5
    image: busybox:1.28
    imageID: docker-pullable://busybox@sha256:141c253bc4c3fd0a201d32dc1f493bcf3fff003b6df416dea4f41046e0f37d47
    lastState: {}
    name: webserver
    ready: true
    restartCount: 0
    state:
      running:
        startedAt: "2020-08-12T06:14:51Z"
  hostIP: 10.23.7.28
  phase: Running
  podIP: 10.23.6.103
  qosClass: BestEffort
  startTime: "2020-08-12T06:14:50Z"
➜ kl -l run=webserver -f
cat: can't open '/tmp/secret': No such file or directory
^C
Hello.
We deployed the secret-inject into one of our EKS clusters and, even though on the secret inject logs we seem to be pulling secrets correctly, there's no secret saved into /tmp/secret at all. Both the secret exists and the service account is using a valid role (as you can see on the logs, we are getting a valid but empty response on pods.go:157).
I0717 09:53:38.080245 1 main.go:81] handling request: {"kind":"AdmissionReview","apiVersion":"admission.k8s.io/v1beta1","request":{"uid":"5f51ec5e-758a-47d0-9dd4-17156b0b54bb","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"namespace":"default","operation":"CREATE","userInfo":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"b5552644-6aa3-11ea-b53c-0ab35cafaebc","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"webserver-7b56c5866-","creationTimestamp":null,"labels":{"pod-template-hash":"7b56c5866","run":"webserver"},"annotations":{"kubernetes.io/psp":"eks.privileged","secrets.k8s.aws/secret-arn":"arn:aws:secretsmanager:eu-west-2:1234567:secret:foo-EYL7CW","secrets.k8s.aws/sidecarInjectorWebhook":"enabled","sidecar.istio.io/inject":"false"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"webserver-7b56c5866","uid":"ae04dfa2-a7f9-401a-bfb6-50b328229506","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"service-account-token-6ntkj","secret":{"secretName":"service-account-token-6ntkj"}}],"containers":[{"name":"webserver","image":"busybox:1.28","command":["sh","-c","echo $(cat /tmp/secret) \u0026\u0026 sleep 
3600"],"resources":{},"volumeMounts":[{"name":"service-account-token-6ntkj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"IfNotPresent"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"service-account","serviceAccount":"service-account","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{}},"oldObject":null,"dryRun":false,"options":{"kind":"CreateOptions","apiVersion":"meta.k8s.io/v1"}}}
I0717 09:53:38.080460 1 pods.go:157] &AdmissionResponse{UID:,Allowed:true,Result:nil,Patch:*[91 10 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 123 34 111 112 34 58 34 97 100 100 34 44 34 112 97 116 104 34 58 34 47 115 112 101 99 47 105 110 105 116 67 111 110 116 97 105 110 101 114 115 34 44 34 118 97 108 117 101 34 58 91 123 34 105 109 97 103 101 34 58 34 100 111 99 107 101 114 46 105 111 47 97 109 97 122 111 110 47 97 119 115 45 115 101 99 114 101 116 115 45 109 97 110 97 103 101 114 45 115 101 99 114 101 116 45 115 105 100 101 99 97 114 58 118 48 46 49 46 49 34 44 34 110 97 109 101 34 58 34 115 101 99 114 101 116 115 45 105 110 105 116 45 99 111 110 116 97 105 110 101 114 34 44 34 118 111 108 117 109 101 77 111 117 110 116 115 34 58 91 123 34 110 97 109 101 34 58 34 115 101 99 114 101 116 45 118 111 108 34 44 34 109 111 117 110 116 80 97 116 104 34 58 34 47 116 109 112 34 125 93 44 34 101 110 118 34 58 91 123 34 110 97 109 101 34 58 32 34 83 69 67 82 69 84 95 65 82 78 34 44 34 118 97 108 117 101 70 114 111 109 34 58 32 123 34 102 105 101 108 100 82 101 102 34 58 32 123 34 102 105 101 108 100 80 97 116 104 34 58 32 34 109 101 116 97 100 97 116 97 46 97 110 110 111 116 97 116 105 111 110 115 91 39 115 101 99 114 101 116 115 46 107 56 115 46 97 119 115 47 115 101 99 114 101 116 45 97 114 110 39 93 34 125 125 125 93 44 34 114 101 115 111 117 114 99 101 115 34 58 123 125 125 93 125 44 123 34 111 112 34 58 34 97 100 100 34 44 34 112 97 116 104 34 58 34 47 115 112 101 99 47 118 111 108 117 109 101 115 47 45 34 44 34 118 97 108 117 101 34 58 123 34 101 109 112 116 121 68 105 114 34 58 32 123 34 109 101 100 105 117 109 34 58 32 34 77 101 109 111 114 121 34 125 44 34 110 97 109 101 34 58 32 34 115 101 99 114 101 116 45 118 111 108 34 125 125 44 123 34 111 112 34 58 32 34 97 100 100 34 44 34 112 97 116 104 34 58 32 34 47 115 112 101 99 47 99 111 110 116 97 105 110 101 114 115 47 48 47 118 111 108 117 109 101 77 111 117 110 116 115 47 45 34 44 34 118 97 108 117 101 34 
58 32 123 34 109 111 117 110 116 80 97 116 104 34 58 32 34 47 116 109 112 47 34 44 34 110 97 109 101 34 58 32 34 115 101 99 114 101 116 45 118 111 108 34 125 125 93],PatchType:*JSONPatch,AuditAnnotations:map[string]string{},}
The helm chart version that we are using is 0.1.2.
Hope you guys can lend us a hand.
As mentioned in the README.md:
The Kubernetes dynamic admission controller also creates corresponding mountPath /tmp/secret for containers within the pod to access the secret
In my case, my app needs to use a secret file in a specific path in the file system which is not configurable.
Is there any way to change the mount path from /tmp/secret to a configurable path?
Currently, it seems that it's hard coded.
We are looking for a solution that can also work with AWS Parameter Store. Is this a feature you guys can add, and if its not something you're planning on looking into in the short-term, I'd be happy with some direction as to what can be modified so we can use this with AWS Param Store
Thanks
Hi,
I am not able to locate or fetch the environment variable which is mounted in the /tmp/secret path.
/tmp/secret will contain the key/value pair.
e.g.:
{"username":"admin","password":"P@$$word1024","engine":"mysql","host":"database-1.cluster.us-east-1.rds.amazonaws.com","port":3306,"dbClusterIdentifier":"database-1"}
But I want to pass these values to the Kubernetes environment,
something like this:
env:
  - name: DATABASE_URL
    valueFrom:
      secretKeyRef:
        name: database-credentials
        key: DATABASE_URL
or
env:
  - name: DATABASE_URL
    value: /tmp/secret
..
As the /tmp/secret file contains the key value pair in it, I am unable to fetch it to the k8s-envi file.
If you know any possible cases please do let me know...
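For the question above, and the earlier one about the database-password secret, one way an image's entrypoint could turn the JSON at /tmp/secret into environment variables is a small wrapper that parses the file and then execs the real command. This Go program is an added example, not code from the project or from either poster; the wrapper name secret-env and the key-to-name mapping (upper-case, other characters replaced by underscores) are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"os"
	"os/exec"
	"sort"
	"strings"
	"syscall"
)

// envName maps a secret key such as "database-password" to DATABASE_PASSWORD.
// The mapping is an assumption of this example, not a project convention.
func envName(key string) string {
	var b strings.Builder
	for i, r := range strings.ToUpper(key) {
		isDigit := r >= '0' && r <= '9'
		if i == 0 && isDigit {
			b.WriteByte('_') // variable names must not start with a digit
		}
		if isDigit || (r >= 'A' && r <= 'Z') {
			b.WriteRune(r)
		} else {
			b.WriteByte('_')
		}
	}
	return b.String()
}

// envFromSecret converts the flat JSON object written by the init container
// into sorted NAME=value entries. Error text names keys only, never values.
func envFromSecret(raw []byte) ([]string, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber() // keep a port such as 3306 exactly as written
	var kv map[string]interface{}
	if err := dec.Decode(&kv); err != nil {
		return nil, fmt.Errorf("secret is not a flat JSON object")
	}
	seen := map[string]bool{}
	env := []string{}
	for k, v := range kv {
		name := envName(k)
		if name == "" || seen[name] {
			return nil, fmt.Errorf("key %q maps to unusable or duplicate name %q", k, name)
		}
		seen[name] = true
		switch v.(type) {
		case string, json.Number, bool:
			env = append(env, fmt.Sprintf("%s=%v", name, v))
		default:
			return nil, fmt.Errorf("key %q: nested or null value not supported", k)
		}
	}
	sort.Strings(env)
	return env, nil
}

// main replaces this process with the given command, so the secret values
// exist only in that command's environment and in the tmpfs file.
func main() {
	raw, err := os.ReadFile("/tmp/secret")
	if err != nil || len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: secret-env command [args...];", err)
		os.Exit(2)
	}
	env, err := envFromSecret(raw)
	if err == nil {
		var bin string
		if bin, err = exec.LookPath(os.Args[1]); err == nil {
			err = syscall.Exec(bin, os.Args[1:], append(os.Environ(), env...))
		}
	}
	fmt.Fprintln(os.Stderr, "secret-env:", err)
	os.Exit(1)
}
```

Keys that collide after mapping (for example a-b and a_b) are rejected rather than silently overwritten.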
In order to get an easier deployment, it will be awesome if the chart secret-inject/secret-inject will contain also the ability to create a serviceAccount with OIDC like aws-efs-csi-driver chart has:
In addition, it will be great to have also some guidelines of how to create a serviceAccount, the IAM policy, the role trust under the README.md instead of this article. This can improve the quickstart
Hi
I installed this with helm on an EKS cluster (1.16) and when I spin up a pod with the annotation to get the sidecar injected, they don't get the sidecar.
In the secret-inject logs I see the following errors:
secret-inject-6bb9fb7bc4-8mmq8 secret-inject-init 2020/08/03 17:23:50 http: TLS handshake error from 10.10.201.141:36620: remote error: tls: bad certificate
secret-inject-6bb9fb7bc4-k76p9 secret-inject-init 2020/08/03 17:23:55 http: TLS handshake error from 10.10.201.141:38418: remote error: tls: bad certificate
secret-inject-6bb9fb7bc4-qs989 secret-inject-init 2020/08/03 17:24:07 http: TLS handshake error from 10.10.201.141:56584: remote error: tls: bad certificate
I'm sure I'm missing something simple here but any help would be greatly appreciated!
Thanks!