Google Cloud Kubernetes Deployment Target

I’m trying to create a Kubernetes Deployment Target, where the k8s is located on Google Cloud.
I’ve set it up so it would connect to the cluster with the Cluster Certificate i get from Google Cloud Console. But I can’t seem to get the Service Account created to work.
I’ve added it to octopus as Client Credentials but are getting the following error.

error: You must be logged in to the server (the server has asked for the client to provide credentials)

I hope someone who have done this before, are able to help me.
Thank you!

Hi @alexander.steen

Thanks for getting in touch!

That message usually points to an authentication error. Are you able to connect successfully with the Cluster Certificate outside of Octopus?

It may be useful for us to see any relevant logs that might help point us in the right direction. Would you be able to attach them here, please?

Regards,

Hi @stuart.mcilveen

I’m not a k8s superuser, so I’m not 100% sure how to use the Cluster Certificate outside Octopus.
My current way of accessing the cluster is via kubectl, and I used the gcloud CLI tool to set up the permissions.

I’m not 100% sure what logs you’re referring to. But I have attached the Octopus connectivity check logs.

If you want some specific logs, please let me know.
ServerTasks-24.log.txt (9.0 KB)

Hi @alexander.steen

Thanks for getting back to me with those logs. It does look like an authentication issue.

I think a good place to start is checking if you have authentication set up correctly on your target within Octopus. Have you added the certificate in Library -> Certificates and then configured your targets authentication to use it? It should look something like this:

Regards,

Hi @stuart.mcilveen

I’ve set this up yes. I have the Cluster Cert and I think this is correct.
It think it’s the client certificate that is wrong. I don’t know where to find it for Google Cloud, so I have created a ServiceAccount and are using the .json file as the client certificate, as i couldn’t find anything else that looked correct.

If I look at my cluster on google cloud console, I can see the Client Certificate is Disabled with no way of enabling it. Does this need to be enabled for Octopus to work?

Hi @alexander.steen

I’d guess it would need to be enabled if you were using it to sign in with. You can read more about how to enable the client certificate on Google Cloud here.

Please try that and let me know how you get on.

Hi @stuart.mcilveen

I would guess the same, the only problem is that Client Certificate is immutable for existing clusters. So I’m not gonna be able to enable it for my current cluster to my knowledge.
I can see that there is an option for enabling Basic Authentication for the cluster, will I be able to use the Username/Password authentication option in Octopus if I choose that?

That should work - could you test it and let me know if that gets you up and running, please?

I will try this and get back to you. I can see Basic Authentication is marked as deprecated and has been removed in GKE 1.19 and later. So it won’t be a permanent solution.

I have now gotten a Successful Health check on my cluster with the Basic Authentication. So that is a really good start that the other information and certificate is correct. I just need to figure out another way of connecting before we reach GKE 1.19