
I'm currently working on a project using the Firebase Admin Go SDK to handle auth and to use the Realtime Database. The project works correctly when I run it locally (by just running go run main.go). When I run it in Minikube via a Docker image (or GKE, I've tested both) I get this error whenever I try to make any Firestore calls:

transport: authentication handshake failed: x509: certificate signed by unknown authority

Here is the code I'm using on the server to make the call to the DB:

import (
    "context"
    "fmt"

    firebase "firebase.google.com/go"
    "google.golang.org/api/option"
)

// Initialize the app
opt := option.WithCredentialsFile("./serviceAccountKey.json")
app, err := firebase.NewApp(context.Background(), nil, opt)
if err != nil {
    return err
}
// This is the first call I attempt to make, and where the error is thrown
// Create the client
client, err := app.Firestore(context.Background())
if err != nil {
    return err
}
iter := client.Collection("remoteModels").Documents(context.Background())
snaps, err := iter.GetAll()
if err != nil {
    logger.Log.Warn("Error getting all remoteModels")
    fmt.Println(err)
    return err
}

And here is my Dockerfile that adds the service account key Firebase provided me from the console:

FROM scratch

ADD main /
ADD serviceAccountKey.json /

EXPOSE 9090

ENTRYPOINT ["/main", "-grpc-port=9090", "-http-port=9089", "-env=prod"]

I can't find anything in the documentation about running in Kubernetes.
Is there anything I need to do to be able to connect to Firestore from Kubernetes?

Diericx
  • Can you try mapping your app port 8080 to some other port... as I doubt that the Kubernetes api-server uses that port, and because of that the request might be going to the apiserver, which might be validating the certs. – Aman Juneja Mar 31 '19 at 04:44
  • @AmanJuneja just tried that and got the same error. – Diericx Mar 31 '19 at 15:25
  • Can you tell me what changes you made? Just curious, as it seems more to me that the request is going to the apiserver. – Aman Juneja Mar 31 '19 at 16:05
  • Sure! I just updated the post so it's easier to read. I just double checked that the port didn't somehow get hard-coded at some point. From what I can tell looking at the code it should be running on 9089. – Diericx Mar 31 '19 at 16:30
  • Just add 9089 also to the EXPOSE line and then give it a try. – Aman Juneja Mar 31 '19 at 16:45
  • No, same error. I'm connecting on 9090 to the gRPC server. – Diericx Mar 31 '19 at 22:57
  • Can you share your pod manifest file? – Aman Juneja Apr 01 '19 at 09:09
  • https://gist.github.com/diericx/2a4c5198be44bd8d1ade57de51231154 – Diericx Apr 01 '19 at 14:23
  • First thing, can you add port 9090 as the target port in the service spec? Then, as you are using the LoadBalancer service, on Minikube there will be no external IP, so you will have to reach your app using the node IP and the nodePort opened up by the service. – Aman Juneja Apr 01 '19 at 14:41
  • Okay, it looks like [this now](https://gist.github.com/diericx/09228d6d6214b44f03e898adcf45d62c) and I connect by getting the Minikube IP and the port for the service (in this case it was 31552), but I'm still getting the error :( I can connect; it's just Firebase having issues. – Diericx Apr 01 '19 at 16:33

1 Answer


If you are using Alpine-based images, try running apk add ca-certificates; it looks like a TLS error.
Install CA certificates; it should resolve the issue.

Ankit Deshpande
  • My image is actually empty and running a single binary, you can see it in the post. Do I need an alpine based image to add certs? – Diericx Apr 02 '19 at 15:29
  • Ahh, never mind! With a swift search I found [an example of a multi-stage build that injects CA certs](https://medium.com/on-docker/use-multi-stage-builds-to-inject-ca-certs-ad1e8f01de1b). This is my [updated Dockerfile](https://gist.github.com/diericx/b833e703f0514c0b1d9402452a1d0769). – Diericx Apr 02 '19 at 15:38
  • Just got back from class and tested it, works perfectly! Thank you so much, just wanted to make sure it also worked in my production env (GKE) – Diericx Apr 02 '19 at 18:18
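The multi-stage build the answer and the comments arrive at, written out as an added example (it is not the asker's gist or the linked article): a throwaway Alpine stage installs the root CA bundle, and the scratch image copies in only that one file. The Alpine tag is an assumption; the certificate path is the one Go's TLS stack reads by default on Linux.

```dockerfile
# Stage 1: used only to obtain a current root CA bundle (the tag is an assumption)
FROM alpine:3.9 AS certs
RUN apk add --no-cache ca-certificates

# Stage 2: the original scratch image plus the CA bundle that Go's crypto/x509
# loads from /etc/ssl/certs/ca-certificates.crt on Linux. Without this file the
# image has no trust anchors, so every outbound TLS handshake (the Firestore
# gRPC endpoint included) fails with "x509: certificate signed by unknown authority".
FROM scratch
COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

# The binary must be static to run in scratch: build it with CGO_ENABLED=0.
COPY main /

# Preferably the service account key is not baked into the image layers but
# mounted at /serviceAccountKey.json from a Kubernetes Secret (a volumeMount
# with subPath), so the code's "./serviceAccountKey.json" path still resolves.
# To keep the question's approach instead, uncomment the next line.
# COPY serviceAccountKey.json /

EXPOSE 9090
ENTRYPOINT ["/main", "-grpc-port=9090", "-http-port=9089", "-env=prod"]
```

The Deployment and Service manifests from the comments need no change for this; only the image contents differ.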