Trying to run docker-hello-google and running into openssl + p12 warnings (even though using a json key)

I’ve been trying for a few hours to figure out the sudo /opt/google-cloud-sdk/bin/gcloud auth activate-service-account line in the docker-hello-google CircleCI tutorial: https://github.com/circleci/docker-hello-google/blob/master/circle.yml

I keep getting this message:
WARNING: .p12 service account keys are not recomended unless it is necessary for backwards compatability. Please switch to a newer .json service account key for this account.
ERROR: (gcloud.auth.activate-service-account) PyOpenSSL is not available. If you have already installed PyOpenSSL, you will need to enable site packages by setting the environment variable CLOUDSDK_PYTHON_SITEPACKAGES to 1.

To try and remedy the OpenSSL issue, I set the suggested site packages to 1 in the environment variables:
machine:
  environment:
    PROJECT_NAME: circle-ctl-test
    CLUSTER_NAME: docker-hello-google-cluster
    CLOUDSDK_COMPUTE_ZONE: us-central1-f
    DEBIAN_FRONTEND: noninteractive
    CLOUDSDK_PYTHON_SITEPACKAGES: 1

I then also tried to actually install OpenSSL in the dependencies:
override:
  - pip install pyopenssl

The full circle.yml file is below. Beyond those changes and adding the email of my service account id, it’s the same as in the CircleCI tutorial. What I also find confusing is that I specifically set up a service account using json, NOT P12 - so it’s hard for me to tell if it’s even really OpenSSL that is tripping CircleCI up. Has anyone else experienced this error message and warning recently? If it helps, the service account key I made has the ‘owner’ role for the container engine app (the CircleCI tutorial does not say what ‘role’ you should give the service account so I just took a guess.)

machine:
  environment:
    PROJECT_NAME: circle-ctl-test
    CLUSTER_NAME: docker-hello-google-cluster
    CLOUDSDK_COMPUTE_ZONE: us-central1-f
    DEBIAN_FRONTEND: noninteractive
    CLOUDSDK_PYTHON_SITEPACKAGES: 1
    CLOUDSDK_CORE_DISABLE_PROMPTS: 1
  services:
    - docker

dependencies:
  pre:
    - sudo /opt/google-cloud-sdk/bin/gcloud --quiet components update
    - sudo /opt/google-cloud-sdk/bin/gcloud --quiet components update kubectl
    - echo $GCLOUD_SERVICE_KEY | base64 --decode -i > ${HOME}/circle-ctl-test-XXXXX.json
    - sudo /opt/google-cloud-sdk/bin/gcloud auth activate-service-account circleci-container@circle-ctl-test-XXXXX.iam.gserviceaccount.com --key-file ${HOME}/circle-ctl-test-XXXX.json
    - sudo /opt/google-cloud-sdk/bin/gcloud config set project $PROJECT_NAME
    - sudo /opt/google-cloud-sdk/bin/gcloud --quiet config set container/cluster $CLUSTER_NAME
    # Reading the zone from the env var is not working so we set it here
    - sudo /opt/google-cloud-sdk/bin/gcloud config set compute/zone ${CLOUDSDK_COMPUTE_ZONE}
    - sudo /opt/google-cloud-sdk/bin/gcloud --quiet container clusters get-credentials $CLUSTER_NAME
    - docker build -t us.gcr.io/${PROJECT_NAME}/hello:$CIRCLE_SHA1 .
    # Using a separate tag command until Docker 1.10 is available on CircleCI, then we can use two tags in the build command above
    - docker tag us.gcr.io/${PROJECT_NAME}/hello:$CIRCLE_SHA1 us.gcr.io/${PROJECT_NAME}/hello:latest
  override:
    - pip install pyopenssl
test:
  post:
    - docker run -d -p 3000:3000 -e "SECRET_KEY_BASE=abcd1234" us.gcr.io/${PROJECT_NAME}/hello:$CIRCLE_SHA1; sleep 10
    - curl --retry 10 --retry-delay 5 -v http://localhost:3000

deployment:
  prod:
    branch: master
    commands:
      - ./deploy.sh

Update: if I use the original json file I downloaded from Google and run the gcloud auth activate-service-account on my local machine, it works fine without a hitch (and no p12 warning). So it does not appear to be a permissions issue. I also tried encoding and decoding it using the base64 command locally and that also worked.

After a few more hours, I wanted to reply back that I figured out the p12 warning - I had to remove the -i in decode -i in the CircleCI code (I had run --decode without the -i already locally). That was causing the key to never get copied to a JSON file and thus Google wasn’t finding any key, JSON or not. Another gcloud newbie mistake after that was using the project name and not the actual ID (even though the CircleCI environment variable lists it as ‘name’).

I added some extra newbie mistakes I made as a GitHub issue for this tutorial to try and help out other new CircleCI users:

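A fail-fast version of the key-decoding step discussed in this thread, as an added example that is not part of the original posts or the CircleCI tutorial: it decodes the key without `-i`, checks that the result looks like a JSON service account key, and writes it with owner-only permissions, so a bad key stops the build before `gcloud auth activate-service-account --key-file` runs. The function name `write_service_key`, its exit codes and the sample key are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the tutorial. Decodes a base64-encoded service
# account key and refuses to write it unless it looks like a JSON key.
#
# write_service_key ENCODED OUT_FILE   (function name is hypothetical)
# Status: 0 ok, 2 empty input, 3 invalid base64, 4 not a JSON key.
write_service_key() (
  encoded=$1
  out_file=$2
  umask 077   # key file is created readable by its owner only

  if [ -z "$encoded" ]; then
    echo "error: key variable is empty or unset" >&2
    exit 2
  fi

  tmp="$out_file.tmp.$$"
  # No -i (--ignore-garbage): malformed input must fail, not decode to junk.
  # printf is a shell builtin, so the secret is not passed as a process argument.
  if ! printf '%s' "$encoded" | base64 --decode > "$tmp" 2>/dev/null; then
    rm -f "$tmp"
    echo "error: key is not valid base64" >&2
    exit 3
  fi

  # Structural checks only; gcloud still verifies the key itself.
  if ! head -n 1 "$tmp" | grep -q '^[[:space:]]*{' ||
     ! grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$tmp" ||
     ! grep -q '"private_key"' "$tmp"; then
    rm -f "$tmp"
    echo "error: decoded data is not a JSON service account key" >&2
    exit 4
  fi
  mv "$tmp" "$out_file"
)

# Constructed sample, not a real key.
sample='{"type": "service_account", "private_key": "CONSTRUCTED-NOT-A-KEY"}'
demo_dir=$(mktemp -d)
write_service_key "$(printf '%s' "$sample" | base64)" "$demo_dir/key.json" &&
  echo "key written"
write_service_key 'not base64 !!' "$demo_dir/bad.json" 2>/dev/null ||
  echo "rejected with status $?"
rm -rf "$demo_dir"
```

In a build step this would be called as `write_service_key "$GCLOUD_SERVICE_KEY" "$HOME/key.json"` (output path chosen here for illustration), with the `gcloud` activation running only if it returns 0.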