DoD-Platform-One / bigbang

BigBang the product
https://repo1.dso.mil/big-bang/bigbang
Apache License 2.0

Unable to pull the default Kiali token from a fresh bigbang 2.17 customer template package-strategy install #23

Closed p1-repo-sync-bot[bot] closed 5 months ago

p1-repo-sync-bot[bot] commented 6 months ago

Bug

Description

Describe the problem, what were you doing when you noticed the bug?

I am unable to pull the default Kiali token from a fresh bigbang install.

Using Customer template:

$ kubectl get serviceaccount kiali-service-account -n bigbang
Error from server (NotFound): serviceaccounts "kiali-service-account" not found

$ kubectl get secret -n kiali -o go-template='{{range $secret := .items}}{{with $secret.metadata.annotations}}{{with (index . "kubernetes.io/service-account.name")}}{{if eq . "kiali-service-account"}}{{$secret.data.token | base64decode}}{{end}}{{end}}{{end}}{{end}}'

$ kubectl get events -n bigbang --sort-by='.metadata.creationTimestamp' | grep -i kiali
52m   Normal   info                    helmrelease/kiali         HelmChart 'bigbang/bigbang-kiali' is not ready
52m   Normal   NoSourceArtifact        helmchart/bigbang-kiali   no artifact available for GitRepository source 'kiali'
51m   Normal   NewArtifact             gitrepository/kiali       stored artifact for commit 'Merge branch 'increase-cypress-timeouts' into 'mai...'
51m   Normal   ChartPackageSucceeded   helmchart/bigbang-kiali   packaged 'kiali' chart with version '1.77.1-bb.1'
2m4s  Normal   ArtifactUpToDate        helmchart/bigbang-kiali   artifact up-to-date with remote revision: '1.77.1-bb.1'
49m   Normal   info                    helmrelease/kiali         dependencies do not meet ready condition (dependency 'bigbang/istio' is not ready), retrying in 30s
96s   Normal   GitOperationSucceeded   gitrepository/kiali       no changes since last reconcilation: observed revision '1.77.1-bb.1@sha1:feeee3f2bdb90928db02eb5760ad1d5296cf5845'
47m   Normal   info                    helmrelease/kiali         dependencies do not meet ready condition (dependency 'bigbang/monitoring' is not ready), retrying in 30s
47m   Normal   info                    helmrelease/kiali         Helm install has started
46m   Normal   info                    helmrelease/kiali         Helm install succeeded

$ kubectl get events -n bigbang --sort-by='.metadata.creationTimestamp' | grep -i token
57m   Warning   PolicyViolation   serviceaccount/default   policy disallow-auto-mount-service-account-token/automount-service-accounts fail: validation error: Automount Kubernetes API Credentials isn't turned off. The field automountServiceAccountToken must be set to false. rule automount-service-accounts failed at path /automountServiceAccountToken/

Provide any steps possible used to reproduce the error (ideally in an isolated fashion).

$ kubectl create namespace bigbang

$ gpg --export-secret-key --armor ${fp} | kubectl create secret generic sops-gpg -n bigbang --from-file=bigbangkey.asc=/dev/stdin

$ kubectl create namespace flux-system

$ kubectl create secret docker-registry private-registry --docker-server=registry1.dso.mil --docker-username=OBFUSCATE --docker-password=OBFUSCATE -n flux-system

$ kubectl create secret generic private-git --from-literal=username=root --from-literal=password=OBFUSCATE -n bigbang

$ kubectl apply -k https://repo1.dso.mil/platform-one/big-bang/bigbang.git//base/flux?ref=2.17.0

$ kubectl get deploy -o name -n flux-system | xargs -n1 -t kubectl rollout status -n flux-system

$ kubectl apply -f bigbang.yaml

BigBang Version

What version of BigBang were you running?

2.17.0

My current configmap.yaml in the package-strategy:

domain: bigbang.dev-01.com # Updated the TLS cert for new wildcard domain

# Uncomment the following settings if using the AWS RKE2 terraform setup
# istio:
#   ingressGateways:
#     public-ingressgateway:
#       type: "NodePort"
#       nodePortBase: 30000

flux:
  interval: 2m
  rollback:
    cleanupOnFail: false

kiali:
  enabled: true

istio:
  enabled: true

istioOperator:
  enabled: true

monitoring:
  enabled: true
  values:
    prometheus:
      prometheusSpec:
        resources:
          requests:
            cpu: 200m
            memory: 1Gi

loki:
  enabled: false
  strategy: scalable
  values:
    minio:
      enabled: true
    write:
      replicas: 1
      persistence:
        size: 2Gi
      resources:
        limits:
          cpu: 200m
          memory: 400Mi
        requests:
          cpu: 200m
          memory: 400Mi
    read:
      replicas: 1
      persistence:
        size: 2Gi
      resources:
        limits:
          cpu: 200m
          memory: 400Mi
        requests:
          cpu: 200m
          memory: 400Mi

promtail:
  enabled: false

kyverno:
  enabled: true

kyvernoPolicies:
  enabled: true
  values:
    exclude:
      any:
      # Allows k3d load balancer to bypass policies.
      - resources:
          namespaces:
          - istio-system
          names:
          - svclb-*
    policies:
      restrict-host-path-mount-pv:
        parameters:
          allow:
          - /tmp/allowed
          - /var/lib/rancher/k3s/storage/pvc-*

neuvector:
  enabled: true
  values:
    k3s:
      enabled: true

addons:
  metricsServer:
    enabled: auto
  minioOperator:
    enabled: true # Minio Operator is required for Loki in default core
  argocd:
    enabled: false

p1-repo-sync-bot[bot] commented 6 months ago

ryan.j.garcia commented:

@robert.w.mcavoy2.civ our docs recommend the latter strategy here it looks like

https://kiali.io/docs/faq/authentication/

Make sure the short lived token you're creating is in the kiali namespace. Likewise for all commands.
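The reply above points at the short-lived token approach and at using the Kiali namespace for every command. The report's two attempts both miss for reasons worth spelling out: the first `kubectl get serviceaccount` queried the `bigbang` namespace rather than the namespace Kiali is deployed in, and the go-template loop over Secrets can only find a token that was written to a Secret, which Kubernetes 1.24 and later no longer do automatically for service accounts. The script below is an added example, not code from the report, from BigBang or from Kiali; it assumes the namespace `kiali` and the service account `kiali-service-account` named in the report, and a cluster on Kubernetes 1.24 or newer so that `kubectl create token` (the TokenRequest API) is available. It checks the service account in the requested namespace first, and when it is missing it lists the namespaces that do hold an account of that name, so a wrong-namespace lookup explains itself instead of ending in a bare NotFound.

```shell
#!/bin/sh
# Added example, not part of the BigBang or Kiali projects.
# Mint a short-lived token for the Kiali service account from the namespace
# Kiali actually runs in (the report queried the "bigbang" namespace).
# Assumptions (constructed for this example): namespace "kiali" and service
# account "kiali-service-account" as named in the report; Kubernetes 1.24+,
# where `kubectl create token` exists and service-account token Secrets are
# no longer auto-generated.

KIALI_NS="${KIALI_NS:-kiali}"
KIALI_SA="${KIALI_SA:-kiali-service-account}"
TOKEN_TTL="${TOKEN_TTL:-1h}"

# Print every namespace that contains a service account with this name,
# one per line, so a wrong-namespace lookup can say where to look instead.
namespaces_with_sa() {
  sa="$1"
  kubectl get serviceaccount -A \
    -o jsonpath='{range .items[?(@.metadata.name=="'"$sa"'")]}{.metadata.namespace}{"\n"}{end}' 2>/dev/null || true
}

# kiali_token [namespace] [serviceaccount] [ttl]
# Prints a TokenRequest-issued token on stdout. Returns 1 with a hint on
# stderr when the service account is not in the requested namespace.
kiali_token() {
  ns="${1:-$KIALI_NS}"; sa="${2:-$KIALI_SA}"; ttl="${3:-$TOKEN_TTL}"
  if ! kubectl get serviceaccount "$sa" -n "$ns" >/dev/null 2>&1; then
    echo "serviceaccount '$sa' not found in namespace '$ns'" >&2
    found=$(namespaces_with_sa "$sa")
    [ -n "$found" ] && echo "it exists in: $found" >&2
    return 1
  fi
  # The token is short-lived and bound to the service account; nothing
  # long-lived is written to a Secret, which is why a go-template loop over
  # Secrets (as in the report) returns nothing on a 1.24+ cluster.
  kubectl create token "$sa" -n "$ns" --duration="$ttl"
}
```

Source the file and call `kiali_token` with no arguments for the defaults, or `kiali_token istio-system kiali-service-account 30m` for a different namespace and lifetime; the `--duration` value is capped by the API server's configured maximum, so a shorter request is honoured and a longer one is silently reduced.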

p1-repo-sync-bot[bot] commented 5 months ago

Issue 'Unable to pull the default Kiali token from a fresh bigbang 2.17 customer template package-strategy install' closed from GitLab side