Closed suckowbiz closed 2 years ago
Hi @suckowbiz, thanks for exploring Config Connector!
I used Ansible to install the Operator into an inhouse Kubernetes cluster that our company has developed as a standard product.
I'm not an expert of Ansible. Just want to verify, the secret generated from the following yaml snippet needs to be in the same format as the one generated by following the official guideline.
apiVersion: v1
kind: Secret
metadata:
name: config-connector-sa
namespace: cnrm-system
type: Opaque
data:
key.json: {{config_connector.service_account_json | b64encode}}
# Create a service account key and export its credentials to a file named key.json:
gcloud iam service-accounts keys create --iam-account \
SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com key.json
# Import the key's credentials as a Secret.
kubectl create secret generic SECRET_NAME \
--from-file key.json \
--namespace cnrm-system
Can you run kubectl get pod cnrm-controller-manager-0 -n cnrm-system -oyaml
and post the output here? I want to check if the controller manager pod has spun up correctly with the secret volume mounted.
What is the difference between the Config Connector manifest that one has to download for the offical guide via gsutil cp gs://configconnector-operator/latest/release-bundle.tar.gz release-bundle.tar.gz and the ones that are provided in this Git repo (https://github.com/GoogleCloudPlatform/k8s-config-connector/tree/master/install-bundles)?
The manifest from gs://configconnector-operator/ is for Config Connector operator (maybe a better name is Config Connector installer) which is used to install/uninstall KCC declaratively. This is the officially supported approach to install/uninstall KCC now.
The manifest in https://github.com/GoogleCloudPlatform/k8s-config-connector/tree/master/install-bundles is raw Config Connector manifest that users used to leverage to install KCC manually. We now are considering stopping uploading the raw Config Connector manifest in github to avoid confusion.
Hi @xiaobaitusi,
I can confirm the format of the secret is broken. The Config Connector Setup is fine.
After removing the secret and adding it manually via kubectl create secret generic config-connector-sa --from-file key.json --namespace cnrm-system
the pod came up as expected:
# $ k get pods
NAME READY STATUS RESTARTS AGE
cnrm-controller-manager-0 1/1 Running 0 16s
cnrm-deletiondefender-0 1/1 Running 0 16h
cnrm-webhook-manager-7fc6f759c-2gxk2 1/1 Running 0 16h
cnrm-webhook-manager-7fc6f759c-f4rp7 1/1 Running 0 16h
The issue was that Ansible changed the double quotes "
within the JSON into single quotes '
. This is a known issue with Ansible and Jinja. In my case the JSON is encrypted in an Ansible vault and rendered into a Jinja template having defined ANSIBLE_JINJA2_NATIVE: "True"
. This causes that change. The simplest possible solution was to not have JSON in my vault but a datastructure. The datastructure can be rendered with {{ datastructure | to_json | b64encode }}
.
Thanks!
I am going to close that issue since the reason of the issue was analyzed and a solution suggested.
Checklist
Bug Description
Hello together,
I am working for a big company that evaluates Google Config Connector for production use. We have an inhouse kubernetes cluster that is used for our customers.
Since we do not use GKE I had to install the Config Connector as for "other Kubernetes distributions". I followed the offical guide.
When I verified the installation I came across a
CrashLoopBackOff
pod namedcnrm-controller-manager-0
.Checking the logs:
The error states that the TF provider cannot be created because the credentials cannot be loaded. I guess that an environment variable is not in place where it should be.
Additional Diagnostic Information
The relevant secret
config-connector-sa
is in place as required by the guide. It contains a valid GCP service account:Kubernetes Cluster Version
Config Connector Version
Config Connector Mode
Log Output
Steps to Reproduce
Steps to reproduce the issue
Follow the official guide to install Google Config Connector to a custom Kubernetes Cluster.
YAML snippets
I used Ansible to install the Operator into an inhouse Kubernetes cluster that our company has developed as a standard product. The variable parts of the guide are filled with the yaml below:
I stumbled over an old issue that seems to be similar. But it is resolved long time ago: https://github.com/GoogleCloudPlatform/k8s-config-connector/issues/151
Additional question:
What is the difference between the Config Connector manifest that one has to download for the offical guide via
gsutil cp gs://configconnector-operator/latest/release-bundle.tar.gz release-bundle.tar.gz
and the ones that are provided in this Git repo (https://github.com/GoogleCloudPlatform/k8s-config-connector/tree/master/install-bundles
)? (I did a diff on both. The are quite different).