SchwarzIT / node-red-chart

Node-red Helm Chart
Apache License 2.0

Sidecar API: ApiException when calling kubernetes #257

Closed glenndehaan closed 1 year ago

glenndehaan commented 1 year ago

What happened?

When enabling the sidecar the following error pops up:

{"time": "2023-07-13T12:28:52.447411+00:00", "msg": "ApiException when calling kubernetes: (403)\nReason: Forbidden\nHTTP response headers: HTTPHeaderDict({'Audit-Id': 'b8b09bba-edfb-4081-a343-0f1003723b7e', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'X-Kubernetes-Pf-Flowschema-Uid': '8ab875b2-2eb8-4d39-b8f5-c4145d183385', 'X-Kubernetes-Pf-Prioritylevel-Uid': '7a39ee85-6835-4c03-9685-aa3a3ede8014', 'Date': 'Thu, 13 Jul 2023 12:28:52 GMT', 'Content-Length': '304'})\nHTTP response body: b'{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"configmaps is forbidden: User \\\\\"system:serviceaccount:node-red:node-red\\\\\" cannot watch resource \\\\\"configmaps\\\\\" in API group \\\\\"\\\\\" in the namespace \\\\\"node-red\\\\\"\",\"reason\":\"Forbidden\",\"details\":{\"kind\":\"configmaps\"},\"code\":403}\\n'\n\n", "level": "ERROR"}

How can we reproduce this?

Below is an example of my values.yaml:

settings:
  name: settings-config
  configMapName: settings-config

sidecar:
  enabled: true
  env:
    username: ***
    password: ***
  extraNodeModules:
    - node-red-contrib-microsoft-teams-tasks
    - node-red-contrib-json

Helm Chart version

0.24.2

Additional context

No response

dirien commented 1 year ago

Hey @glenndehaan,

thanks for submitting the issue! I will take a look now and will update this issue as soon as I have the solution ready!

glenndehaan commented 1 year ago

So I did find somewhat of a solution. I created the following manifests to allow the service account to read the configmaps and secrets:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-red-role
rules:
- apiGroups: [""]
  resources: ["configmaps", "secrets"]
  verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-red-rolebinding
roleRef:
  kind: ClusterRole
  name: node-red-role
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: node-red
  namespace: node-red

Maybe there can be an option to enable a basic RBAC manifest.
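An added example, not part of this issue thread and not the chart's or the sidecar's own code: it parses the sidecar's 403 log line quoted above and derives the least-privilege RBAC the service account actually needs. The log line is a copy of the one from the issue; the Role and RoleBinding names are assumptions. Where the ClusterRole in the comment above grants read access to secrets and configmaps in every namespace, the generated Role is scoped to the node-red namespace and lists only the verbs that were denied. The sidecar reports one denied verb per line, so feed it every distinct 403 line it logged (get, list and watch each produce one) before applying the result.

```python
import ast
import json
import re
from collections import defaultdict

# Copy of the sidecar error line quoted in the issue (the UUIDs are the issue's own).
SAMPLE_LOG = r'''{"time": "2023-07-13T12:28:52.447411+00:00", "msg": "ApiException when calling kubernetes: (403)\nReason: Forbidden\nHTTP response headers: HTTPHeaderDict({'Audit-Id': 'b8b09bba-edfb-4081-a343-0f1003723b7e', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'X-Kubernetes-Pf-Flowschema-Uid': '8ab875b2-2eb8-4d39-b8f5-c4145d183385', 'X-Kubernetes-Pf-Prioritylevel-Uid': '7a39ee85-6835-4c03-9685-aa3a3ede8014', 'Date': 'Thu, 13 Jul 2023 12:28:52 GMT', 'Content-Length': '304'})\nHTTP response body: b'{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"configmaps is forbidden: User \\\\\"system:serviceaccount:node-red:node-red\\\\\" cannot watch resource \\\\\"configmaps\\\\\" in API group \\\\\"\\\\\" in the namespace \\\\\"node-red\\\\\"\",\"reason\":\"Forbidden\",\"details\":{\"kind\":\"configmaps\"},\"code\":403}\\n'\n\n", "level": "ERROR"}'''

# The sidecar embeds the raw HTTP body as a Python bytes literal (b'...') in its message.
BODY_RE = re.compile(r"HTTP response body: (b'.*?')\n", re.DOTALL)
# Shape of the API server's RBAC denial message.
DENIAL_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"'
)


def extract_status(log_line: str) -> dict:
    """Return the Kubernetes Status object embedded in one sidecar JSON log line."""
    msg = json.loads(log_line)["msg"]
    m = BODY_RE.search(msg)
    if not m:
        raise ValueError("no HTTP response body in log line")
    # literal_eval turns the b'...' repr back into the original bytes, which are JSON.
    return json.loads(ast.literal_eval(m.group(1)))


def parse_denial(log_line: str) -> dict:
    """Map a 403 log line to the user, verb, API group, resource and namespace it names."""
    status = extract_status(log_line)
    if status.get("code") != 403:
        raise ValueError(f"not a Forbidden response: {status.get('code')}")
    m = DENIAL_RE.search(status["message"])
    if not m:
        raise ValueError(f"unrecognised denial message: {status['message']}")
    return m.groupdict()


def minimal_rbac(log_lines, role_name="node-red-sidecar"):
    """Build a namespaced Role and RoleBinding covering exactly the denied verbs.

    role_name is a hypothetical name chosen for this example. Verbs are unioned per
    (API group, resource), so several denial lines collapse into one rule per resource.
    """
    denials = [parse_denial(line) for line in log_lines]
    namespaces = {d["namespace"] for d in denials}
    users = {d["user"] for d in denials}
    if len(namespaces) != 1 or len(users) != 1:
        raise ValueError("expected denials for one service account in one namespace")
    namespace, user = namespaces.pop(), users.pop()
    # Service account users look like system:serviceaccount:<namespace>:<name>
    _, _, sa_namespace, sa_name = user.split(":", 3)
    verbs = defaultdict(set)
    for d in denials:
        verbs[(d["group"], d["resource"])].add(d["verb"])
    rules = [
        {"apiGroups": [group], "resources": [resource], "verbs": sorted(v)}
        for (group, resource), v in sorted(verbs.items())
    ]
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": role_name, "namespace": namespace},
        "rules": rules,
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": f"{role_name}-binding", "namespace": namespace},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": role_name},
        "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_namespace}],
    }
    return role, binding


if __name__ == "__main__":
    role, binding = minimal_rbac([SAMPLE_LOG])
    # kubectl accepts JSON manifests, so no YAML library is needed:
    #   python3 rbac_from_log.py | kubectl apply -f -
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": [role, binding]}, indent=2))
```

Run against the single line from the issue it emits a Role allowing only `watch` on configmaps in node-red; collect the remaining denial lines the sidecar logs once that is applied and the rules grow to the get/list/watch set the comment above uses, without the cluster-wide scope.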

dirien commented 1 year ago

Hey @glenndehaan,

release v0.25.0 should fix the issue!

Thanks for creating the issue.

glenndehaan commented 12 months ago

@dirien Thank you for your help. I can indeed confirm that version v0.25.0 fixes the forbidden issue.