camunda / camunda-platform-helm

Camunda Platform 8 Self-Managed Helm charts
https://docs.camunda.io/docs/self-managed/overview/
Apache License 2.0

[ISSUE] unknown field "spec.template.spec.containers[0].limits" and "spec.template.spec.containers[0].requests" warning #1010

Closed ManuelDittmar closed 11 months ago

ManuelDittmar commented 1 year ago

Describe the issue:

When Installing C8 with the 8.3.1 Helm Release, I face the following warnings:

coalesce.go:223: warning: destination for identity.postgresql.networkPolicy.egressRules.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for identity.postgresql.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for identity.postgresql.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for keycloak.postgresql.networkPolicy.egressRules.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for keycloak.postgresql.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for keycloak.postgresql.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for keycloak.postgresql.networkPolicy.egressRules.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for keycloak.postgresql.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for keycloak.postgresql.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
W1026 10:50:43.612402   28001 warnings.go:70] unknown field "spec.template.spec.containers[0].limits"
W1026 10:50:43.612483   28001 warnings.go:70] unknown field "spec.template.spec.containers[0].requests"

I can see that some of the warnings are coming from the postgres bitnami chart (https://github.com/bitnami/charts/issues/17465).

For

W1026 10:50:43.612402 28001 warnings.go:70] unknown field "spec.template.spec.containers[0].limits"
W1026 10:50:43.612483 28001 warnings.go:70] unknown field "spec.template.spec.containers[0].requests"

I am unsure where they are coming from

Actual behavior:

Installation throws warnings but deployment is still successful

Expected behavior:

No warnings are thrown, unless something needs to be fixed.

How to reproduce:

helm install camunda camunda/camunda-platform

Logs:

coalesce.go:223: warning: destination for identity.postgresql.networkPolicy.egressRules.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for identity.postgresql.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for identity.postgresql.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for keycloak.postgresql.networkPolicy.egressRules.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for keycloak.postgresql.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for keycloak.postgresql.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for keycloak.postgresql.networkPolicy.egressRules.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for keycloak.postgresql.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for keycloak.postgresql.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
W1026 10:50:43.612402   28001 warnings.go:70] unknown field "spec.template.spec.containers[0].limits"
W1026 10:50:43.612483   28001 warnings.go:70] unknown field "spec.template.spec.containers[0].requests"
NAME: camunda
LAST DEPLOYED: Thu Oct 26 10:50:28 2023
NAMESPACE: default
STATUS: deployed
REVISION: 1
NOTES:
# (camunda-platform - 8.3.1)

 ######     ###    ##     ## ##     ## ##    ## ########     ###
##    ##   ## ##   ###   ### ##     ## ###   ## ##     ##   ## ##
##        ##   ##  #### #### ##     ## ####  ## ##     ##  ##   ##
##       ##     ## ## ### ## ##     ## ## ## ## ##     ## ##     ##
##       ######### ##     ## ##     ## ##  #### ##     ## #########
##    ## ##     ## ##     ## ##     ## ##   ### ##     ## ##     ##
 ######  ##     ## ##     ##  #######  ##    ## ########  ##     ##

###################################################################

## Installed Services:

- Zeebe:
  - Enabled: true
  - Docker Image used for Zeebe: camunda/zeebe:8.3.1
  - Zeebe Cluster Name: "camunda-zeebe"
  - Prometheus ServiceMonitor Enabled: true
- Operate:
  - Enabled: true
  - Docker Image used for Operate: camunda/operate:8.3.1
- Tasklist:
  - Enabled: true
  - Docker Image used for Tasklist: camunda/tasklist:8.3.1
- Optimize:
  - Enabled: true
  - Docker Image used for Optimize: camunda/optimize:3.11.0
- Connectors:
  - Enabled: true
  - Docker Image used for Connectors: camunda/connectors-bundle:8.3.0
- Identity:
  - Enabled: true
  - Docker Image used for Identity: camunda/identity:8.3.1
  - Keycloak: bitnami/keycloak:22.0.4
- Web Modeler:
  - Enabled: false
- Elasticsearch:
  - Enabled: true
  - Elasticsearch URL: http://camunda-elasticsearch:9200

### Zeebe

The Cluster itself is not exposed as a service which means that you can use `kubectl port-forward` to access the Zeebe cluster from outside Kubernetes:

> kubectl port-forward svc/camunda-zeebe-gateway 26500:26500 -n default

Now you can connect your workers and clients to `localhost:26500`
### Connecting to Web apps

As part of the Helm charts, an ingress definition can be deployed, but you require to have an Ingress Controller for that Ingress to be Exposed.In order to deploy the ingress manifest, set `<service>.ingress.enabled` to `true`. Example: `operate.ingress.enabled=true`

If you don't have an ingress controller you can use `kubectl port-forward` to access the deployed web application from outside the cluster:

Identity:
> kubectl port-forward svc/camunda-identity 8080:80
Operate:
> kubectl port-forward svc/camunda-operate  8081:80
Tasklist:
> kubectl port-forward svc/camunda-tasklist 8082:80
Optimize:
> kubectl port-forward svc/camunda-optimize 8083:80
Connectors:
> kubectl port-forward svc/camunda-connectors 8088:8080

If you want to use different ports for the services, please adjust the related configs in the values file since these ports are used as redirect URLs for Keycloak.

Authentication via Identity/Keycloak is enabled. To login into one of the services please port-forward to Keycloak
as well, otherwise, a login will not be possible. Make sure you use `18080` as a port.

> kubectl port-forward svc/camunda-keycloak 18080:80

Now you can point your browser to one of the service's login pages. Example: http://localhost:8081 for Operate.

Default user and password: "demo/demo"

## Console config
- name: camunda
  namespace: default
  version: 8.3.1
  components:
  - name: Keycloak
    url: http:///auth
  - name: Identity
    url: http://
    readiness: http://camunda-identity.default:80/actuator/health

  - name: Operate
    url: http://
    readiness: http://camunda-operate.default:80/actuator/health/readiness

  - name: Optimize
    url: http://
    readiness: http://camunda-optimize.default:80/api/readyz

  - name: Tasklist
    url: http://
    readiness: http://camunda-tasklist.default:80/actuator/health/readiness

  - name: Zeebe Gateway
    url: grpc://
    readiness: http://camunda-zeebe-gateway.default:9600/actuator/health/readiness

Environment:

Please note: Without the following info, it's hard to resolve the issue and probably it will be closed.

jessesimpson36 commented 1 year ago

We learned that some of our indentations were off in 8.3.1. Since your warnings mention "limits" and "requests", I feel like it's because of the same issue. We fixed it in this PR #105 which is not yet released.

matt-gnu commented 1 year ago

Hi @jessesimpson36,

I assume you did not mean #105, which is from 2022, but #1013, which is current. Just stating this here for other readers hit by this bug.

We also got hit by this error when deploying 8.3.1, because in ArgoCD the application deployment will never reach a steady state, but will stay "out of sync", since the actual state (without resource limits) deviates from the specified state.

noizo commented 1 year ago

Also facing the same issue in the latest 8.3.1 helm.

When I run: helm template camunda-devops-test camunda/camunda-platform -f values.yaml > camunda.yaml and then kubectl apply -f camunda.yaml

helm install won't work as well.

I'm getting this error:

error: error validating "camunda.yaml": error validating data: [ValidationError(Deployment.spec.template.spec.containers[0]): unknown field "limits" in io.k8s.api.core.v1.Container, ValidationError(Deployment.spec.template.spec.containers[0]): unknown field "requests" in io.k8s.api.core.v1.Container]; if you choose to ignore these errors, turn validation off with --validate=false

My tasklist definition looks like this:

tasklist:
  resources:
    requests:
      cpu: 400m
      memory: 1Gi
    limits:
      cpu: 1000m
      memory: 2Gi

That is how it's templating for me:

# Source: camunda-platform/templates/tasklist/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: camunda-devops-test-tasklist
  labels:
    app: camunda-platform
    app.kubernetes.io/name: camunda-platform
    app.kubernetes.io/instance: camunda-devops-test
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: camunda-platform
    helm.sh/chart: camunda-platform-8.3.1
    app.kubernetes.io/version: "8.3.1"
    app.kubernetes.io/component: tasklist
  annotations:
    {}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: camunda-platform
      app.kubernetes.io/name: camunda-platform
      app.kubernetes.io/instance: camunda-devops-test
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/part-of: camunda-platform
      app.kubernetes.io/component: tasklist
  template:
    metadata:
      labels:
        app: camunda-platform
        app.kubernetes.io/name: camunda-platform
        app.kubernetes.io/instance: camunda-devops-test
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/part-of: camunda-platform
        helm.sh/chart: camunda-platform-8.3.1
        app.kubernetes.io/version: "8.3.1"
        app.kubernetes.io/component: tasklist
      annotations:
        checksum/config: 01fde189e6ce2d18ab0e4c6231ef295e627a14e6df6769736dfccd4d850e4e54
    spec:
      imagePullSecrets:
        []
      initContainers:
        []
      containers:
        - name: tasklist
          image: camunda/tasklist:8.3.1
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            runAsUser: 1002
          env:
            - name: SPRING_PROFILES_ACTIVE
              value: "identity-auth"
            - name: SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUERURI
              value: "https://some_url.com"
            - name: SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWKSETURI
              value: "https://some_url.com"
            - name: CAMUNDA_TASKLIST_IDENTITY_BASEURL
              value: "http://camunda-devops-test-identity:8080"
            - name: CAMUNDA_TASKLIST_IDENTITY_ISSUER_URL
              value: "https://some_url.com"
            - name: CAMUNDA_TASKLIST_IDENTITY_ISSUER_BACKEND_URL
              value: "https://some_url.com"
            - name: CAMUNDA_TASKLIST_IDENTITY_CLIENT_ID
              value: "tasklist"
            - name: CAMUNDA_TASKLIST_IDENTITY_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: "camunda-devops-test-tasklist-identity-secret"
                  key: tasklist-secret
            - name: CAMUNDA_TASKLIST_IDENTITY_AUDIENCE
              value: "tasklist-api"
            - name: CAMUNDA_TASKLIST_IDENTITY_REDIRECT_ROOT_URL
              value: "https://some_url.com"
            - name: ZEEBE_CLIENT_ID
              value: zeebe
            - name: ZEEBE_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: "camunda-devops-test-zeebe-identity-secret"
                  key: zeebe-secret
            - name: ZEEBE_AUTHORIZATION_SERVER_URL
              value: "https://some_url.com"
            - name: ZEEBE_TOKEN_AUDIENCE
              value: zeebe-api
            - name: GRAPHQL_PLAYGROUND_ENABLED
              value: "true"
            - name: GRAPHQL_PLAYGROUND_SETTINGS_REQUEST_CREDENTIALS
              value: "include"
            - name: HOME
              value: /parent
            - name: ZEEBE_CLIENT_CONFIG_PATH
              value: /tmp/zeebe_auth_cache
          resources:
          limits:
            cpu: 1000m
            memory: 2Gi
          requests:
            cpu: 400m
            memory: 1Gi
          ports:
            - containerPort: 8080
              name: http
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /actuator/health/readiness
              scheme: HTTP
              port: http
            initialDelaySeconds: 30
            periodSeconds: 30
            successThreshold: 1
            failureThreshold: 5
            timeoutSeconds: 1
          volumeMounts:
            - name: config
              mountPath: /app/resources/application.yml
              subPath: application.yml
            - mountPath: /tmp
              name: tmp
            - mountPath: /camunda
              name: camunda
      volumes:
        - name: config
          configMap:
            name: camunda-devops-test-tasklist
            defaultMode: 484
        - name: tmp
          emptyDir: {}
        - name: camunda
          emptyDir: {}
      securityContext:
        fsGroup: 1002
        runAsNonRoot: true
          resources:
          limits:
            cpu: 1000m
            memory: 2Gi
          requests:
            cpu: 400m
            memory: 1Gi
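
The rendered Deployment above shows the defect: `limits` and `requests` sit at the same indentation as an empty `resources:` key, so they are not Container fields and the pod runs without the intended resource limits. The following is an added example, not code from the chart or from any commenter: a standard-library Python scan of rendered manifests for exactly this pattern; the function name `find_orphaned_resources` and the trimmed sample are constructed for illustration.

```python
import re

KEY = re.compile(r"^(\s*)(- )?([\w./-]+):\s*(.*)$")  # "key: value", incl. "- key: value"

def find_orphaned_resources(manifest):
    """Return (source, line_no, key) for limits/requests rendered beside an empty `resources:`."""
    findings, source, res_col, first = [], None, None, False
    for no, line in enumerate(manifest.splitlines(), 1):
        if line.startswith("# Source:"):           # Helm's per-template marker
            source, res_col = line[9:].strip(), None
            continue
        m = KEY.match(line)
        if not m:
            continue
        col = len(m.group(1)) + len(m.group(2) or "")   # column where the key starts
        key, value = m.group(3), m.group(4)
        if key == "resources" and value == "":
            res_col, first = col, True             # start tracking this block
            continue
        if res_col is None:
            continue
        if col > res_col:
            if first:
                res_col = None                     # children are nested correctly
        elif col == res_col and key in ("limits", "requests"):
            findings.append((source, no, key))     # sibling of resources: not a Container field
        else:
            res_col = None                         # moved on to another container field
        first = False
    return findings

# Constructed sample, trimmed from the rendered tasklist Deployment in this thread.
SAMPLE = """\
# Source: camunda-platform/templates/tasklist/deployment.yaml
spec:
  template:
    spec:
      containers:
        - name: tasklist
          resources:
          limits:
            cpu: 1000m
          requests:
            cpu: 400m
          ports: []
"""

if __name__ == "__main__":
    print(*find_orphaned_resources(SAMPLE), sep="\n")
```

In a pipeline, feed it the output of `helm template` (as run in the comment above) and fail the job when the returned list is non-empty.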

PG2000 commented 1 year ago

We're facing the same issues

aabouzaid commented 11 months ago

Thanks for reporting that issue. It has been fixed in 8.3.2.