cloud-native-toolkit / site-developer-guide

This repository will host the Developer Guide for the IBM Garage Cloud Native Toolkit
https://develop.cloudnativetoolkit.dev
Apache License 2.0

Fast start install failed on IBM ROKS cluster due to `unauthorized` error pulling image quay.io/bitnami/sealed-secrets-controller:v0.17.1 #503

Open shiliy opened 2 years ago

shiliy commented 2 years ago

To Reproduce: `curl -sfL get.cloudnativetoolkit.dev | sh -` failed with:

│ Error: local-exec provisioner error
│ 
│   with module.cicd.module.sealed_secrets.null_resource.create_instance,
│   on .terraform/modules/cicd.sealed_secrets/main.tf line 81, in resource "null_resource" "create_instance":
│   81:   provisioner "local-exec" {
│ 
│ Error running command
│ '.terraform/modules/cicd.sealed_secrets/scripts/create-instance.sh
│ sealed-secrets': exit status 1. Output: Installing sealed secrets
│ controller
│ Release "sealed-secrets" does not exist. Installing it now.
│ NAME: sealed-secrets
│ LAST DEPLOYED: Fri May  6 12:50:53 2022
│ NAMESPACE: sealed-secrets
│ STATUS: deployed
│ REVISION: 1
│ TEST SUITE: None
│ Waiting for deployment/sealed-secrets in sealed-secrets
│ Waiting for deployment "sealed-secrets" rollout to finish: 0 of 1 updated
│ replicas are available...
│ error: deployment "sealed-secrets" exceeded its progress deadline

And details on the failed pod:

 oc describe pod sealed-secrets-5684c9b6-x2zgv
Name:         sealed-secrets-5684c9b6-x2zgv
Namespace:    sealed-secrets
Priority:     0
Node:         10.87.171.248/10.87.171.248
Start Time:   Fri, 06 May 2022 08:50:57 -0400
Labels:       app.kubernetes.io/instance=sealed-secrets
              app.kubernetes.io/name=sealed-secrets
              pod-template-hash=5684c9b6
Annotations:  cni.projectcalico.org/containerID: 644bbb2630b6a46f0dd5eabecdc2a2f557290ba121e62bef74e68c6f9f093e90
              cni.projectcalico.org/podIP: 172.30.8.181/32
              cni.projectcalico.org/podIPs: 172.30.8.181/32
              k8s.v1.cni.cncf.io/network-status:
                [{
                    "name": "k8s-pod-network",
                    "ips": [
                        "172.30.8.181"
                    ],
                    "default": true,
                    "dns": {}
                }]
              k8s.v1.cni.cncf.io/networks-status:
                [{
                    "name": "k8s-pod-network",
                    "ips": [
                        "172.30.8.181"
                    ],
                    "default": true,
                    "dns": {}
                }]
              openshift.io/scc: sealed-secrets-sealed-secrets-anyuid
Status:       Pending
IP:           172.30.8.181
IPs:
  IP:           172.30.8.181
Controlled By:  ReplicaSet/sealed-secrets-5684c9b6
Containers:
  controller:
    Container ID:  
    Image:         quay.io/bitnami/sealed-secrets-controller:v0.17.1
    Image ID:      
    Port:          8080/TCP
    Host Port:     0/TCP
    Command:
      controller
    Args:
      --key-prefix
      sealed-secret-key
    State:          Waiting
      Reason:       ImagePullBackOff
    Ready:          False
    Restart Count:  0
    Liveness:       http-get http://:http/healthz delay=0s timeout=1s period=10s #success=1 #failure=3
    Readiness:      http-get http://:http/healthz delay=0s timeout=1s period=10s #success=1 #failure=3
    Environment:    <none>
    Mounts:
      /tmp from tmp (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-gj2md (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True 
Volumes:
  tmp:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
  kube-api-access-gj2md:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
    ConfigMapName:           openshift-service-ca.crt
    ConfigMapOptional:       <nil>
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason          Age                  From               Message
  ----     ------          ----                 ----               -------
  Normal   Scheduled       10m                  default-scheduler  Successfully assigned sealed-secrets/sealed-secrets-5684c9b6-x2zgv to 10.87.171.248
  Normal   AddedInterface  10m                  multus             Add eth0 [172.30.8.181/32] from k8s-pod-network
  Normal   Pulling         8m8s (x4 over 10m)   kubelet            Pulling image "quay.io/bitnami/sealed-secrets-controller:v0.17.1"
  Warning  Failed          7m56s (x4 over 10m)  kubelet            Failed to pull image "quay.io/bitnami/sealed-secrets-controller:v0.17.1": rpc error: code = Unknown desc = reading manifest v0.17.1 in quay.io/bitnami/sealed-secrets-controller: unauthorized: access to the requested resource is not authorized
  Warning  Failed          7m56s (x4 over 10m)  kubelet            Error: ErrImagePull
  Warning  Failed          7m34s (x6 over 10m)  kubelet            Error: ImagePullBackOff
  Normal   BackOff         21s (x37 over 10m)   kubelet            Back-off pulling image "quay.io/bitnami/sealed-secrets-controller:v0.17.1"

Expected behavior: successful installation

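A triage helper for the kubelet events shown in this report, added here as an example and not part of the original issue or the toolkit's code: it extracts each failed image pull from `oc describe pod` output and classifies the registry error. The sample events are constructed (the first repeats the failure reported above), and the categories and hints are general assumptions rather than toolkit behaviour.

```python
import re

# Constructed sample in the layout of the Events table of `oc describe pod`.
# The first line repeats the failure in this issue; the others are made up.
SAMPLE_EVENTS = """\
  Warning  Failed   7m56s (x4 over 10m)  kubelet  Failed to pull image "quay.io/bitnami/sealed-secrets-controller:v0.17.1": rpc error: code = Unknown desc = reading manifest v0.17.1 in quay.io/bitnami/sealed-secrets-controller: unauthorized: access to the requested resource is not authorized
  Warning  Failed   2m (x3 over 5m)      kubelet  Failed to pull image "registry.example.com/team/app:1.0": rpc error: code = Unknown desc = reading manifest 1.0 in registry.example.com/team/app: manifest unknown
  Warning  Failed   1m (x2 over 3m)      kubelet  Failed to pull image "registry.example.com/team/db:2": rpc error: code = Unknown desc = pinging container registry registry.example.com: dial tcp: lookup registry.example.com: no such host
  Normal   Pulling  8m8s (x4 over 10m)   kubelet  Pulling image "quay.io/bitnami/sealed-secrets-controller:v0.17.1"
"""

# Message pattern -> (category, next check); general rules of thumb (assumptions).
RULES = [
    (r"unauthorized|authentication required|access denied", "auth",
     "check the pull secret linked to the pod's service account and "
     "whether the repository still allows anonymous pulls"),
    (r"manifest unknown|not found", "missing",
     "registry reachable but tag absent: check the tag pinned in the chart"),
    (r"no such host|i/o timeout|connection refused|x509", "network",
     "node cannot reach or trust the registry: check DNS, egress and CA bundle"),
]
PULL_FAILED = re.compile(r'Failed to pull image "([^"]+)": (.*)')

def split_image(ref):
    """Split an image reference into (registry, repository, tag or digest)."""
    name, _, digest = ref.partition("@")
    head, _, rest = name.partition("/")
    if rest and ("." in head or ":" in head or head == "localhost"):
        registry, path = head, rest
    else:
        registry, path = "docker.io", name  # no registry host in the reference
    repo, sep, tag = path.rpartition(":")
    if not sep:
        repo, tag = path, "latest"  # untagged reference
    return registry, repo, digest or tag

def triage(describe_text):
    """Return one (registry, repo, tag, category, hint) per image whose pull failed."""
    findings = {}
    for image, message in PULL_FAILED.findall(describe_text):
        category, hint = next(
            ((c, h) for pat, c, h in RULES if re.search(pat, message, re.I)),
            ("unknown", "read the full kubelet message"))
        findings.setdefault(image, (*split_image(image), category, hint))
    return list(findings.values())

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

To use it on a live cluster, pass the text of `oc describe pod <pod>` to `triage()` instead of the constructed sample.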