Closed braghettos closed 2 years ago
Digging deeper, I found the following log error:
```
[localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "acl": null,
            "auth_kind": "serviceaccount",
            "cors": null,
            "default_event_based_hold": null,
            "default_object_acl": null,
            "env_type": null,
            "labels": null,
            "lifecycle": null,
            "location": null,
            "logging": null,
            "metageneration": null,
            "name": "krateo-demo-provider-ansible-06",
            "owner": null,
            "predefined_default_object_acl": null,
            "project": "authentic-lotus-365212",
            "scopes": [
                "https://www.googleapis.com/auth/devstorage.full_control"
            ],
            "service_account_contents": null,
            "service_account_email": null,
            "service_account_file": "gcp-credentials.json",
            "state": "present",
            "storage_class": null,
            "versioning": null,
            "website": null
        }
    },
    "msg": "Please install the requests library"
}
```
Basically, the Python library 'requests' is missing in the Dockerfile, which should become this one:
```dockerfile
FROM alpinelinux/ansible
RUN apk --no-cache add ca-certificates bash
RUN pip3 install ansible-runner requests
ARG TARGETOS
ARG TARGETARCH
ADD bin/$TARGETOS\_$TARGETARCH/provider /usr/local/bin/crossplane-ansible-provider
# As of Crossplane v1.3.0 provider controllers run as UID 2000.
# https://github.com/crossplane/crossplane/blob/v1.3.0/internal/controller/pkg/revision/deployment.go#L32
RUN adduser --disabled-password --uid 2000 ansible
RUN passwd -d ansible
RUN mkdir /ansibleDir /.ansible
RUN chown ansible /ansibleDir /.ansible
EXPOSE 8080
USER ansible
ENTRYPOINT ["crossplane-ansible-provider"]
```
I prepared the PR: https://github.com/crossplane-contrib/provider-ansible/pull/121
Hi @braghettos,
thank you for raising this issue.
The Dockerfile contains only the base libraries to run the Ansible commands. All missing libraries should be installed by adding new playbook task(s).
Would you please check again with this fix: https://github.com/crossplane-contrib/provider-ansible/pull/125
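
The approach described in the reply above (installing a missing library from the playbook instead of the image), as an added example that is not taken from the provider-ansible repository or from PR 125. The `requests` and `google-auth` minimums are the documented requirements of `google.cloud.gcp_storage_bucket`; the `--user` install and a writable home directory for the UID 2000 user are assumptions.

```yaml
---
# Added example. Bucket name, project and credential file mirror the
# module_args visible in the failing task's log on this page.
- name: Ensure the GCS bucket exists
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    # The image runs as the non-root "ansible" user (UID 2000), so the
    # libraries are installed into that user's site-packages (assumption:
    # the user has a writable HOME and pip is available, as in the image).
    - name: Install Python libraries required by the google.cloud modules
      ansible.builtin.pip:
        name:
          - "requests>=2.18.4"
          - "google-auth>=1.3.0"
        extra_args: --user

    # Each module runs in a fresh Python process, so the libraries
    # installed by the previous task are importable here.
    - name: Create the bucket
      google.cloud.gcp_storage_bucket:
        name: krateo-demo-provider-ansible-06
        project: authentic-lotus-365212
        auth_kind: serviceaccount
        service_account_file: gcp-credentials.json
        state: present
```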
What happened?
I'm testing the following example: https://github.com/crossplane-contrib/provider-ansible/blob/main/examples/ansible/ansibleRun-ObserveAndDelete-policy.yml. The provider doesn't log anything, even in debug mode using a ControllerConfig. In the status of the CR I just see an 'EXIT 2' message.
How can we reproduce it?
I have created a service account in GCP with the Owner role, generated a new key, downloaded the credentials JSON and put them encoded in the secret: https://github.com/crossplane-contrib/provider-ansible/blob/main/examples/ansible/ansibleRun-ObserveAndDelete-policy.yml#L35
If I just use ansible cli to be sure that the playbook is correct, I get the following error:
"msg": "GCP returned error: {'error': {'code': 403, 'message': 'xx@yy.iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud Storage bucket.', 'errors': [{'message': 'xx@yy.iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud Storage bucket.', 'domain': 'global', 'reason': 'forbidden'}]}}"
What environment did it happen in?
kubectl version: 1.22