devtron-labs / devtron

Tool integration platform for Kubernetes
https://devtron.ai
Apache License 2.0
4.36k stars 477 forks

Bug: Missing Service Account in `app-manual-sync-job` #5543

Closed badal773 closed 2 months ago

badal773 commented 2 months ago

📜 Description

We are currently using an OpenShift environment where pods are granted permissions based on the attached service account. However, the `app-manual-sync-job` does not have a service account attached, and the job is initiated or triggered from the backend, causing it to fail due to insufficient permissions.

```
app-manual-sync-job-dgknh: {"level":"error","ts":1717654271.253899,"caller":"pkg/RepoManager.go:186","msg":"error in registry login, RegistryLogin","DockerArtifactStoreId":"harbor","err":"mkdir /.config: permission denied","stacktrace":"github.com/devtron-labs/chart-sync/pkg.(*HelmRepoManagerImpl).RegistryLogin\n\t/go/src/github.com/devtron-labs/chart-sync/pkg/RepoManager.go:186\ngithub.com/devtron-labs/chart-sync/pkg.(*SyncServiceImpl).syncOCIRepo\n\t/go/src/github.com/devtron-labs/chart-sync/pkg/SyncService.go:165\ngithub.com/devtron-labs/chart-sync/pkg.(*SyncServiceImpl).Sync\n\t/go/src/github.com/devtron-labs/chart-sync/pkg/SyncService.go:102\nmain.(*App).Start\n\t/go/src/github.com/devtron-labs/chart-sync/App.go:26\nmain.main\n\t/go/src/github.com/devtron-labs/chart-sync/main.go:12\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:250"}
```

👟 Reproduction steps

  1. Deploy the app-manual-sync-job in the OpenShift environment.
  2. Observe the job failing due to permission errors.

👍 Expected behavior

The app-manual-sync-job should have a service account attached, ensuring it has the necessary permissions to run successfully.

👎 Actual Behavior

The job is failing because no service account is attached, leading to permission issues.

☸ Kubernetes version

1.23

Cloud provider

openshift

🌍 Browser

Chrome

🧱 Your Environment

No response

✅ Proposed Solution

Attach a suitable service account to the app-manual-sync-job to ensure it has the required permissions to execute.

```yaml
serviceAccountName: chart-sync
```

If possible, could we obtain a template from the user to include additional security policies and other relevant information?

👀 Have you spent some time to check if this issue has been raised before?

🏢 Have you read the Code of Conduct?

AB#10209
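An added example, not part of the original issue or of Devtron's code: a Go check over `kubectl get jobs -o json` output that flags Jobs whose pod template sets no `serviceAccountName`; such pods run under the namespace's `default` service account, so any permissions bound to a dedicated account like `chart-sync` do not apply. The function name, the namespace and the second job name in the sample are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// job mirrors only the fields of a batch/v1 Job that this check reads.
type job struct {
	Metadata struct{ Name, Namespace string }
	Spec     struct {
		Template struct {
			Spec struct {
				ServiceAccountName string `json:"serviceAccountName"`
			}
		}
	}
}

// JobsWithoutServiceAccount returns "namespace/name" for every Job whose pod
// template leaves serviceAccountName unset or explicitly set to "default".
func JobsWithoutServiceAccount(raw []byte) ([]string, error) {
	var list struct{ Items []job }
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, fmt.Errorf("decode job list: %w", err)
	}
	var flagged []string
	for _, j := range list.Items {
		sa := j.Spec.Template.Spec.ServiceAccountName
		if sa == "" || sa == "default" {
			flagged = append(flagged, j.Metadata.Namespace+"/"+j.Metadata.Name)
		}
	}
	return flagged, nil
}

// Constructed sample input; "example-ns" and "other-sync-job" are placeholders.
const sampleJobs = `{"items":[
 {"metadata":{"name":"app-manual-sync-job","namespace":"example-ns"},"spec":{"template":{"spec":{"containers":[{"name":"chart-sync"}]}}}},
 {"metadata":{"name":"other-sync-job","namespace":"example-ns"},"spec":{"template":{"spec":{"serviceAccountName":"chart-sync","containers":[{"name":"chart-sync"}]}}}}
]}`

func main() {
	flagged, err := JobsWithoutServiceAccount([]byte(sampleJobs))
	if err != nil {
		panic(err)
	}
	fmt.Println(flagged)
}
```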

azure-boards[bot] commented 2 months ago

❌ There was a problem linking to Azure Boards work item(s):

Please check the IDs and try again using the AB# syntax. Learn more

azure-boards[bot] commented 2 months ago

❌ There was a problem linking to Azure Boards work item(s):

Please check the IDs and try again using the AB# syntax. Learn more