Closed manobi closed 2 years ago
Hi @manobi , looking into this
@nathancoleman if there is something I can do by editing the Helm release, just tell me and I can try to help you debug. Thank you.
@manobi I'm working on validating the change in https://github.com/hashicorp/consul-k8s/pull/1481 which I believe should fix this issue
@manobi The fix that I linked above allows the acl-init job to complete for the API Gateway controller successfully when following the Federation Between Kubernetes Clusters guide; however, there are other issues beyond that one which prevent the controller-per-cluster setup described in https://github.com/hashicorp/consul-api-gateway/issues/300 from working. Does the setup described there match what you're wanting to do?
@nathancoleman My setup is based on Federation Between Kubernetes Clusters guide.
Having a single API gateway for all clusters is not a requirement for me. I only need the API gateway working in the secondary cluster, routing requests for services running in secondary cluster (unlike https://github.com/hashicorp/consul-api-gateway/issues/300).
@nathancoleman, whilst having a single API gateway would be very useful for me, it's not a definite requirement. At the moment I cannot get either option to work.
Ideally I'd like to be able to expose each service on one API gateway, but also separate API gateways, depending on the use for the gateway (for example client visibility etc.)
Also, a single datacenter doesn't really work due to the requirement for communication between pods in different clusters. It is important that the networks are kept separate.
Please keep me updated, currently I don't have a good alternative solution.
@codex70 please see https://github.com/hashicorp/consul-k8s/issues/1344#issuecomment-1246987277
Community Note
Overview of the Issue
v0.48.0 uses k8s-auth when in secondary datacenters [GH-1462] (by @nathancoleman), but after this upgrade API Gateway controller acl-init never finishes.
As mentioned in the original issue, the consul-api-gateway-controller service account does not seem to have enough permission to perform authentication:
I've managed to run the following command in controller-acl-init but not in api-gateway-controller-acl-init container:
I have also been able to complete the initContainer using the "consul-controller" service account instead of "consul-api-gateway-controller".
But right now the Helm chart is broken and I have to keep api gateway disabled to keep using it.
Reproduction Steps
Logs
Expected behavior
Consul api-gateway-controller service account is expected to have authorization to run api gateway acl init.
Environment details
Additional Context