isindir / sops-secrets-operator

Kubernetes SOPS secrets operator
Mozilla Public License 2.0

0.1.9 - error in kustomize configuration for entrypoint #47

Closed so0k closed 3 years ago

so0k commented 3 years ago

Seems the manager deploy manifest has the wrong entrypoint:

  Normal   Pulled     11s (x2 over 12s)  kubelet, ...  Container image "isindir/sops-secrets-operator:0.1.9" already present on machine
  Normal   Created    11s (x2 over 12s)  kubelet, ...  Created container manager
  Warning  Failed     10s (x2 over 12s)  kubelet, ...  Error: failed to start container "manager": Error response from daemon: OCI runtime create failed: container_linux.go:370: starting container process caused: exec: "/manager": stat /manager: no such file or directory: unknown

Fix for 0.1.9:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

images:
- name: controller
  newName: isindir/sops-secrets-operator
  newTag: 0.1.9

namespace: sops-secrets-operator-system

bases:
- github.com/isindir/sops-secrets-operator/config/default/?ref=0.1.9

patches:
  - target:
      kind: Deployment
      name: sops-secrets-operator-controller-manager
    patch: |-
      - op: replace
        path: /spec/template/spec/containers/1/command
        value: [ /usr/local/bin/manager ]

so0k commented 3 years ago

For reference: if you're using EKS IAM, you need to patch fsGroup (this is not a bug, just help for others):

      - op: add
        path: /spec/template/spec/securityContext
        value:
          fsGroup: 1000

so0k commented 3 years ago

I could try and do a PR, but I'm handling it through kustomize for now.

For others moving to server-side apply: you need to add the protocol to the ports, see https://github.com/kubernetes-sigs/structured-merge-diff/issues/130:

patches:
  - target:
      kind: Deployment
      name: sops-secrets-operator-controller-manager
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/ports/0/protocol
        value: TCP
  - target:
      kind: Service
      name: sops-secrets-operator-controller-manager-metrics-service
    patch: |-
      - op: add
        path: /spec/ports/0/protocol
        value: TCP

isindir commented 3 years ago
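As an added example (not code from this thread or from the sops-secrets-operator project), the following Python applies the three JSON6902 patches posted above to a constructed Deployment and checks the result, so you can see what each `op`/`path` pair actually does before handing it to kustomize. The two-container layout, the container names `sidecar` and `manager`, and the port 8443 are assumptions inferred from the patch paths in the thread (the command is patched at `containers/1`, the port at `containers/0`); kustomize uses its own patch library, the RFC 6902 applier here is a minimal stand-in that mirrors the relevant behaviour, including that `replace` fails when the target path does not exist.

```python
import copy

# Constructed sample Deployment (not the operator's real manifest).  The
# layout is an assumption: index 0 is a sidecar that owns the ports, index 1
# is the manager container whose entrypoint the thread patches.
DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "sops-secrets-operator-controller-manager"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "sidecar", "ports": [{"containerPort": 8443, "name": "https"}]},
        {"name": "manager", "command": ["/manager"]},
    ]}}},
}

# The three patches posted in this thread, as RFC 6902 operations.
THREAD_PATCHES = [
    {"op": "replace", "path": "/spec/template/spec/containers/1/command",
     "value": ["/usr/local/bin/manager"]},
    {"op": "add", "path": "/spec/template/spec/securityContext",
     "value": {"fsGroup": 1000}},
    {"op": "add", "path": "/spec/template/spec/containers/0/ports/0/protocol",
     "value": "TCP"},
]


def _walk(doc, path):
    """Resolve an RFC 6901 pointer to (parent, key); list keys become ints."""
    if not path.startswith("/"):
        raise ValueError(f"pointer must start with '/': {path!r}")
    tokens = [t.replace("~1", "/").replace("~0", "~") for t in path[1:].split("/")]
    node = doc
    for tok in tokens[:-1]:
        node = node[int(tok)] if isinstance(node, list) else node[tok]
    key = tokens[-1]
    if isinstance(node, list):
        key = len(node) if key == "-" else int(key)
    return node, key


def apply_json_patch(doc, ops):
    """Apply add/replace/remove ops to a deep copy of doc; doc is never mutated."""
    out = copy.deepcopy(doc)
    for op in ops:
        try:
            parent, key = _walk(out, op["path"])
        except (KeyError, IndexError):
            raise KeyError(f"{op['op']}: path {op['path']} not found")
        is_list = isinstance(parent, list)
        exists = key < len(parent) if is_list else key in parent
        if op["op"] == "add":
            if is_list:
                if key > len(parent):
                    raise KeyError(f"add: index out of range in {op['path']}")
                parent.insert(key, copy.deepcopy(op["value"]))
            else:
                parent[key] = copy.deepcopy(op["value"])
        elif op["op"] in ("replace", "remove"):
            # RFC 6902: both require the target to exist, so a wrong container
            # index fails loudly instead of silently producing a bad manifest.
            if not exists:
                raise KeyError(f"{op['op']}: path {op['path']} not found")
            if op["op"] == "replace":
                parent[key] = copy.deepcopy(op["value"])
            else:
                del parent[key]
        else:
            raise ValueError(f"unsupported op {op['op']!r}")
    return out


def patch_from_thread(deployment):
    """Apply the three patches from the thread to a Deployment dict."""
    return apply_json_patch(deployment, THREAD_PATCHES)


def ports_missing_protocol(deployment):
    """Return 'container:port' for each containerPort that omits protocol.

    The API server defaults protocol to TCP, but server-side apply keys the
    ports list on (containerPort, protocol), so an explicit value avoids the
    conflicts described in structured-merge-diff issue #130.
    """
    found = []
    for c in deployment["spec"]["template"]["spec"].get("containers", []):
        for p in c.get("ports", []):
            if "protocol" not in p:
                found.append(f"{c['name']}:{p['containerPort']}")
    return found


if __name__ == "__main__":
    print("ports without protocol before:", ports_missing_protocol(DEPLOYMENT))
    patched = patch_from_thread(DEPLOYMENT)
    print("ports without protocol after: ", ports_missing_protocol(patched))
    print("manager command:", patched["spec"]["template"]["spec"]["containers"][1]["command"])
    print("pod securityContext:", patched["spec"]["template"]["spec"]["securityContext"])
```

Run it directly to see the before/after state; `ports_missing_protocol` is the check worth keeping in a CI step for any manifest you intend to manage with server-side apply.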

@so0k, are you using the helm chart or plain resources via kustomize? I'm not supporting plain kustomizations; I never did any changes to it since helm is the preferred way to install this operator. If the helm chart: for the fsGroup, the values contain a securityContext, you need to enable it. I'll patch fsGroup to become the same as runAsUser (1000). I'll address some of the issues, but please feel free to send PRs here for kustomizations. I just need to check if these will be overwritten by regenerating the code. This service is not part of the helm chart either, as I have not implemented prometheus metrics. Thanks for reporting.

isindir commented 3 years ago

Closing this issue; I won't do any changes right now. If you still need any changes in the kustomization, please create another ticket.