kubewarden / kubewarden-controller

Manage admission policies in your Kubernetes cluster with ease
https://kubewarden.io
Apache License 2.0

Policy servers are not created if all resources are created at once #93

Closed ereslibre closed 3 years ago

ereslibre commented 3 years ago

Policy server deployments are not created

Reproducer:

diff --git a/charts/kubewarden-controller/Chart.yaml b/charts/kubewarden-controller/Chart.yaml
index f42f6ea..057325d 100644
--- a/charts/kubewarden-controller/Chart.yaml
+++ b/charts/kubewarden-controller/Chart.yaml
@@ -16,4 +16,4 @@ maintainers:
 version: 0.2.2

 # This is the version of kubewarden-controller container image to be used
-appVersion: "v0.3.2"
+appVersion: "latest"
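
Review bot: `appVersion: "latest"` replaces a pinned controller image tag with a mutable one, so the reproducer no longer identifies which controller build was exercised and the unchanged `version: 0.2.2` context line would describe a different controller over time; keep a pinned tag (or state the build you tested) in the reproducer.
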
diff --git a/charts/kubewarden-controller/values.yaml b/charts/kubewarden-controller/values.yaml
index fa88375..9a7b153 100644
--- a/charts/kubewarden-controller/values.yaml
+++ b/charts/kubewarden-controller/values.yaml
@@ -20,7 +20,7 @@ policyServer:
   replicaCount: 1
   image:
     repository: ghcr.io/kubewarden/policy-server
-    tag: "v0.1.10"
+    tag: "v0.2.1"
   serviceAccountName: policy-server
 # All permissions are cluster-wide. Even namespaced resources are
 # granted access in all namespaces at this time.

And run: helm install --wait --namespace kubewarden --create-namespace kubewarden-controller charts/kubewarden-controller

$ kubectl apply -f - <<EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa1
---
apiVersion: policies.kubewarden.io/v1alpha2
kind: PolicyServer
metadata:
  name: policyserver1
spec:
  image: ghcr.io/kubewarden/policy-server:v0.2.1
  replicas: 1
  env:
    - name: KUBEWARDEN_LOG_LEVEL
      value: debug
    - name: KUBEWARDEN_LOG_FMT
      value: jaeger
  annotations:
    sidecar.jaegertracing.io/inject: default
  serviceAccountName: sa1
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa2
---
apiVersion: policies.kubewarden.io/v1alpha2
kind: PolicyServer
metadata:
  name: policyserver2
spec:
  image: ghcr.io/kubewarden/policy-server:v0.2.1
  replicas: 1
  env:
    - name: KUBEWARDEN_LOG_LEVEL
      value: debug
    - name: KUBEWARDEN_LOG_FMT
      value: jaeger
  annotations:
    sidecar.jaegertracing.io/inject: default
  serviceAccountName: sa2
---
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-capabilities
spec:
  policyServer: policyserver1
  module: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.3
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    operations:
    - CREATE
    - UPDATE
  mutating: true
  settings:
    allowed_capabilities:
    - CHOWN
    required_drop_capabilities:
    - NET_ADMIN
---
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-capabilities2
spec:
  policyServer: policyserver2
  module: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.3
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    operations:
    - CREATE
    - UPDATE
  mutating: true
  settings:
    allowed_capabilities:
    - CHOWN
    required_drop_capabilities:
    - NET_ADMIN
---
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-capabilities3
spec:
  policyServer: policyserver1
  module: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.3
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    operations:
    - CREATE
    - UPDATE
  mutating: true
  settings:
    allowed_capabilities:
    - CHOWN
    required_drop_capabilities:
    - NET_ADMIN
---
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-capabilities4
spec:
  policyServer: policyserver2
  module: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.3
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    operations:
    - CREATE
    - UPDATE
  mutating: true
  settings:
    allowed_capabilities:
    - CHOWN
    required_drop_capabilities:
    - NET_ADMIN
---
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-capabilities5
spec:
  policyServer: policyserver1
  module: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.3
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    operations:
    - CREATE
    - UPDATE
  mutating: true
  settings:
    allowed_capabilities:
    - CHOWN
    required_drop_capabilities:
    - NET_ADMIN
EOF

This leads to the PolicyServer custom resources being created, but they are never reconciled. They don't have any conditions, and there is only one PolicyServer deployment: the default one.

Policies are all in pending state:

~ » k get clusteradmissionpolicy
NAME                MUTATING   STATUS
psp-capabilities    true       pending
psp-capabilities2   true       pending
psp-capabilities3   true       pending
psp-capabilities4   true       pending
psp-capabilities5   true       pending

ereslibre commented 3 years ago

The service account was created in the wrong namespace, sorry for the noise. Closing, works flawlessly!
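
A pre-apply check for the cause found here, as an added example that is not code from the kubewarden project: it assumes a PolicyServer's Deployment (and therefore its serviceAccountName lookup) lives in the namespace the controller was installed into (kubewarden in the helm command above), and that a ServiceAccount with no metadata.namespace is applied into the current kubectl context namespace. SAMPLE_MANIFEST is a constructed, trimmed version of the reproducer manifest.

```python
import re
# Constructed sample, trimmed to the fields this check reads: sa1 has no namespace
# (kubectl apply puts it in the context namespace), sa2 is created where the controller runs.
SAMPLE_MANIFEST = """\
kind: ServiceAccount
metadata:
  name: sa1
---
kind: PolicyServer
metadata:
  name: policyserver1
spec:
  serviceAccountName: sa1
---
kind: ServiceAccount
metadata:
  name: sa2
  namespace: kubewarden
---
kind: PolicyServer
metadata:
  name: policyserver2
spec:
  serviceAccountName: sa2
"""

# Minimal extractor for kind, metadata.name/namespace and spec.serviceAccountName;
# it assumes this two-space layout (as in the reproducer) and is not a YAML parser.
FIELD = re.compile(r"^(kind|  name|  namespace|  serviceAccountName):\s*(\S+)\s*$")

def parse_docs(manifest):
    docs = []
    for chunk in re.split(r"^---\s*$", manifest, flags=re.MULTILINE):
        doc = {m.group(1).strip(): m.group(2) for m in map(FIELD.match, chunk.splitlines()) if m}
        if "kind" in doc:
            docs.append(doc)
    return docs

def find_missing_service_accounts(manifest, target_ns, context_ns="default"):
    """(policy_server, sa, namespace the SA lands in) for each PolicyServer whose SA is not in target_ns."""
    docs = parse_docs(manifest)
    sa_locations = {(d.get("namespace", context_ns), d["name"]) for d in docs if d["kind"] == "ServiceAccount"}
    problems = []
    for d in docs:
        sa = d.get("serviceAccountName")
        if d["kind"] != "PolicyServer" or sa is None or (target_ns, sa) in sa_locations:
            continue
        elsewhere = [ns for ns, name in sa_locations if name == sa]
        problems.append((d["name"], sa, elsewhere[0] if elsewhere else "<not defined>"))
    return problems
```

Running it against the reproducer shape reports policyserver1 because sa1 lands in the context namespace rather than in kubewarden, which is exactly the silent "created but never reconciled" state seen above.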

flavio commented 3 years ago

Also, don't use this if you're not going to have a jaeger sidecar collecting the logs:

    - name: KUBEWARDEN_LOG_FMT
      value: jaeger

In this configuration, policy-server will attempt to connect to localhost:something; it will expect the jaeger collector to be there listening for incoming traces. If nothing is listening, this will cause an error inside of the policy-server. I think policy-server will keep running, but I'm not 100% sure.

ereslibre commented 3 years ago

In this configuration, policy-server will attempt to connect to localhost:something, it will expect the jaeger collector to be there listening for incoming traces. If nothing is listening, this will cause an error inside of the policy-server. I think policy-server will keep running, but I'm not 100% sure

It was running... but to be honest I was more focused on the behavior of the upper part of the stack. Thanks for the detail though!