Closed denist-huma closed 2 years ago
hi, @denist-huma may I ask quay.io/denistrofimov/mongodb-atlas-kubernetes:v0.6.1-dt - was this image built from the master branch? ( = what's the difference between versions with 0.6.1? can we get the commitID it was built on?)
Is this a cluster wide or multinamespaced configuration (was watched_namespace used)? was the configuration from deploy/... directory?
It would really help if you can provide operator deployment yaml configuration, cluster role/service account/binding yaml
what namespaces have atlasproject/cluster/user?
Thank you
> hi, @denist-huma may I ask quay.io/denistrofimov/mongodb-atlas-kubernetes:v0.6.1-dt - was this image built from the master branch? ( = what's the difference between versions with 0.6.1? can we get the commitID it was built on?)

You are welcome, @leo-ri. The 1st URL you listed leads to https://quay.io/repository/denistrofimov/mongodb-atlas-kubernetes?tag=v0.6.1-dt&tab=tags The commit corresponds to the tag of my fork, https://github.com/denist-huma/mongodb-atlas-kubernetes/releases/tag/v0.6.1-dt

> Is this a cluster wide or multinamespaced configuration (was watched_namespace used)? was the configuration from deploy/... directory? It would really help if you can provide operator deployment yaml configuration, cluster role/service account/binding yaml what namespaces have atlasproject/cluster/user? Thank you
Cluster-wide; watched_namespace is not used. I have no clue about it, how can it help me? That was related to the 0.2.2 version of the chart:
```
$ helm list -n atlas-operator
NAME            NAMESPACE       REVISION  UPDATED                                  STATUS    CHART                           APP VERSION
atlas-operator  atlas-operator  6         2021-11-24 15:38:30.300030088 +0300 MSK  deployed  mongodb-atlas-operator-0.2.2    0.5.0
$ helm get values -n atlas-operator atlas-operator
USER-SUPPLIED VALUES:
affinity: {}
atlasURI: https://cloud.mongodb.com
disableAtlasClusterReconciler: "true"
fullnameOverride: ""
image:
  pullPolicy: Always
  repository: quay.io/denistrofimov/mongodb-atlas-kubernetes
  tag: v0.6.1-dt
imagePullSecrets:
- name: regcred
mongodb-atlas-operator-crds:
  enabled: true
nameOverride: ""
nodeSelector: {}
podAnnotations: {}
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 2000
resources:
  limits:
    cpu: 500m
    memory: 256Mi
  requests:
    cpu: 100m
    memory: 50Mi
securityContext:
  allowPrivilegeEscalation: false
serviceAccount:
  annotations: {}
  create: true
  name: ""
tolerations: []
watchNamespaces: ""
```
I searched in the output to help you.
helm get manifest -n atlas-operator atlas-operator > manifest.out.yaml
The problem I expect is in the role mongodb-atlas-operator-leader-election-role, IMHO. That is the only one that mentions the "events" resource.
The root of the error is that the role mongodb-atlas-operator-leader-election-role is in the namespace atlas-operator, but the AtlasDatabaseUser is in the namespace "operator-sandbox", as I said in the first message.
While creating AtlasDatabaseUser "operator-sandbox/todo-app". User "system:serviceaccount:atlas-operator:mongodb-atlas-operator" cannot create resource "events" in API group "" in the namespace "operator-sandbox"
That I took from a live deployment:
```
# $ kg -o yaml role mongodb-atlas-operator-leader-election-role -n atlas-operator
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    meta.helm.sh/release-name: atlas-operator
    meta.helm.sh/release-namespace: atlas-operator
  creationTimestamp: "2021-07-07T16:05:53Z"
  labels:
    app.kubernetes.io/managed-by: Helm
  name: mongodb-atlas-operator-leader-election-role
  namespace: atlas-operator
  resourceVersion: "178576170"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/atlas-operator/roles/mongodb-atlas-operator-leader-election-role
  uid: 2b9b0b66-a08b-4bbe-a45e-c52168e549e5
rules:
- apiGroups:
  - ""
  - coordination.k8s.io
  resources:
  - configmaps
  - leases
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
```
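The namespace mismatch described in the comment above, as an added example that is not part of the thread or of the operator's code: a small evaluator for how RBAC scopes a Role that is bound by a RoleBinding. The Role rules are copied from the YAML above; the RoleBinding and the `example-events-writer` ClusterRole and ClusterRoleBinding are assumptions, since the page shows neither the binding nor the newer chart's rules.

```python
SA = "system:serviceaccount:atlas-operator:mongodb-atlas-operator"  # from the page's error
EVENTS_RULE = {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]}
ROLES = [
    # Rules copied from the Role shown on the page.
    {"kind": "Role", "namespace": "atlas-operator",
     "name": "mongodb-atlas-operator-leader-election-role",
     "rules": [{"apiGroups": ["", "coordination.k8s.io"],
                "resources": ["configmaps", "leases"],
                "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
               EVENTS_RULE]},
    # Hypothetical cluster-wide role; NOT the contents of any chart release.
    {"kind": "ClusterRole", "namespace": None, "name": "example-events-writer",
     "rules": [EVENTS_RULE]},
]
# Assumed binding (not shown on the page): binds the Role inside atlas-operator only.
NAMESPACED_BINDINGS = [
    {"kind": "RoleBinding", "namespace": "atlas-operator", "subjects": [SA],
     "roleRef": ("Role", "mongodb-atlas-operator-leader-election-role")},
]
# Hypothetical addition that grants event creation in every namespace.
CLUSTER_WIDE_BINDINGS = NAMESPACED_BINDINGS + [
    {"kind": "ClusterRoleBinding", "namespace": None, "subjects": [SA],
     "roleRef": ("ClusterRole", "example-events-writer")},
]

def _matches(allowed, wanted):
    return "*" in allowed or wanted in allowed

def can_i(subject, verb, group, resource, namespace, bindings, roles=ROLES):
    """Return True if a binding grants subject the verb on group/resource in namespace."""
    for b in bindings:
        # Skip other subjects; a RoleBinding grants only inside its own namespace.
        if subject not in b["subjects"] or (
                b["kind"] == "RoleBinding" and b["namespace"] != namespace):
            continue
        for r in roles:
            if (r["kind"], r["name"]) != b["roleRef"]:
                continue
            # A namespaced Role is resolved in the binding's namespace.
            if r["kind"] == "Role" and r["namespace"] != b["namespace"]:
                continue
            if any(_matches(x["apiGroups"], group) and _matches(x["resources"], resource)
                   and _matches(x["verbs"], verb) for x in r["rules"]):
                return True
    return False

if __name__ == "__main__":
    for ns in ("atlas-operator", "operator-sandbox"):
        print(ns, can_i(SA, "create", "", "events", ns, NAMESPACED_BINDINGS))
```

On a live cluster the same question is answered by `kubectl auth can-i create events --as=system:serviceaccount:atlas-operator:mongodb-atlas-operator -n operator-sandbox`.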
@denist-huma,
The version in this repo (0.6.0+) does not match the version of the operator chart 0.2.2, repo version requires the use of chart mongodb-atlas-operator-0.2.4 or higher (0.2.5). Reconciliation events were introduced later in operator 0.6.0 version and chart version 0.2.2 does not have the right permissions for the serviceaccount, permissions were added in 0.2.4-0.2.5 atlas-operator chart
@leo-ri hey thanks for the suggestion. I switched to my updated fork of the chart now https://github.com/denist-huma/helm-charts/tree/compose-operator-dep.
What did you do to encounter the bug? Steps to reproduce the behavior:
While creating AtlasDatabaseUser "operator-sandbox/todo-app". User "system:serviceaccount:atlas-operator:mongodb-atlas-operator" cannot create resource "events" in API group "" in the namespace "operator-sandbox"

What did you expect? A clear and concise description of what you expected to happen.
Put an event I guess.

What happened instead? A clear and concise description of what happened instead
nothing