Not able to deploy Danm 4.3.0 in kubernetes 1.21.8 using installer job.

Is this a BUG REPORT or FEATURE REQUEST?:

Uncomment only one, leave it on its own line:

bug feature

What happened: Not able to deploy Danm 4.3.0 in kubernetes 1.21.8 using installer job.

What you expected to happen: Danm should get deployed in Kubernetes 1.21.8 using installer job. How to reproduce it: kubectl apply -f integration/install

Anything else we need to know?:

controller-0:~$ kubectl logs -f -n kube-system danm-installer-g6xmc
Using configured image registry prefix: 10.222.26.1:30003/danm/
Using configured image tag: :2.0
Not using any image pull secret
Using supplied CNI configuration data

Using supplied CA certificate

Applying CRDs to extend Kubernetes API...
Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/clusternetworks.danm.k8s.io unchanged
customresourcedefinition.apiextensions.k8s.io/danmeps.danm.k8s.io unchanged
customresourcedefinition.apiextensions.k8s.io/tenantconfigs.danm.k8s.io unchanged
customresourcedefinition.apiextensions.k8s.io/tenantnetworks.danm.k8s.io unchanged

Creating Service Account
error: failed to create serviceaccount: serviceaccounts "danm" already exists
clusterrole.rbac.authorization.k8s.io/caas:danm unchanged
clusterrolebinding.rbac.authorization.k8s.io/caas:danm unchanged

Creating WebHook certificate...
creating certs in tmpdir /tmp/tmp.ldAphE
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
.....................+++++
e is 65537 (0x010001)
Warning: certificates.k8s.io/v1beta1 CertificateSigningRequest is deprecated in v1.19+, unavailable in v1.22+; use certificates.k8s.io/v1 CertificateSigningRequest
Error from server (AlreadyExists): error when creating "STDIN": certificatesigningrequests.certificates.k8s.io "danm-webhook-svc.kube-system" already exists

Environment:

DANM version (use danm -version): 4.3.0
Kubernetes version (use kubectl version): 1.21.8

DANM configuration (K8s manifests, kubeconfig files, CNI config file):


apiVersion: v1
kind: ServiceAccount
metadata:
name: danm-installer
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: caas:danm-installer
rules:

apiGroups:
- apiextensions.k8s.io resources:
- customresourcedefinitions verbs: [ "*" ]
apiGroups:
- rbac.authorization.k8s.io resources:
- clusterroles
- clusterrolebindings verbs:
- get
- create
- patch
apiGroups:
- "*" resources:
- serviceaccounts verbs:
- create
- get
- patch
apiGroups:
- "*" resources:
- secrets verbs:
- get
apiGroups:
- "" resources:
- pods verbs:
- get
- watch
- list
apiGroups:
- danm.k8s.io resources:
- clusternetworks
- danmeps
- danmnets
- tenantnetworks
- tenantconfigs verbs:
- "*"
apiGroups:
- "apps" resources:
- daemonsets
- deployments verbs:
- get
- create
- patch
apiGroups:
- "" resources:
- configmaps
- secrets
- services verbs:
- get
- create
- patch
apiGroups:
- "certificates.k8s.io" resources:
- certificatesigningrequests verbs:
- get
- list
- watch
- create
- update
apiGroups:
- "certificates.k8s.io" resources:
- certificatesigningrequests/approval verbs:
- update
apiGroups:
- "certificates.k8s.io" resources:
- signers resourceNames:
- kubernetes.io/legacy-unknown verbs:
- approve
apiGroups:
- "admissionregistration.k8s.io" resources:
- mutatingwebhookconfigurations verbs:
- get
- create
- patch
apiGroups:
- "" resources:
- endpoints verbs:
- list
- watch
- get
- update
- create
- delete
apiGroups:
- "" resources:
- events verbs:
- create
- update
- get
apiGroups:
- "" resources:
- services verbs:
- list
- watch
  
  apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: caas:danm-installer roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: caas:danm-installer subjects:
kind: ServiceAccount name: danm-installer namespace: kube-system

apiVersion: v1 kind: ConfigMap metadata: namespace: kube-system name: danm-installer-config data: #

DANM deployment mode. This MUST be either "lightweight" or "production". Please see the DANM user guide for

details on the two modes.

# deploy_mode: production

#

CNI configuration directory. Typically, this is "/etc/cni/net.d". This is the directory where your

current (bootstrap) CNI configuration is located, too.

# cni_dir: /etc/cni/net.d

#

CNI naming scheme. See section "Naming container interfaces" in the user guide for a more detailed

discussion. Set this parameter to "legacy" if you wish container interface names to be set exactly

according to DanmNet.Spec.Options.container_prefix, or to an empty string if you wish the first

interface to always be named "eth0".

# cni_naming_scheme: "legacy"

#

[OPTIONAL] Kubernetes API Root CA certificate. If left blank, the installer will obtain the

API server certificate from the Kubernetes API. Note, however, that placing a certificate here

is technically more secure (as it provides external verification of the CA certificate, rather

than blindly trusting the certificate that we see from the server) and also more future-proof

if the individual API server's certificate ever were to change in the future, to put the Root

CA certificate here. You can obtain this, for example, by running:

#

kubectl config view \

--flatten \

-o jsonpath='{.clusters[0].cluster.certificate-authority-data} \

| base64 -d

#

api_ca_cert: | -----BEGIN CERTIFICATE----- MIIC+jCCAeKgAwIBAgIIk8HzEIXtYm4wDQYJKoZIhvcNAQELBQAwIzEhMB8GA1UE AwwYY3NibHJsYWJzdnRjYzJlYzEwNGFkbWluMB4XDTIyMDIyMTA1NTQzM1oXDTQy MDIyMTA1NTQzM1owIzEhMB8GA1UEAwwYY3NibHJsYWJzdnRjYzJlYzEwNGFkbWlu MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1WBotGz6oqaZTYgDbLit wAsNe4+rJgcWVBAxlZ6BYJVtomISxx9VhYd+QgV5PaMMYl+GBJF/kP1mji+8uQNk SHXdf0y8IFAExYcLcAbQdjySHl/6Fjck5JNpXH1HMqrGSScKutb6k6AhfJk6iuBe IevssR6zIv3bn+gJTxhMFVkAoRLUjxfgEdRc+mzTCiZGHMnA0vCmHxtUEEc/gIjK 3dNcSCPPzK7fMgEia/ysG4S7EBHDXaoEzQoMkVVwrKNz7mb7oNSOXOx8bpRGbA== -----END CERTIFICATE----- #

This is the type of the CNI plugin used for your default (bootstrap) network.

The value can also be found in the "type" field of your bootstrap CNI configuration

file, eg. "cat ${cni_dir}/${default_cni_network_id}.conf | jq -Mr '.type'"

# default_cni_type: calico

#

The name of your bootstrap CNI configuration file, without the .conf extension.

This means that on each node in your cluster, in the ${cni_dir} directory, a file

with the name of "${default_cni_network_id}.conf" must exist. Alternatively,

a file with this name will be created if the ${default_cni_config_data} parameter

is also provided (below).

# default_cni_network_id: calico

#

[OPTIONAL] Bootstrap CNI configuration data. Typically, your bootstrap CNI plugin

should already be configured, so using this option should not be necessary. However,

there may be situations where using this option may be useful to distribute an

alternative configuration file for your bootstrap CNI plugin. If provided, the

contents of this variable are going to be written to a file named

"${default_cni_network_id}.conf" as above.

#

default_cni_config_data: | { "name": "k8s-pod-network", "cniVersion": "0.3.1", "type": "calico", "log_level": "info", "datastore_type": "kubernetes", "mtu": 1440, "ipam": { "type": "calico-ipam", "assign_ipv4": "true", "assign_ipv6": "false" }, "policy": { "type": "k8s" }, "kubernetes": { "kubeconfig": "/etc/cni/net.d/calico-kubeconfig" } }

#

[OPTIONAL] A prefix (such as a registry name) to be included in each container image.

Note that this can be any prefix you like, but if it is a registry name, then

the value specified here needs to include the trailing slash.

#

For example, if you wish to pull your "netwatcher" image from

"my-registry.example.com/namespace/netwatcher", then set this value to

"my-registry.example.com/namespace/". The same prefix will be applied for

all images.

# image_registry_prefix: 10.222.26.1:30003/danm/

#

[OPTIONAL] Image tag for each image. Defaults to "latest" if none specified.

# image_tag: "2.0"

#

[OPTIONAL] If your registry needs authentication, then this is the name

of a Kubernetes secret with registry credentials. This secret must already

exist and is not created by the installer.

#

image_pull_secret: my-registry-secret

#

Image Pull policy. Can be "Always", "Never", or "IfNotPresent".

# image_pull_policy: Always

apiVersion: batch/v1 kind: Job metadata: name: danm-installer namespace: kube-system spec: template: spec: serviceAccountName: danm-installer containers:
- name: danm-installer volumeMounts:
  - name: danm-installer-config mountPath: /config
    
    Update the next two lines as needed
    
    image: 10.222.26.1:30003/danm/danm-installer:2.0 imagePullPolicy: Always
  volumes:
- name: danm-installer-config configMap: name: danm-installer-config terminationGracePeriodSeconds: 0 restartPolicy: OnFailure
  
  Add this if needed:
  
  imagePullSecrets:
  
  - name: my-registry-secret

OS (e.g. from /etc/os-release):

Linux controller-0 5.10.74-200.1642.tis.rt.el7.x86_64 #1 SMP PREEMPT_RT Mon Jan 10 04:28:10 EST 2022 x86_64 x86_64 x86_64 GNU/Linux
CentOS Linux release 7.6.1810 (Core)

nokia / danm

Not able to deploy Danm 4.3.0 in kubernetes 1.21.8 using installer job. #266

watch

kind: ServiceAccount name: danm-installer namespace: kube-system

DANM deployment mode. This MUST be either "lightweight" or "production". Please see the DANM user guide for

details on the two modes.

CNI configuration directory. Typically, this is "/etc/cni/net.d". This is the directory where your

current (bootstrap) CNI configuration is located, too.

CNI naming scheme. See section "Naming container interfaces" in the user guide for a more detailed

discussion. Set this parameter to "legacy" if you wish container interface names to be set exactly

according to DanmNet.Spec.Options.container_prefix, or to an empty string if you wish the first

interface to always be named "eth0".

[OPTIONAL] Kubernetes API Root CA certificate. If left blank, the installer will obtain the

API server certificate from the Kubernetes API. Note, however, that placing a certificate here

is technically more secure (as it provides external verification of the CA certificate, rather

than blindly trusting the certificate that we see from the server) and also more future-proof

if the individual API server's certificate ever were to change in the future, to put the Root

CA certificate here. You can obtain this, for example, by running:

kubectl config view \

--flatten \

-o jsonpath='{.clusters[0].cluster.certificate-authority-data} \

| base64 -d

This is the type of the CNI plugin used for your default (bootstrap) network.

The value can also be found in the "type" field of your bootstrap CNI configuration

file, eg. "cat ${cni_dir}/${default_cni_network_id}.conf | jq -Mr '.type'"

The name of your bootstrap CNI configuration file, without the .conf extension.

This means that on each node in your cluster, in the ${cni_dir} directory, a file

with the name of "${default_cni_network_id}.conf" must exist. Alternatively,

a file with this name will be created if the ${default_cni_config_data} parameter

is also provided (below).

[OPTIONAL] Bootstrap CNI configuration data. Typically, your bootstrap CNI plugin

should already be configured, so using this option should not be necessary. However,

there may be situations where using this option may be useful to distribute an

alternative configuration file for your bootstrap CNI plugin. If provided, the

contents of this variable are going to be written to a file named

"${default_cni_network_id}.conf" as above.

[OPTIONAL] A prefix (such as a registry name) to be included in each container image.

Note that this can be any prefix you like, but if it is a registry name, then

the value specified here needs to include the trailing slash.

For example, if you wish to pull your "netwatcher" image from

"my-registry.example.com/namespace/netwatcher", then set this value to

"my-registry.example.com/namespace/". The same prefix will be applied for

all images.

[OPTIONAL] Image tag for each image. Defaults to "latest" if none specified.

[OPTIONAL] If your registry needs authentication, then this is the name

of a Kubernetes secret with registry credentials. This secret must already

exist and is not created by the installer.

image_pull_secret: my-registry-secret

Image Pull policy. Can be "Always", "Never", or "IfNotPresent".

# image_pull_policy: Always

Update the next two lines as needed

Add this if needed:

imagePullSecrets:

- name: my-registry-secret

The name of your bootstrap CNI configuration file, without the `.conf` extension.