openshift-pipelines / pipeline-service

SaaS for Tekton Pipelines
Apache License 2.0

Remove immutability to chains signing-secrets #962

Closed Roming22 closed 5 months ago

Roming22 commented 5 months ago

Now that the secret is managed by an ExternalSecret, the secret should not be immutable so the secret can be synced.

rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED
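The constraint in the PR description above, as an added example that is not part of the PR or the project's own code: Kubernetes rejects data updates to a Secret with `immutable: true`, so an ExternalSecret cannot sync into it. The check below runs over the `.items` of `kubectl get secrets,externalsecrets -A -o json`; the namespaces and the `results-db`/`db-creds` names in the sample are constructed for illustration.

```python
import json
import sys

# Constructed sample with the shape of `.items` from
# `kubectl get secrets,externalsecrets -A -o json`; names and namespaces are illustrative.
SAMPLE_ITEMS = [
    {"kind": "ExternalSecret", "metadata": {"name": "signing-secrets", "namespace": "tekton-chains"},
     "spec": {"target": {}}},
    {"kind": "Secret", "metadata": {"name": "signing-secrets", "namespace": "tekton-chains"},
     "immutable": True},
    {"kind": "ExternalSecret", "metadata": {"name": "results-db", "namespace": "tekton-results"},
     "spec": {"target": {"name": "db-creds"}}},
    {"kind": "Secret", "metadata": {"name": "db-creds", "namespace": "tekton-results"}},
    # Immutable but not an ExternalSecret target: must not be reported.
    {"kind": "Secret", "metadata": {"name": "signing-secrets", "namespace": "other"},
     "immutable": True},
]


def externalsecret_targets(items):
    """Map (namespace, target Secret name) -> owning ExternalSecret name."""
    targets = {}
    for obj in items:
        if obj.get("kind") != "ExternalSecret":
            continue
        meta = obj["metadata"]
        target = (obj.get("spec") or {}).get("target") or {}
        # spec.target.name defaults to the ExternalSecret's own name when unset.
        secret_name = target.get("name") or meta["name"]
        targets[(meta.get("namespace", "default"), secret_name)] = meta["name"]
    return targets


def immutable_sync_targets(items):
    """Return sorted (namespace, secret) pairs an ExternalSecret targets but cannot update."""
    targets = externalsecret_targets(items)
    blocked = []
    for obj in items:
        if obj.get("kind") != "Secret" or obj.get("immutable") is not True:
            continue
        key = (obj["metadata"].get("namespace", "default"), obj["metadata"]["name"])
        if key in targets:
            blocked.append(key)
    return sorted(blocked)


if __name__ == "__main__":
    # With a file argument, read real `kubectl ... -o json` output instead of the sample.
    items = json.load(open(sys.argv[1]))["items"] if len(sys.argv) > 1 else SAMPLE_ITEMS
    for namespace, name in immutable_sync_targets(items):
        print(f"{namespace}/{name}: immutable Secret is an ExternalSecret target; data updates will be rejected")
```
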

Roming22 commented 5 months ago

@gabemontero I'll slowly be adding back the changes that we needed to revert when I deprecated the creation of the signing-secrets. This change has been validated on infra-deployment in this PR.

Roming22 commented 5 months ago

Here are the links to the PRs that:

gabemontero commented 5 months ago

> Here are the links to the PRs that:
>
> * [gives ownership of the signing-secret to ExternalSecret](https://github.com/redhat-appstudio/infra-deployments/pull/3276)
> * [sets the Orphan flag](https://github.com/redhat-appstudio/infra-deployments/pull/3288).

yep those are the guys

does it make sense to add some comment in the script noting those items dependencies for the signing secret stuff in this repo?

Roming22 commented 5 months ago

/retest

gabemontero commented 5 months ago

ok I'll watch the test logs live, see if I can ascertain what is up

/retest

gabemontero commented 5 months ago

also, given the validation that has already occurred in https://github.com/openshift-pipelines/tektoncd-results/pull/65 I'm inclined to merge this if these pipeline-service CI issues cannot be sorted out, but let's see how much triage progress I can make today.

fwiw, the 2 current test jobs have been stuck in deploy-cluster for about 25 minutes as I type

gabemontero commented 5 months ago

So this error was repeated several times in deploy-pipeline-service:

```
+ echo '[cluster-setup]'
+ echo '- Enabling HTTP2 for ingress:'
+ oc annotate ingresses.config/cluster ingress.operator.openshift.io/default-enable-http2=true --overwrite=true
+ indent 2
+ offset=2
++ printf %2s
+ sed 's/^/  /'
Error from server (Only privileged service accounts may access): admission webhook "ingress-config-validation.managed.openshift.io" denied the request: Only privileged service accounts may access
command terminated with exit code 1
Failed to execute dev_setup.sh script, retrying ...
+ echo 'Failed to execute dev_setup.sh script, retrying ...'
+ sleep 5
```

but the task was ultimately deemed successful.

Then, test-pipeline-service failed quickly with:

```
[chains]
+ kubectl apply -k /workspace/source/operator/test/manifests/test/tekton-chains -n plnsvc-tests
serviceaccount/chains-test created
rolebinding.rbac.authorization.k8s.io/chains-test-edit-rolebinding created
rolebinding.rbac.authorization.k8s.io/chains-test-scc-rolebinding created
error: resource mapping not found for name: "simple-copy" namespace: "plnsvc-tests" from "/workspace/source/operator/test/manifests/test/tekton-chains": no matches for kind "Pipeline" in version "tekton.dev/v1"
ensure CRDs are installed first
command terminated with exit code 1
+ exit 1
```

which tells me the deploy-pipeline-service really did fail as the CRDs are not there

attaching the logs for others, I'll start looking at them in detail: deploy-pipeline-service.log, test-pipeline-service.log