oracle-actions / configure-kubectl-oke

Install and configure Kubectl for the specified Oracle Engine for Kubernetes (OKE) cluster
Universal Permissive License v1.0

Error: Cannot parse host from url when running configure-kubectl-oke-action (in CDG region) #13

Closed dario-vega closed 2 years ago

dario-vega commented 2 years ago

I am executing the following step in my workflow:

      - name: Configure Kubectl for Oracle Container Engine for Kubernetes (OKE)
        uses: oracle-actions/configure-kubectl-oke@v1.0
        id: configure-kubectl-oke-action
        with:
          cluster: ${{ secrets.OKE_CLUSTER_OCID }}  

It is working when running in us-ashburn-1. Unfortunately, when running the same workflow using eu-paris-1 as the target region, I have the following error:

Error: Cannot parse host from URL 

Can you help me with it?

Note: To validate that I have access from the public endpoint, I am testing the deployment using Cloud Shell

Djelibeybi commented 2 years ago

What value are you providing for OCI_CLI_REGION? I want to make sure I can reproduce this accurately. Note that this should be set to eu-paris-1 not your home region for this workflow.

dario-vega commented 2 years ago

Yes, the value for OCI_CLI_REGION is eu-paris-1

I am using the same values used to setup access to my Kubernetes cluster in Cloud Shell.

oci ce cluster create-kubeconfig --cluster-id ocid1.cluster.oc1.eu-paris-1.aaaaa....a --file $HOME/.kube/config --region eu-paris-1 --token-version 2.0.0 --kube-endpoint PUBLIC_ENDPOINT

Djelibeybi commented 2 years ago

Can you share your GitHub Actions YAML file, perhaps? Just so I can check that all the right things are configured to enable this to work. Once that's confirmed, we can look at your GitHub Secrets and how they're formatted.

dario-vega commented 2 years ago

Here is the full script. I have 2 clusters in 2 different regions. It is working in us-ashburn-1:

name: Deploy Demo VoD in OCI

on:
  push:
    branches:
      - main
    paths:
      - 'demo-vod/*'
      - '.github/workflows/deploy-oke-oci-cli-demo-vod.yml'
  workflow_dispatch:

env:
  IMAGE_NAME: demo-vod-streaming-app

jobs:
  deploy-oci:
    name: Deploy VoD Demo in OCI
    #needs: push-build-image
    runs-on: ubuntu-latest
    environment: OCI    
    env:
      OCI_CLI_USER: ${{ secrets.OCI_CLI_USER }}
      OCI_CLI_TENANCY: ${{ secrets.OCI_CLI_TENANCY }}
      OCI_CLI_FINGERPRINT: ${{ secrets.OCI_CLI_FINGERPRINT }}
      OCI_CLI_KEY_CONTENT: ${{ secrets.OCI_CLI_KEY_CONTENT }}
      OCI_CLI_REGION: ${{ secrets.OCI_CLI_REGION }}
    steps:
      - uses: actions/checkout@v2

      - name: Retrieve the OCID of a named compartment in tenancy
        uses: oracle-actions/run-oci-cli-command@v1.0
        id: find-compartment-id
        with:
          command: 'iam compartment list --compartment-id-in-subtree=true'
          query: "data[?name=='davega'].id"

      - name: Set the ddl-table-name
        id: ddl-table-name
        run: |
          DDL_TABLE=$(cat demo-vod/demo-stream-acct.ddl)
          DDL_TABLE="${DDL_TABLE//$'\n'/' '}"
          DDL_TABLE="${DDL_TABLE//$'\r'/' '}"
          echo $DDL_TABLE
          echo "::set-output name=ddl-table-name::${DDL_TABLE,,}"

      - name: Set the ddl-limits
        id: table-limits
        run: |
          TABLE_LIMITS='{\"maxReadUnits\":50,\"maxStorageInGBs\":25,\"maxWriteUnits\": 50}'
          echo $TABLE_LIMITS
          echo "::set-output name=table-limits::${TABLE_LIMITS,,}"

      - name: Create NoSQL Table
        uses: oracle-actions/run-oci-cli-command@v1.0
        id: create-table
        with:
          command: 'nosql table create --compartment-id ${{ steps.find-compartment-id.outputs.raw_output }}  --name stream_acct --ddl-statement "${{ steps.ddl-table-name.outputs.ddl-table-name  }}" --table-limits "${{ steps.table-limits.outputs.table-limits  }}" --wait-for-state SUCCEEDED --wait-for-state FAILED'

      - name: Retrieve the display name and table limits of the NoSQL tables in my compartment
        uses: oracle-actions/run-oci-cli-command@v1.0
        id: find-tables
        with:
          command: 'nosql table list --compartment-id ${{ steps.find-compartment-id.outputs.raw_output }}'
          query: 'data.items[*].{name:name,tlimits:\"table-limits\"}'

      - name: List the display name and table limits of the NoSQL tables in my compartment
        run: |
          echo ${{ steps.find-tables.outputs.output }} | jq .

      - name: Configure Kubectl for Oracle Container Engine for Kubernetes (OKE)
        uses: oracle-actions/configure-kubectl-oke@v1.0
        id: configure-kubectl-oke-action
        with:
          cluster: ${{ secrets.OKE_CLUSTER_OCID }}        
      - name: Deploy oracle-app-ndcs-deployment and Get all resources
        run:  | 
          kubectl apply -f ./oracle-app-ndcs-deployment.yaml
          sleep 120
          kubectl get all

Djelibeybi commented 2 years ago

Does your cluster in Paris have a public endpoint? If not, GitHub won't be able to configure kubectl to connect to it.

dario-vega commented 2 years ago

Yes, and I tested using Cloud Shell. I opened the port 6443 too.

oci ce cluster create-kubeconfig --cluster-id ocid1.cluster.oc1.eu-paris-1.aaaaa....a --file $HOME/.kube/config --region eu-paris-1 --token-version 2.0.0 --kube-endpoint PUBLIC_ENDPOINT

Djelibeybi commented 2 years ago

Interesting. That command is essentially exactly what the action is running under the hood, so this is intriguing. Could you perhaps set the repo private and run the action with debug logging enabled? That would give us more insight, but may expose OCIDs if the repo is public.

Djelibeybi commented 2 years ago

Note that Cloud Shell can access clusters via their private IP and you shouldn't need to open any ports for the Kubernetes API if you have a public endpoint. It connects to the control plane which is managed by OCI, not you.

Djelibeybi commented 2 years ago

Can you please check oci ce cluster list --compartment-id <compartment_ocid> or oci ce cluster get --cluster-id <cluster_ocid> and check the endpoints stanza to make sure the public endpoint actually has a public IP address?

dario-vega commented 2 years ago

   "endpoint-config": {
      "is-public-ip-enabled": true,
      "nsg-ids": [],
      "subnet-id": "ocid1.subnet.oc1.eu-paris-1.aaaaaaaaq7....eb6lu6t6watspa"
    },
    "endpoints": {
      "kubernetes": null,
      "private-endpoint": "10.0.0.111:6443",
      "public-endpoint": "141.xxx.xxx.255:6443",
      "vcn-hostname-endpoint": "cu......4a.sub09161125410.demoevents.oraclevcn.com:6443"
    },

dario-vega commented 2 years ago
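The endpoint check Djelibeybi asks for above, as an added example that is not part of this thread or of the action's own code: it parses `oci ce cluster get` output, confirms a public endpoint is present, parses it the way a kubeconfig generator would (host and port out of a URL), and flags an RFC 1918 address where a public one is expected. The JSON is a constructed sample modelled on the stanza quoted above, with a documentation-range placeholder IP rather than a real cluster address.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Constructed sample modelled on the `oci ce cluster get` stanza quoted in this thread.
# 203.0.113.45 is a documentation-range placeholder, not a real cluster address.
SAMPLE_CLUSTER_JSON = """
{
  "data": {
    "endpoint-config": {
      "is-public-ip-enabled": true,
      "nsg-ids": [],
      "subnet-id": "ocid1.subnet.oc1.eu-paris-1.EXAMPLE"
    },
    "endpoints": {
      "kubernetes": null,
      "private-endpoint": "10.0.0.111:6443",
      "public-endpoint": "203.0.113.45:6443",
      "vcn-hostname-endpoint": "EXAMPLE.sub01.demo.oraclevcn.com:6443"
    }
  }
}
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_public_endpoint(cluster_json: str) -> dict:
    """Report whether a runner outside the VCN (e.g. GitHub-hosted) can reach the API server."""
    data = json.loads(cluster_json)["data"]
    cfg = data.get("endpoint-config") or {}
    endpoints = data.get("endpoints") or {}
    report = {"public_ip_enabled": bool(cfg.get("is-public-ip-enabled")),
              "host": None, "port": None, "problems": []}
    raw = endpoints.get("public-endpoint")
    if not raw:
        report["problems"].append("no public-endpoint: a hosted runner cannot reach the API server")
        return report
    # Mirror what a kubeconfig generator does: build a URL from host:port and parse the host back out.
    parsed = urlparse(f"https://{raw}")
    if not parsed.hostname:
        report["problems"].append(f"cannot parse host from URL https://{raw}")
        return report
    report["host"], report["port"] = parsed.hostname, parsed.port
    try:
        addr = ipaddress.ip_address(parsed.hostname)
        if any(addr in net for net in RFC1918):
            report["problems"].append("public-endpoint carries an RFC 1918 address")
    except ValueError:
        pass  # a DNS name rather than a literal IP is acceptable here
    if not report["public_ip_enabled"]:
        report["problems"].append("is-public-ip-enabled is false")
    return report
```

Feed it the real output with `oci ce cluster get --cluster-id <cluster_ocid>`; an empty `problems` list means the action should at least be able to reach the endpoint.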

My current repository is public. I don't have the option [Environments] in private repositories. When trying to run my current workflow in a private repository I get the following, but it is normal:

Error: The process '/home/runner/.local/bin/oci' failed with exit code 1
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Retrieve the OCID of a named compartment in tenancy

Do I need to change to use secrets instead of Environments?

Djelibeybi commented 2 years ago

You should be using Secrets regardless of whether you use environments or not. If you're using environments, you need to make sure you're retrieving the correct secrets for the workflow to complete successfully.

dario-vega commented 2 years ago

I am setting the variables; the workflow runs successfully if I use Ashburn. I will test with another non-home region.

Djelibeybi commented 2 years ago

Let me spin up some OKE clusters in a non-home region and see if I can reproduce the issue.