outscale / cluster-api-provider-outscale

BSD 3-Clause "New" or "Revised" License

[Bug]: 401 Unauthorized Can not create net for Osccluster default/test #177

Closed pierreozoux closed 1 year ago

pierreozoux commented 1 year ago

What happened

Hi!

I'm trying my first attempt with, and don't have experience with:

Bear with me, I guess it is more a documentation issue than a bug on your side.

Trying to follow: https://github.com/outscale-dev/cluster-api-provider-outscale/blob/0a72fd45cbe3dfbd2b08fc2b10efd465acd92125/docs/src/topics/get-started-with-clusterctl.md

At the moment, I have a token, which I think has enough access, but probably somehow, not.

I have this:

```
kubectl get cluster-api  -A
NAMESPACE   NAME                                                         AGE
default     kubeadmconfigtemplate.bootstrap.cluster.x-k8s.io/test-md-0   101m

NAMESPACE   NAME                                           CLUSTER   REPLICAS   READY   UPDATED   UNAVAILABLE   PHASE   AGE    VERSION
default     machinedeployment.cluster.x-k8s.io/test-md-0   test                                                         101m   v1.22.11

NAMESPACE   NAME                            PHASE          AGE    VERSION
default     cluster.cluster.x-k8s.io/test   Provisioning   101m   

NAMESPACE                              NAME                                                           AGE    TYPE                     PROVIDER      VERSION
capi-kubeadm-bootstrap-system          provider.clusterctl.cluster.x-k8s.io/bootstrap-kubeadm         157m   BootstrapProvider        kubeadm       v1.2.5
capi-kubeadm-control-plane-system      provider.clusterctl.cluster.x-k8s.io/control-plane-kubeadm     157m   ControlPlaneProvider     kubeadm       v1.2.5
capi-system                            provider.clusterctl.cluster.x-k8s.io/cluster-api               157m   CoreProvider             cluster-api   v1.2.5
cluster-api-provider-outscale-system   provider.clusterctl.cluster.x-k8s.io/infrastructure-outscale   157m   InfrastructureProvider   outscale      v0.1.1

NAMESPACE   NAME                                                                   CLUSTER   INITIALIZED   API SERVER AVAILABLE   REPLICAS   READY   UPDATED   UNAVAILABLE   AGE    VERSION
default     kubeadmcontrolplane.controlplane.cluster.x-k8s.io/test-control-plane   test                               
```

And looking at the logs, it seems, I'm not able to create network.

Step to reproduce

Followed getting started.

Expected to happen

Have a running cluster

Add anything

I'm on cloudgouv.

cluster-api output

```
1.6685256666635454e+09 DEBUG controller-runtime.webhook.webhooks received request {"webhook": "/validate-infrastructure-cluster-x-k8s-io-v1beta1-osccluster", "UID": "xx", "kind": "infrastructure.cluster.x-k8s.io/v1beta1, Kind=OscCluster", "resource": {"group":"infrastructure.cluster.x-k8s.io","version":"v1beta1","resource":"oscclusters"}}
1.6685256666640975e+09 INFO osccluster-resource validate update {"name": "test"}
1.668525666664218e+09 INFO osccluster-resource validate update old loadBalanceName {"loadBalanceName": "test-k8s"}
1.6685256666643326e+09 INFO osccluster-resource validate update old loadBalanceName {"loadBalanceName": "test-k8s"}
1.668525666664512e+09 DEBUG controller-runtime.webhook.webhooks wrote response {"webhook": "/validate-infrastructure-cluster-x-k8s-io-v1beta1-osccluster", "code": 200, "reason": "", "UID": "xx", "allowed": true}
1.668525666668407e+09 DEBUG Cluster for OscCluster not found, skipping mapping. {"objectMapper": "oscClusterToOscMachine", "namespace": "default", "oscCluster": "test"}
1.6685256666708996e+09 INFO controller.osccluster Create loadBalancer {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default", "loadBalancerName": "test-k8s"}
1.6685256666709535e+09 INFO controller.osccluster Reconcile OscCluster {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256667176352e+09 DEBUG controller-runtime.webhook.webhooks received request {"webhook": "/validate-infrastructure-cluster-x-k8s-io-v1beta1-osccluster", "UID": "xx", "kind": "infrastructure.cluster.x-k8s.io/v1beta1, Kind=OscCluster", "resource": {"group":"infrastructure.cluster.x-k8s.io","version":"v1beta1","resource":"oscclusters"}}
1.6685256667514713e+09 INFO osccluster-resource validate update {"name": "test"}
1.6685256667582443e+09 INFO osccluster-resource validate update old loadBalanceName {"loadBalanceName": "test-k8s"}
1.6685256667584748e+09 INFO osccluster-resource validate update old loadBalanceName {"loadBalanceName": "test-k8s"}
1.6685256667586048e+09 DEBUG controller-runtime.webhook.webhooks wrote response {"webhook": "/validate-infrastructure-cluster-x-k8s-io-v1beta1-osccluster", "code": 200, "reason": "", "UID": "xx", "allowed": true}
1.668525666779508e+09 INFO controller.osccluster Check Net name parameters {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256667814357e+09 INFO controller.osccluster Check Net IpRange parameters {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256667822628e+09 INFO controller.osccluster Check subnet name parameters {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.668525666782798e+09 INFO controller.osccluster Check Subnet IpsubnetRange parameters {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256667833855e+09 INFO controller.osccluster Check Subnet IpsubnetRange parameters {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256667860775e+09 INFO controller.osccluster Check Subnet IpsubnetRange parameters {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.668525666788036e+09 INFO controller.osccluster Check Subnet IpsubnetRange parameters {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256667913086e+09 INFO controller.osccluster Check Internet Service parameters {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256667920208e+09 INFO controller.osccluster Check Public Ip parameters {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256667927682e+09 INFO controller.osccluster Check Nat name parameters {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.668525666815625e+09 INFO controller.osccluster Check Route table parameters {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256668257895e+09 INFO controller.osccluster Check security group parameters {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256668346226e+09 INFO controller.osccluster Check Route parameters {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.66852566683543e+09 INFO controller.osccluster Check route destination IpRange parameters {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256668364851e+09 INFO controller.osccluster Check route destination IpRange parameters {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256668373363e+09 INFO controller.osccluster Check route destination IpRange parameters {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256668380733e+09 INFO controller.osccluster Check route destination IpRange parameters {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256668382602e+09 INFO controller.osccluster Check security Group rule parameters {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256668812041e+09 INFO controller.osccluster Check LoadBalancer name parameters {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256668815877e+09 INFO controller.osccluster check unique routetable {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256668817103e+09 INFO controller.osccluster check unique security group rule {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.668525666881726e+09 INFO controller.osccluster check unique route {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.668525666881734e+09 INFO controller.osccluster check unique security group rule {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256668817422e+09 INFO controller.osccluster Check unique name publicIp {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256668818374e+09 INFO controller.osccluster Check unique subnet {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256668818455e+09 INFO controller.osccluster check match public ip with nat service {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256668818552e+09 INFO controller.osccluster check match subnet with route table service {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256668818634e+09 INFO controller.osccluster check match subnet with nat service {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256668818722e+09 INFO controller.osccluster check match subnet with loadBalancer {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256668818808e+09 INFO controller.osccluster check match securityGroup with loadBalancer {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256668819072e+09 INFO controller.osccluster Set OscCluster status to not ready {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256668819168e+09 INFO controller.osccluster Create Net {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default"}
1.6685256668819258e+09 INFO controller.osccluster Create the desired net {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default", "netName": "test-net-xx"}
2022/11/15 15:21:06 POST /api/v1/CreateNet HTTP/1.1
Host: api.cloudgouv-eu-west-1.outscale.com
User-Agent: cluster-api-provider-outscale/v0.1.1
Content-Length: 26
Accept: application/json
Authorization: xx SignedHeaders=accept;content-type;host;x-amz-date, Signature=xx
Content-Type: application/json
X-Amz-Date: 20221115T152106Z
Accept-Encoding: gzip

{"IpRange":"10.0.0.0/24"}

2022/11/15 15:21:07 HTTP/1.1 401 Unauthorized
Content-Length: 131
Access-Control-Allow-Origin: *
Content-Type: application/json
Date: Tue, 15 Nov 2022 15:21:07 GMT
Server: api-gw/0

{"Errors":[{"Type":"AccessDenied","Details":"","Code":"4"}],"ResponseContext":{"RequestId":"x"}}
xx ERROR controller.osccluster failed to reconcile net {"reconciler group": "infrastructure.cluster.x-k8s.io", "reconciler kind": "OscCluster", "name": "test", "namespace": "default", "error": "401 Unauthorized Can not create net for Osccluster default/test"}
github.com/outscale-dev/cluster-api-provider-outscale.git/controllers.(OscClusterReconciler).Reconcile
    /workspace/controllers/osccluster_controller.go:150
sigs.k8s.io/controller-runtime/pkg/internal/controller.(Controller).Reconcile
    /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/internal/controller/controller.go:114
sigs.k8s.io/controller-runtime/pkg/internal/controller.(Controller).reconcileHandler
    /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/internal/controller/controller.go:311
sigs.k8s.io/controller-runtime/pkg/internal/controller.(Controller).processNextWorkItem
    /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/internal/controller/controller.go:266
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
    /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/internal/controller/controller.go:227
```

Environment

- Kubernetes version: (use `kubectl version`): 1.22.11
- OS (e.g. from `/etc/os-release`): Not relevant
- Kernel (e.g. `uname -a`): Not relevant
- cluster-api-provider-outscale version: latest
- cluster-api version: Not relevant
- Install tools: Not relevant
- Kubernetes Distribution: Not relevant
- Kubernetes Distribution version: Not relevant

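A helper for sharing and triaging a controller log like the one in this report, as an added example that is not part of the original post or of the project's code: `redact` masks the `Authorization` credential and signature in the HTTP dump, and `failed_calls` lists each API response with status 400 or above together with the error type and code from its body. The sample log is constructed (placeholder scheme, key id and signature), and both function names are hypothetical.

```python
import json
import re

# Constructed sample shaped like the HTTP dump in the report; the scheme,
# key id and signature values are placeholders, not real credentials.
SAMPLE_LOG = """\
2022/11/15 15:21:06 POST /api/v1/CreateNet HTTP/1.1
Host: api.cloudgouv-eu-west-1.outscale.com
Authorization: EXAMPLE-SCHEME Credential=EXAMPLEKEYID/20221115/scope, SignedHeaders=accept;content-type;host;x-amz-date, Signature=0123abcd

{"IpRange":"10.0.0.0/24"}

2022/11/15 15:21:07 HTTP/1.1 401 Unauthorized
Content-Type: application/json

{"Errors":[{"Type":"AccessDenied","Details":"","Code":"4"}],"ResponseContext":{"RequestId":"x"}} xx ERROR controller.osccluster failed to reconcile net
"""

AUTH_RE = re.compile(r"^(Authorization:)\s.*$", re.M | re.I)
REQ_RE = re.compile(r"(?:^|\s)(?:GET|POST|PUT|DELETE) (/\S+) HTTP/\d")
RESP_RE = re.compile(r"(?:^|\s)HTTP/\d(?:\.\d)? (\d{3})\b")

def redact(log):
    """Mask credential and signature, keeping only the SignedHeaders list."""
    def mask(m):
        signed = re.search(r"SignedHeaders=[^,\s]+", m.group(0))
        kept = f" {signed.group(0)}," if signed else ""
        return f"{m.group(1)} xx{kept} Signature=xx"
    return AUTH_RE.sub(mask, log)

def failed_calls(log):
    """Return one dict per API response with an HTTP status >= 400."""
    out, path, pending = [], None, None
    decoder = json.JSONDecoder()
    for line in log.splitlines():
        if m := REQ_RE.search(line):
            path = m.group(1)
        elif m := RESP_RE.search(line):
            status = int(m.group(1))
            pending = {"path": path, "status": status} if status >= 400 else None
            if pending:
                out.append(pending)
        elif pending and line.lstrip().startswith('{"Errors"'):
            # raw_decode stops after the JSON body, so log text glued onto the line is ignored.
            body, _ = decoder.raw_decode(line.lstrip())
            err = (body.get("Errors") or [{}])[0]
            pending.update(type=err.get("Type"), code=err.get("Code"))
            pending = None
    return out
```
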
ghost commented 1 year ago

Hi @pierreozoux Thanks for reaching us. Have you done this with your AK/SK?

```
export OSC_ACCESS_KEY=<AK>
export OSC_SECRET_KEY=<SK>
export OSC_REGION=<REGION>
make credential
```

You will get:

```
[root@cidev-admin cluster-api-provider-outscale]# kubectl get secret -A
NAMESPACE                              NAME                            TYPE     DATA   AGE
cluster-api-provider-outscale-system   cluster-api-provider-outscale   Opaque   3      12h
```

Also, as you are on gouvcloud platform, be aware that Api Access Rules may block cluster-api to perform API calls due to its source IP.

Furthermore, Images for cluster-api are only available on eu-west-2 for now. Following your issue, we are working on pushing Images on cloudgouv as soon as possible. Other regions will be available after.

pierreozoux commented 1 year ago

Thanks for your answer, and thanks for the OMI (I had some doubts actually :sweat_smile:). I'll ask my PM about this Api Access Rules, I'll try to create a VM in outscale and try the same procedure, once the images are available.

pierreozoux commented 1 year ago

Ok, so I tried from an outscale VM, to use outscale network, instead of my home, but still the same error, I'll check with my PM.

ghost commented 1 year ago

Hi @pierreozoux Thanks for reaching us.

New Images for cluster-api are now available for cloudgov (https://cluster-api-outscale.oos-website.eu-west-2.outscale.com/topics/omi.html):

- ubuntu-2004-2004-kubernetes-v1.22.11-2022-11-23
- ubuntu-2004-2004-kubernetes-v1.23.8-2022-11-23

When you launch clusterctl, please make sure to have the latest release of cluster-api-provider-outscale (v0.1.4):

```
root@kubemaster:/home/outscale# kubectl get providers -A
NAMESPACE                              NAME                      AGE    TYPE                     PROVIDER      VERSION
capi-kubeadm-bootstrap-system          bootstrap-kubeadm         2d4h   BootstrapProvider        kubeadm       v1.3.0
capi-kubeadm-control-plane-system      control-plane-kubeadm     2d4h   ControlPlaneProvider     kubeadm       v1.3.0
capi-system                            cluster-api               2d4h   CoreProvider             cluster-api   v1.3.0
cluster-api-provider-outscale-system   infrastructure-outscale   2d4h   InfrastructureProvider   outscale      v0.1.4
```

Let us know if you have any other issue.

pierreozoux commented 1 year ago

Hello,

I authorized the IPs, and I can indeed use the Outscale API. And I also managed to start the Outscale cluster thanks to the freshly cooked images.

Thanks for everything!

(It remains to authorize the API on the egress EIP of this new cluster so that the ccm can work, but that's another story)

Have a good day!