rcarrata / devsecops-demo

DevSecOps demo
Apache License 2.0
154 stars 140 forks

Few issues with OCP 4.11 #61

Closed slallemand closed 1 year ago

slallemand commented 2 years ago

Hello,

I tried to deploy this demo on a 4.11 OCP cluster.

Prerequisites are installed:

$ pip3 list | grep -e kubernetes -e openshift -e jmespath 
jmespath            1.0.1
kubernetes          24.2.0
openshift           0.13.1

$ ansible --version 
ansible [core 2.13.4]
  config file = None
  configured module search path = ['/Users/slallema/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/Cellar/ansible/6.4.0/libexec/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/slallema/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible
  python version = 3.10.7 (main, Sep 14 2022, 22:38:23) [Clang 14.0.0 (clang-1400.0.29.102)]
  jinja version = 3.1.2
  libyaml = True

I have a first issue with the install.sh phase and the ocp4-post-acs task:

TASK [ocp4-post-acs : Get the secret that contains the token of sa pipeline] ***************************************************************
ok: [localhost] => {"ansible_facts": {"token_sa_pipeline_secret": []}, "changed": false}

TASK [ocp4-post-acs : Get token in the secret for the sa pipeline and decode] **************************************************************
fatal: [localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: list object has no element 0\n\nThe error appears to be in '/Users/slallema/GIT/github.com/slallemand/devsecops-demo/bootstrap/roles/ocp4-post-acs/tasks/post_ci.yaml': line 68, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Get token in the secret for the sa pipeline and decode\n  ^ here\n"}

PLAY RECAP *********************************************************************************************************************************
localhost                  : ok=70   changed=6    unreachable=0    failed=1    skipped=3    rescued=0    ignored=0   

Anyway, I did try to start the pipeline with ./demo.sh start, but the pipeline is failing at the build-image task. I have these errors:

STEP-GEN-ENV-FILE

2022/10/05 13:03:28 warning: unsuccessful cred copy: ".docker" from "/tekton/creds" to "/": unable to create destination directory: mkdir /.docker: permission denied
UID uid=1001(1001) gid=0(root) groups=0(root),1000660000
Generated Env file
------------------------------
MAVEN_CLEAR_REPO=false
MAVEN_MIRROR_URL=http://nexus:8081/repository/maven-public/
------------------------------
STEP-GENERATE

2022/10/05 13:03:29 warning: unsuccessful cred copy: ".docker" from "/tekton/creds" to "/": unable to create destination directory: mkdir /.docker: permission denied
UID uid=1001(1001) gid=0(root) groups=0(root),1000660000 s2i build spring-petclinic/target image-registry.openshift-image-registry.svc:5000/openshift/java:11 --image-scripts-url image:///usr/local/s2i --as-dockerfile /gen-source/Dockerfile.gen --environment-file /env-params/env-file
STEP-BUILD

Error: error writing "0 0 4294967295\n" to /proc/29/uid_map: write /proc/29/uid_map: operation not permitted
level=error msg="error writing \"0 0 4294967295\\n\" to /proc/29/uid_map: write /proc/29/uid_map: operation not permitted"
level=error msg="(unable to determine exit status)"
STEP-PUSH-TAG

2022/10/05 13:03:31 Skipping step because a previous step failed
STEP-PUSH-LATEST

2022/10/05 13:03:32 Skipping step because a previous step failed

Could that be related to the install error? Any idea on that?

slallemand commented 2 years ago

Quick update: I tried on a 4.9 cluster without any issue, so it really should be related to 4.11.

rcarrata commented 2 years ago

Hi @slallemand, OpenShift 4.11 uses k8s version 1.24, where several changes were introduced, such as the deprecation of PSP, and several major changes that also affect this demo. It works like a charm in versions below 4.11. We'll fix this repo asap in order to make the demo work in all versions.

Thanks for opening the issue!

fduthilleul commented 1 year ago

@rcarrata Just tested on OCP 4.11 cluster provisioned by RHDP (Red Hat Demo Platform) and the install script fails at:

TASK [ocp4-post-acs : Get token in the secret for the sa pipeline and decode] *************************************************************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: list object has no element 0\n\nThe error appears to be in '/Users/username/test-devsecops/devsecops-demo/bootstrap/roles/ocp4-post-acs/tasks/post_ci.yaml': line 68, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Get token in the secret for the sa pipeline and decode\n  ^ here\n"}

Any idea? There is no token_sa_pipeline_secret in the cicd namespace, but only pipeline-token-xxxx.

fiiray commented 1 year ago

Everything works on the current version of ARO... Thanks

Client Version: 4.12.1
Kustomize Version: v4.5.7
Server Version: 4.10.54
Kubernetes Version: v1.23.12+8a6bfe4

waynedovey commented 1 year ago

Any plans to fix this on OCP 4.11+?

rcarrata commented 1 year ago

I've tested in ARO 4.12 and also in OCP on-prem 4.13 and worked for me without issues. Can you please describe your problem @waynedovey?

rcarrata commented 1 year ago

Fixed and tested with the latest 4.13. Grabbing the pipeline-token directly instead of the pipeline sa.

Closing this issue.
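The lookup change described in the closing comment, as an added example that is not code from rcarrata/devsecops-demo or any commenter. Since Kubernetes 1.24 (OpenShift 4.11) a ServiceAccount's `.secrets` list is no longer guaranteed to reference an auto-generated token secret, so a task that indexes `secrets[0]` of the `pipeline` SA gets an empty list, which is the "list object has no element 0" failure quoted above. Selecting the `pipeline-token-xxxx` Secret directly, by its type and its `kubernetes.io/service-account.name` annotation, does not depend on that list. The SA and Secret objects below are constructed samples shaped like `oc get sa`/`oc get secrets -o json` output; the secret names, the namespace `cicd` and the token value are made up, and the token is not a real JWT.

```python
import base64

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"

# Constructed sample: the `pipeline` ServiceAccount as returned on a
# Kubernetes 1.24+ cluster. Note the empty `secrets` list.
SA_PIPELINE = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {"name": "pipeline", "namespace": "cicd"},
    "secrets": [],
}

# Constructed, fake token value (not a real service-account JWT).
FAKE_TOKEN = "eyJhbGciOiJSUzI1NiJ9.constructed-not-a-real-token"

# Constructed sample secret list for the cicd namespace: a dockercfg secret
# for the same SA (must be ignored), the pipeline token, and another SA's token.
SECRET_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "kind": "Secret",
            "type": "kubernetes.io/dockercfg",
            "metadata": {
                "name": "pipeline-dockercfg-x7k2p",
                "namespace": "cicd",
                "annotations": {SA_NAME_ANNOTATION: "pipeline"},
            },
            "data": {".dockercfg": base64.b64encode(b"{}").decode()},
        },
        {
            "kind": "Secret",
            "type": SA_TOKEN_TYPE,
            "metadata": {
                "name": "pipeline-token-abc12",
                "namespace": "cicd",
                "annotations": {SA_NAME_ANNOTATION: "pipeline"},
            },
            "data": {"token": base64.b64encode(FAKE_TOKEN.encode()).decode()},
        },
        {
            "kind": "Secret",
            "type": SA_TOKEN_TYPE,
            "metadata": {
                "name": "builder-token-zz9q1",
                "namespace": "cicd",
                "annotations": {SA_NAME_ANNOTATION: "builder"},
            },
            "data": {"token": base64.b64encode(b"other-token").decode()},
        },
    ],
}


def legacy_secret_name(sa):
    """Pre-1.24 approach: trust sa.secrets[0]. Returns None when the list is
    empty, which is where an Ansible `[0]` lookup raises "list object has no
    element 0"."""
    secrets = sa.get("secrets") or []
    return secrets[0]["name"] if secrets else None


def token_secret_for_sa(secret_list, sa_name):
    """Select the token Secret for sa_name by type and annotation, ignoring
    dockercfg secrets and tokens that belong to other service accounts.
    Returns the Secret dict, or None if the SA has no token secret."""
    candidates = [
        s
        for s in secret_list.get("items", [])
        if s.get("type") == SA_TOKEN_TYPE
        and (s.get("metadata", {}).get("annotations") or {}).get(SA_NAME_ANNOTATION)
        == sa_name
    ]
    if not candidates:
        return None
    # An SA may own several token secrets; choose one deterministically.
    return sorted(candidates, key=lambda s: s["metadata"]["name"])[0]


def decode_token(secret):
    """Secret data is base64-encoded; return the bearer token as text."""
    return base64.b64decode(secret["data"]["token"]).decode()


def pipeline_token(secret_list, sa_name="pipeline"):
    """End-to-end: (secret name, decoded token), or (None, None) if absent."""
    secret = token_secret_for_sa(secret_list, sa_name)
    if secret is None:
        return None, None
    return secret["metadata"]["name"], decode_token(secret)


if __name__ == "__main__":
    print("legacy lookup via sa.secrets[0]:", legacy_secret_name(SA_PIPELINE))
    print("direct lookup by type+annotation:", pipeline_token(SECRET_LIST))
```

On a live cluster the same selection can be expressed over `oc get secrets -n cicd -o json`; the function returns None rather than raising when no token secret exists, so a caller can fall back to requesting a short-lived token with `oc create token pipeline -n cicd` (available in oc 4.11+) instead of failing the play.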