submariner-io / submariner-charts

Helm charts to deploy the various Submariner components.
Apache License 2.0

Make Shipyard Helm deploy scripts work with K8s 1.24 #236

Closed dfarrell07 closed 2 years ago

dfarrell07 commented 2 years ago

There seems to be an issue with the Shipyard scripts that deploy Helm on K8s 1.24.

    [cluster1] Installing Submariner...
    [16:28:33.529] [shipyard]$ [cluster1] helm --kube-context cluster1 install submariner-operator submariner-latest/submariner-operator --create-namespace --namespace submariner-operator --set ipsec.psk=lWWBU8Qe7sTBCUtmiGj06gdvvsGpmuJkUccILJvfhveWoiOAoJcBy6KSu1NXOcHc --set broker.server=172.18.0.6:6443 --set broker.token= --set broker.namespace=submariner-k8s-broker --set broker.ca= --set broker.globalnet=false --set submariner.serviceDiscovery=false --set submariner.cableDriver=libreswan --set submariner.clusterId=cluster1 --set submariner.clusterCidr=10.1.0.0/16 --set submariner.serviceCidr=100.1.0.0/16 --set submariner.globalCidr= --set serviceAccounts.globalnet.create=false --set serviceAccounts.lighthouseAgent.create=false --set serviceAccounts.lighthouseCoreDns.create=false --set submariner.natEnabled=false --set operator.image.repository=localhost:5000/submariner-operator --set operator.image.tag=local --set operator.image.pullPolicy=IfNotPresent --set submariner.images.repository=localhost:5000 --set submariner.images.tag=local --set brokercrds.create=false
    [cluster1] Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: error validating "": error validating data: [ValidationError(Submariner.spec): missing required field "brokerK8sApiServerToken" in io.submariner.v1alpha1.Submariner.spec, ValidationError(Submariner.spec): missing required field "brokerK8sCA" in io.submariner.v1alpha1.Submariner.spec]

The main errors are missing required field "brokerK8sApiServerToken" and missing required field "brokerK8sCA". Note that --set broker.ca= and --set broker.token= are null.

They are derived here:

    submariner_broker_ca=$(kubectl -n "${BROKER_NAMESPACE}" get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='${BROKER_CLIENT_SA}')].data['ca\.crt']}")
    submariner_broker_token=$(kubectl -n "${BROKER_NAMESPACE}" get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='${BROKER_CLIENT_SA}')].data.token}"|base64 --decode)

I suspect the issue is related to the Secret/Token changes in K8s 1.24 that we've been adjusting to elsewhere.

skitt commented 2 years ago

You’re right, this is happening because the SAs aren’t getting secrets.

skitt commented 2 years ago

This isn’t caused by the Shipyard deployment scripts, but by the charts themselves; they need to create secrets in addition to SAs.
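
The fix direction described in this thread, sketched as an added example (not code from the charts or from Shipyard): on K8s 1.24 a ServiceAccount no longer gets a token Secret automatically, so one of type `kubernetes.io/service-account-token` is created explicitly and read back once the token controller has populated it. The function names and the `<sa>-token` Secret name are hypothetical.

```shell
#!/usr/bin/env bash
# Added example; function names and the "<sa>-token" Secret name are assumptions.

# Emit a Secret manifest bound to an existing ServiceAccount. After creation the
# token controller fills in data.token and data["ca.crt"].
broker_sa_token_secret() {
    local namespace="$1" sa="$2"
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${sa}-token
  namespace: ${namespace}
  annotations:
    kubernetes.io/service-account.name: ${sa}
type: kubernetes.io/service-account-token
EOF
}

# Fail early on an empty value instead of passing "--set broker.token=" to helm.
require_nonempty() {
    local name="$1" value="$2"
    if [ -z "$value" ]; then
        echo "error: ${name} is empty; does the ServiceAccount have a token Secret?" >&2
        return 1
    fi
}

# Create the Secret, wait until it is populated, then read both fields.
# Needs kubectl and a live cluster; sets the two variables used on this page.
fetch_broker_credentials() {
    local namespace="$1" sa="$2" tries=0
    broker_sa_token_secret "$namespace" "$sa" | kubectl apply -f - >/dev/null || return 1
    until [ -n "$(kubectl -n "$namespace" get secret "${sa}-token" -o jsonpath='{.data.token}' 2>/dev/null)" ]; do
        tries=$((tries + 1))
        [ "$tries" -ge 30 ] && return 1
        sleep 1
    done
    # The CA stays base64-encoded and only the token is decoded, as in the lines above.
    submariner_broker_ca=$(kubectl -n "$namespace" get secret "${sa}-token" -o jsonpath='{.data.ca\.crt}')
    submariner_broker_token=$(kubectl -n "$namespace" get secret "${sa}-token" -o jsonpath='{.data.token}' | base64 --decode)
    require_nonempty broker.ca "$submariner_broker_ca" && require_nonempty broker.token "$submariner_broker_token"
}
```

Because the Secret carries the `kubernetes.io/service-account.name` annotation, the annotation-based jsonpath filter quoted earlier in the thread would match it as well. Tokens issued this way do not expire, so the ServiceAccount's RBAC should stay narrow.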