uselagoon / remote-controller

A group of controllers for handling Lagoon builds and tasks in Kubernetes or Openshift

lagoon-deployer ServiceAccount secret not created in Kubernetes 1.24 #151

Closed tobybellwood closed 1 year ago

tobybellwood commented 2 years ago

remote-controller is not compatible with Kubernetes 1.24 - don't try this at home

Mostly for future reference, but remote-controller currently doesn't work in Kubernetes 1.24 - it has an issue with finding (or creating) the token secret for the lagoon-deployer ServiceAccount.


2022-07-21T05:42:07.824Z   INFO    controllers.HarborIntegration   Created robot account robot$nginx-example+main-954f2d24
2022-07-21T05:42:08.036Z    INFO    v1beta1.LagoonBuild Creating LagoonBuild in Pending status: lagoon-build-7m5zypx    {"lagoonbuild": "remote-controller-system/lagoon-build-7m5zypx"}
2022-07-21T05:42:08.054Z    INFO    v1beta1.LagoonBuild Currently 0 running builds, room for 3 builds to be started {"lagoonbuild": "nginx-example-main/lagoon-build-7m5zypx"}
2022-07-21T05:42:08.060Z    INFO    v1beta1.LagoonBuild Checking and preparing namespace and associated resources for build: lagoon-build-7m5zypx   {"lagoonbuild": "nginx-example-main/lagoon-build-7m5zypx"}
2022-07-21T05:42:08.063Z    ERROR   controller-runtime.manager.controller.lagoonbuild   Reconciler error    {"reconciler group": "crd.lagoon.sh", "reconciler kind": "LagoonBuild", "name": "lagoon-build-7m5zypx", "namespace": "nginx-example-main", "error": "Could not find token secret for ServiceAccount lagoon-deployer"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
    /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.9.6/pkg/internal/controller/controller.go:253
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
    /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.9.6/pkg/internal/controller/controller.go:214
2022-07-21T05:42:08.068Z    INFO    v1beta1.LagoonBuild Checking and preparing namespace and associated resources for build: lagoon-build-7m5zypx   {"lagoonbuild": "nginx-example-main/lagoon-build-7m5zypx"}

shreddedbacon commented 2 years ago

Seems related to this change with service accounts: https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets

It looks like the token is no longer generated automatically and a TokenRequest is required now. We can still generate a long-lived token if we need to, but maybe it is a good time to re-evaluate the deployer token into a short-lived token only there for the duration of the build (or tasks) that need it.
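
As an added illustration of the short-lived option discussed above (not part of the thread and not remote-controller's code), this standard-library Go sketch builds the TokenRequest body and API path for the lagoon-deployer ServiceAccount, with the token sized to the build and bound to the build pod. The function names, the 2-hour timeout, and the pod being named after the LagoonBuild are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// The API server rejects TokenRequests with expirationSeconds under 10 minutes.
const minTokenSeconds = 600

// tokenRequestPath returns the ServiceAccount "token" subresource to POST to;
// this is what replaces reading the auto-created token Secret.
func tokenRequestPath(namespace, serviceAccount string) string {
	return fmt.Sprintf("/api/v1/namespaces/%s/serviceaccounts/%s/token", namespace, serviceAccount)
}

// buildTokenRequest sizes the token to the build timeout and binds it to the
// build pod, so the token stops validating once that pod is deleted.
func buildTokenRequest(buildTimeout time.Duration, podName, podUID string) ([]byte, error) {
	secs := int64(buildTimeout.Seconds())
	if secs < minTokenSeconds {
		secs = minTokenSeconds
	}
	ref := map[string]string{"kind": "Pod", "apiVersion": "v1", "name": podName}
	if podUID != "" {
		ref["uid"] = podUID // pins the token to this pod instance, not just the name
	}
	return json.Marshal(map[string]interface{}{
		"apiVersion": "authentication.k8s.io/v1",
		"kind":       "TokenRequest",
		"spec": map[string]interface{}{
			"expirationSeconds": secs,
			"boundObjectRef":    ref,
		},
	})
}

func main() {
	// Assumed values: a 2h build timeout and a build pod named after the LagoonBuild.
	body, err := buildTokenRequest(2*time.Hour, "lagoon-build-7m5zypx", "")
	if err != nil {
		panic(err)
	}
	fmt.Printf("POST %s\n%s\n", tokenRequestPath("nginx-example-main", "lagoon-deployer"), body)
}
```

The response carries the token in `status.token` and its expiry in `status.expirationTimestamp`; the caller needs `create` permission on `serviceaccounts/token` in the build namespace.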