search

vmware-tanzu-labs / educates-training-platform

A platform for hosting interactive workshop environments in Kubernetes, or on top of a local container runtime.
https://docs.educates.dev
Apache License 2.0
74 stars 20 forks source link

Virtual clusters not given CA. #505

Open GrahamDumpleton opened 3 months ago

GrahamDumpleton commented 3 months ago

Describe the bug

Observed this when using virtual clusters created using helm charts rather than builtin virtual cluster support, but expect later will have same issue.

When using your CA so can have self signed certificates, the CA isn't injected into the virtual cluster control plane so might be issue if is required.

Believe this is the case as see the error:

12:38:17AM: ongoing: reconcile deployment/lookup-service-poc (apps/v1) namespace: educates-platform
12:38:17AM:  ^ Waiting for 1 unavailable replicas
12:38:17AM:  L ok: waiting on replicaset/lookup-service-poc-5c7b4d9759 (apps/v1) namespace: educates-platform
12:38:17AM:  L ongoing: waiting on pod/lookup-service-poc-5c7b4d9759-plvqj (v1) namespace: educates-platform
12:38:17AM:     ^ Pending: ErrImagePull (message: failed to pull and unpack image "registry-educates-cli-w03-s001.educates-local-dev.test/lab-platform-operator/lookup-service-poc:latest": failed to resolve reference "registry-educates-cli-w03-s001.educates-local-dev.test/lab-platform-operator/lookup-service-poc:latest": failed to do request: Head "https://registry-educates-cli-w03-s001.educates-local-dev.test/v2/lab-platform-operator/lookup-service-poc/manifests/latest": tls: failed to verify certificate: x509: certificate signed by unknown authority)

when trying to deploy to the virtual cluster an image built in the workshop session and pushed to the per session image registry.

Additional information

No response

jorgemoralespou commented 3 months ago

When creating an issue like this would be good to have a reproducer of the steps and workshop definition :-P

I don't think this should be any different than running any other image built and pushed to the per-session registry, as this log, ErrImgPull should be that containerd on the host can not pull down the image from that registry. The reproducer could probably help to investigate whether this is a regression on 3.0.0 (if you were already using that) or if it has always existed. Remember than in 3.0 we have changed how containerd is configured on the host, so maybe something broke there.