[dev-v2.9] Update Rancher-monitoring jobs.yaml for error handling #3606

Open
wants to merge 1 commit into
base: dev-v2.9

@dfaltum dfaltum commented Mar 11, 2024

Problem

My problem is that the following line gets an error if the RBAC of the system:serviceaccount:cattle-monitoring-system:rancher-monitoring-crd-manager SA is incorrect:

kubectl replace -Rf /etc/crd || kubectl create -Rf /etc/crd;

The reason for this is that kubectl replace fails with an error code, but kubectl create can't succeed either:

Error from server (Forbidden): error when replacing "/etc/crd/charts/crds/crd-alertmanagerconfigs.yaml": customresourcedefinitions.apiextensions.k8s.io "alertmanagerconfigs.monitoring.coreos.com" is forbidden: User "system:serviceaccount:cattle-monitoring-system:rancher-monitoring-crd-manager" cannot update resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
Error from server (AlreadyExists): error when creating "/etc/crd/charts/crds/crd-alertmanagerconfigs.yaml": customresourcedefinitions.apiextensions.k8s.io "alertmanagerconfigs.monitoring.coreos.com" already exists

In the earlier chart versions, the SA didn't have recreate permission. So in this scenario, the helm upgrade succeeds, but you still have the old CRDs.

Solution

I think the simplest solution is to create another OR condition. With this trick, the pod will fail and the helm upgrade will fail as well.
Another good approach might be something like this for checking permissions:

for verb in 'create' 'get' 'patch' 'delete' 'update'; do kubectl auth can-i --as system:serviceaccount:cattle-monitoring-system:rancher-monitoring-crd-manager "$verb" crd || exit 255; done
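
The failure mode described in this pull request, reproduced offline as an added example (not code from the PR or the chart). The `kubectl` function is a constructed stub, `ALLOWED_VERBS` and both function names are hypothetical, and the example assumes the job script keeps running after the `replace || create;` line without `set -e`; the extra `|| return 1` is one possible form of the "another OR condition" mentioned above.

```shell
#!/bin/sh
# Constructed stub standing in for the real kubectl so the example runs offline.
# ALLOWED_VERBS simulates the RBAC verbs granted to the service account.
ALLOWED_VERBS="get create"
SA="system:serviceaccount:cattle-monitoring-system:rancher-monitoring-crd-manager"

kubectl() {
  case "$1" in
    auth)    # kubectl auth can-i --as SA VERB RESOURCE -> VERB is $5
      case " $ALLOWED_VERBS " in *" $5 "*) return 0 ;; *) return 1 ;; esac ;;
    replace) # replace is authorized as the RBAC verb "update"
      case " $ALLOWED_VERBS " in *" update "*) return 0 ;; esac
      echo "Error from server (Forbidden)" >&2; return 1 ;;
    create)  # in the upgrade scenario the CRDs already exist
      echo "Error from server (AlreadyExists)" >&2; return 1 ;;
  esac
}

# Pattern from the PR description: both commands fail, the ';' drops the
# exit status, and the remaining steps run as if the CRDs had been updated.
apply_crds_unchecked() {
  kubectl replace -Rf /etc/crd || kubectl create -Rf /etc/crd;
  echo "job finished"
}

# Hardened form: verify permissions first, then propagate a failed fallback.
# In the job script itself these would be 'exit' rather than 'return'.
apply_crds_checked() {
  for verb in create get patch delete update; do
    kubectl auth can-i --as "$SA" "$verb" crd >/dev/null || {
      echo "missing RBAC verb: $verb" >&2; return 255; }
  done
  kubectl replace -Rf /etc/crd || kubectl create -Rf /etc/crd || return 1
}
```

With the stub removed, the same two functions run against a real cluster; a non-zero status from the checked form is what makes the pod, and with it the helm upgrade, fail visibly.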

Validation steps

  • Ensure all container images have repository and tag on the same level to ensure that all container images are included in rancher-images.txt which are used by airgap customers.
  Ex:-
    longhorn-controller:
      repository: rancher/hardened-sriov-cni
      tag: v2.6.3-build20230913
  
  • Add a 👍 (thumbs up) reaction to this comment once done. CI won't pass without this reaction to the github-action bot's latest validation comment.
  • Approve the PR to run the CI check.

@lucasmlp lucasmlp changed the title Update Rancher-monitoring jobs.yaml for error handling [dev-v2.9] Update Rancher-monitoring jobs.yaml for error handling Mar 15, 2024