Skip to content
This repository has been archived by the owner on Jan 8, 2024. It is now read-only.

Setting the k8s runner install odr service account. #3894

Merged
merged 2 commits into from
Sep 16, 2022

Conversation

izaaklauer
Copy link
Contributor

@izaaklauer izaaklauer commented Sep 16, 2022

Helm creates a service account, but we don't use it unless it's specified in the runner profile. Otherwise, you get an error like this:

$ wp up -workspace=dev
There are local changes that do not match the remote repository. By default,
Waypoint will perform this operation using a remote runner that will use the
remote repository’s git ref and not these local changes. For these changes
to be used for future operations, either commit and push, or run the operation
locally with the -local flag.

» Operation is queued waiting for job "01GD3CJWM5ABKYZ9YRH0VMCNCZ". Waiting for runner assignment...
  If you interrupt this command, the job will still run in the background.
  Performing operation on "kubernetes" with runner profile "kubernetes-DEV"

» Cloning data from Git
  URL: https://github.com/hashicorp/waypoint-examples
  Ref: go-multicluster

» Downloading from Git
  Git Commit: 741ce4489f554981e15fcc703ffd4b8cde5b93de
   Timestamp: 1970-01-01 00:00:00 +0000 UTC
     Message:✓ All services available.

... <truncated for brevity> ...

✓ Set ECR Repository name to 'acmecorp'

» Deploying backend...
✓ Running deploy v2
✓ Kubernetes client connected to https://10.100.0.1:443 with namespace default
❌ Preparing deployment...
✓ Kubernetes client connected to https://10.100.0.1:443 with namespace default
❌ Deleting deployment...
! 2 errors occurred:
  	* deployments.apps "backend-v2" is forbidden: User
  "system:serviceaccount:default:default" cannot get resource "deployments" in API
  group "apps" in the namespace "default"
  	* Error during rollback: resource name may not be empty

The default service account doesn't have permissions (like list deployments) that the ODR needs for deploy ops.

Workaround

You can get around this by editing the runner profile and specifying your own k8s tasklauncher config. Create a file like this:

cat /tmp/k8s-plugin-config.hcl

image_pull_policy = "Always"
namespace = "default"
service_account = "waypoint-runner-odr"

And then apply it to your runner profile:

waypoint runner profile set -name=<your runner profile name> -plugin-type=kubernetes -plugin-config=/tmp/k8s-plugin-config.hcl

You can run waypoint runner profile inspect <your profile name> to see your current plugin config, in case you want to preserve any of those settings.

Copy link
Contributor

@paladin-devops paladin-devops left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🐕‍🦺

Helm creates a service account, but we don't use it unless it's specified in the runner profile. Otherwise, you get an error like this:

```
$ wp up -workspace=dev
There are local changes that do not match the remote repository. By default,
Waypoint will perform this operation using a remote runner that will use the
remote repository’s git ref and not these local changes. For these changes
to be used for future operations, either commit and push, or run the operation
locally with the -local flag.

» Operation is queued waiting for job "01GD3CJWM5ABKYZ9YRH0VMCNCZ". Waiting for runner assignment...
  If you interrupt this command, the job will still run in the background.
  Performing operation on "kubernetes" with runner profile "kubernetes-DEV"

» Cloning data from Git
  URL: https://github.com/hashicorp/waypoint-examples
  Ref: go-multicluster

» Downloading from Git
  Git Commit: 741ce4489f554981e15fcc703ffd4b8cde5b93de
   Timestamp: 1970-01-01 00:00:00 +0000 UTC
     Message:✓ All services available.

... <truncated for brevity> ...

✓ Set ECR Repository name to 'acmecorp'

» Deploying backend...
✓ Running deploy v2
✓ Kubernetes client connected to https://10.100.0.1:443 with namespace default
❌ Preparing deployment...
✓ Kubernetes client connected to https://10.100.0.1:443 with namespace default
❌ Deleting deployment...
! 2 errors occurred:
  	* deployments.apps "backend-v2" is forbidden: User
  "system:serviceaccount:default:default" cannot get resource "deployments" in API
  group "apps" in the namespace "default"
  	* Error during rollback: resource name may not be empty
```

The default service account doesn't have permissions (like list deployments) that the ODR needs for deploy ops.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants