-
Notifications
You must be signed in to change notification settings - Fork 280
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
imagePullSecrets not found? #306
Comments
hi, do you see any other logs (before this line) with info/error level that mention secrets? |
I am embarrassed to say that although the default service account has the correct image pull secrets, the pod itself also specified them, and it contained a typo. Apologies for the confusion! (And I'm really digging Keel, by the way.) |
Ah no, that was a different issue. This one is alive and well, I'm afraid. So, to your question, here is a larger section of the log:
|
There should have been some logs where it's setting up the watcher, right after keel detects that deployment. If you restart keel, it should print out some logs about the missing secret. |
Ah, here are the first logs:
The deployment itself, however, has different image pull secrets:
The deployment has changed since keel was started. So I restarted keel to see what would happen. The new logs do not have the same error about the secret, but still cannot pull the image:
|
According to this |
Yes and no. It is defined in the default service agent. But if you look at the effective deployment manifest (see my previous message, halfway in the text), the image pull secrets are there. |
Could you show the full manifests? feel free to remove anything sensitive, just want to look at the structure. This is the code that gets imagePullSecrets https://github.com/keel-hq/keel/blob/master/internal/k8s/resource.go#L249-L261, maybe needs refreshing :) |
Aha, I inspected the pod, not the deployment. Apparently, if you depend on the service account to inject the image pull secrets, they are injected into the pod, but not the deployment! What do you think: do you expect Keel to support this use-case? |
so they don't appear in the deployment? This might have changed then, as I was testing this feature with deployments and not pods when I was developing it :/ |
Indeed, they do not appear in the deployment:
And the pod has:
|
okay, thanks :) I think we have enough info to debug this further. I have added today some initial e2e tests, will be quite easy to add one and start testing. I suspect that this happened recently with the change from extensions to apps for the deployments. |
Thanks, @rusenask! Happy to give you more work... ;-) |
I think I'm bumping into a similar issue:
In my case, I just add the credentials to all deployments but they aren't needed for this particular container or the pod in general (credentials are for a private registry and the container is simply on docker hub). Should this scenario be supported? It seems like since pull secrets are not container specific within a pod this should be gracefully accounted for? On a related note, since the labels are applied at the deployment level, does keel watch all containers in the deployment and apply the same policy/etc? |
Hi, image pull secrets do get added to the pod spec, it just appears that when queried from a "higher level" via deployments, they do not appear any more there. I will fix this when I get a chance, maybe this weekend, currently too occupied with my main work :)
No, all deployments/daemonsets/statefulsets are just a constructs that manage pod specs, we don't really care about them since if we update that deployment workload, k8s will update individual pods. |
@rusenask in my case (1.11 installed via rke) the secrets are in the deployment. Any other info I can provide to help or should my case be a separate issue altogether? |
yeah, maybe a bit more info on how you define them would be helpful and in another issue :) |
Have an absolute similar issue with Gitlab registry, chart 0.7.2, keel 0.12.0 |
@Antiarchitect did it work before? |
Added e2e test with private registry, besides a problem where it wouldn't like passwords that contain ":", couldn't find anything. Please provide your k8s secret format, I was creating with a kubectl command:
And also through the client-go. I imagine that it doesn't process some secret format. Also, added some more logging to help find the problem. Please try out |
In yaml it looks like
Inside:
|
Still no luck with 0.13.0-rc2 |
I am out of town for a few days, on a workshop with a client till tomorrow evening. What command are you using to create the secret? I need to replicate it but I suspect that my secret is in the same format as you have. End-to-end for private registry is here https://github.com/keel-hq/keel/blob/master/tests/acceptance_polling_test.go#L168-L307. Secret create code is here: https://github.com/keel-hq/keel/blob/master/tests/acceptance_polling_test.go#L227-L240 Also, logs would be useful as I have added a bit more info to the logs. |
|
thanks @Antiarchitect, with your secret on gitlab registry I am getting the same error, digging in :| |
@Antiarchitect could you please provide a sample deployment.yaml manifest that I could use to replicate this? Unfortunately the gitlab test did work for me, I have added and e2e test for the private gitlab repo as well.
|
|
ah, looks a lot like a helm chart :) @jcassee are you also using helm? I haven't tried using helm with secrets. It might be something to do with how we get pods that are managed by helm. Can someone who's getting this error enable debugging for Keel? Set in the deployment manifest:
For helm provider we should start seeing these errors: https://github.com/keel-hq/keel/blob/master/secrets/secrets.go#L104-L128. I am still finishing up other PR but once I am done with it I hope I have enough info to fix this one. |
I turn helm off in keel settings. |
It might have been due to slightly different registry name and secret name (can be scheme, port, path). I have improved matching, please try out |
@rusenask 0.13.0-rc3 does not solve the problem for me. I still see these logs:
|
Hi guys, sorry for the lack of activity but I have been quite busy with my regular job :) Alright, what I really need in this scenario is:
From the e2e tests I couldn't replicate it with my own images. There are multiple ways how to create secrets in k8s and their formats, same goes with service accounts. If I could replicate it, I am sure I could fix it too. |
We had a bunch of similar issues, there were changes to secret management since then, closing this. |
I just installed Keel on a Kubernetes 1.12 cluster on DigitalOcean using the provided resources. I have created a deployment with an image from a private Docker Hub repository. The default service account has the correct image pull secrets; the image gets pulled and the pods are started. (
imagePullSecrets
is set in the pod.)However, I still see this in the Keel logs over and over again:
So it seems Keel does not pick up the
imagePullSecrets
correctly?Anything I can do to debug the problem further?
The text was updated successfully, but these errors were encountered: