Install SealedSecrets from chart #58

Merged
merged 1 commit into from Feb 7, 2019

3 participants

ivanayov commented Jan 28, 2019

SealedSecrets are now installed with helm chart that is already available

Signed-off-by: Ivana Yovcheva <iyovcheva@vmware.com>

Resolves #55

How Has This Been Tested?

WIP: needs implementing importing secrets

Checklist:

I have:

  • checked my changes follow the style of the existing code / OpenFaaS repos
  • updated the documentation and/or roadmap in README.md TODO
  • read the CONTRIBUTION guide
  • signed-off my commits with git commit -s
  • added unit tests N/A
Install SealedSecrets from chart
SealedSecrets are now installed with helm chart that is already
available

Signed-off-by: Ivana Yovcheva <iyovcheva@vmware.com>
release=$(curl -sI https://github.com/bitnami-labs/sealed-secrets/releases/latest | grep Location | awk -F"/" '{ printf "%s", $NF }' | tr -d '\r')
#release=$(curl --silent "https://api.github.com/repos/bitnami-labs/sealed-secrets/releases/latest" | sed -n 's/.*"tag_name": *"\([^"]*\)".*/\1/p')

echo "SealedSecrets release: $release"

kubectl create -f https://github.com/bitnami-labs/sealed-secrets/releases/download/$release/sealedsecret-crd.yaml
helm del --purge ofc-bootstrap
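
Review bot: The release= line resolves whatever tag releases/latest redirects to at run time, and the kubectl create -f line then applies the CRD manifest from that URL straight to the cluster, so the installed version is neither pinned nor verified. Suggest pinning a known tag in the script (or taking it from a variable) and exiting early when $release is empty: grep Location is case-sensitive and matches nothing if the server sends a lowercase location: header, which would leave a malformed download URL.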

alexellis Jan 28, 2019

Member

Please remove and move this to reset.sh

ivanayov Jan 30, 2019

Author Member

This is more a workaround than part of reset. I couldn't figure out the issue with helm, but it's failing with Error: a release named ofc-bootstrap (or whatever I put there) already exists. in a new cluster.

release=$(curl -sI https://github.com/bitnami-labs/sealed-secrets/releases/latest | grep Location | awk -F"/" '{ printf "%s", $NF }' | tr -d '\r')
#release=$(curl --silent "https://api.github.com/repos/bitnami-labs/sealed-secrets/releases/latest" | sed -n 's/.*"tag_name": *"\([^"]*\)".*/\1/p')

echo "SealedSecrets release: $release"

kubectl create -f https://github.com/bitnami-labs/sealed-secrets/releases/download/$release/sealedsecret-crd.yaml
helm del --purge ofc-bootstrap
kubectl delete customresourcedefinition sealedsecrets.bitnami.com
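
Review bot: The kubectl delete customresourcedefinition sealedsecrets.bitnami.com line at the end of this hunk removes the CRD that kubectl create -f created two lines earlier, and deleting a CRD also deletes every SealedSecret object of that type in the cluster. Together with helm del --purge ofc-bootstrap this makes the install script destructive on a cluster that already holds sealed secrets; suggest moving both commands to the reset script or guarding them behind an explicit flag, and adding a comment that names the helm "already exists" error they work around.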

alexellis Jan 28, 2019

Member

Same comment

ivanayov Jan 28, 2019

Author Member

If I move it there I'm having

2019/01/28 19:07:52 Error: a release named ofc-bootstrap already exists.
Run: helm ls --all ofc-bootstrap; to check the status of the release
Or run: helm del --purge ofc-bootstrap; to delete it

That's why I've put it right before. Not sure if it's some bug with helm. Works the same however I name it.

alexellis Jan 30, 2019

Member

@stefanprodan any thoughts why that would happen? (This really shouldn't need to be here.)

alexellis Jan 30, 2019

Member

Curious, if you run the delete (helm del --purge ofc-bootstrap), what does helm ls --all say after?

alexellis Jan 30, 2019

Member

Can it be about the CRD being left over? kubectl get crd?

alexellis Feb 5, 2019

Member

SGTM. @ivanayov can you alter the release from ofc-bootstrap to ofc-sealedsecrets as per Stefan's comment?

Let's add the removal of the CRD to the reset script, so that it is only run there deliberately, and remove the reset code from the installation step. (It definitely doesn't belong there.)

ivanayov Feb 7, 2019

Author Member

@alexellis Moving to the reset script doesn't solve the problem. These are more a workaround than part of the cluster reset.

After reset with these delete commands, I do

$ ./scripts/create-tiller-sa.sh
$ ./scripts/create-tiller.sh 
$ ./scripts/install-sealedsecrets.sh 

and it fails with

SealedSecrets release: v0.7.0
Error: release ofc-sealedsecrets failed: clusterroles.rbac.authorization.k8s.io "secrets-unsealer" already exists

CRDs after ./scripts/reset.sh && ./scripts/create-tiller-sa.sh && ./scripts/create-tiller.sh:

$ kubectl get crd
NAME                                             CREATED AT
ciliumendpoints.cilium.io                        2019-02-07T10:06:49Z
ciliumnetworkpolicies.cilium.io                  2019-02-07T10:06:49Z
csidrivers.csi.storage.k8s.io                    2019-02-07T10:06:34Z
csinodeinfos.csi.storage.k8s.io                  2019-02-07T10:06:26Z
volumesnapshotclasses.snapshot.storage.k8s.io    2019-02-07T10:06:26Z
volumesnapshotcontents.snapshot.storage.k8s.io   2019-02-07T10:06:26Z
volumesnapshots.snapshot.storage.k8s.io          2019-02-07T10:06:26Z

and after ./scripts/install-sealedsecrets.sh :

$ kubectl get crd
NAME                                             CREATED AT
ciliumendpoints.cilium.io                        2019-02-07T10:06:49Z
ciliumnetworkpolicies.cilium.io                  2019-02-07T10:06:49Z
csidrivers.csi.storage.k8s.io                    2019-02-07T10:06:34Z
csinodeinfos.csi.storage.k8s.io                  2019-02-07T10:06:26Z
sealedsecrets.bitnami.com                        2019-02-07T13:05:54Z
volumesnapshotclasses.snapshot.storage.k8s.io    2019-02-07T10:06:26Z
volumesnapshotcontents.snapshot.storage.k8s.io   2019-02-07T10:06:26Z
volumesnapshots.snapshot.storage.k8s.io          2019-02-07T10:06:26Z

i.e. sealedsecrets.bitnami.com is being deleted and not causing the problem.

Somehow running helm install --namespace kube-system --name ofc-sealedsecrets stable/sealed-secrets is causing the role to be created twice:

$ ./scripts/create-tiller.sh 
$HELM_HOME has been configured at /Users/iyovcheva/.helm.

Tiller (the Helm server-side component) has been upgraded to the current version.
Happy Helming!
$ helm ls --all
Error: could not find a ready tiller pod
$ helm install --namespace kube-system --name ofc-sealedsecrets stable/sealed-secrets
Error: a release named ofc-sealedsecrets already exists.
Run: helm ls --all ofc-sealedsecrets; to check the status of the release
Or run: helm del --purge ofc-sealedsecrets; to delete it
$  helm ls --all ofc-sealedsecrets
NAME             	REVISION	UPDATED                 	STATUS	CHART               	NAMESPACE  
ofc-sealedsecrets	1       	Thu Feb  7 15:05:54 2019	FAILED	sealed-secrets-1.0.1	kube-system

alexellis Feb 7, 2019

Member

Thank you for looking into this.

If the only thing creating an error is the cluster role, do we just need to remove that in the reset script?

Alex

alexellis Feb 7, 2019

Member

Would it help putting sealed-secrets in its own namespace?

alexellis Feb 7, 2019

Member

I get this on kind:

[CustomResourceDefinition] sealedsecrets.bitnami.com

giving:

helm install --namespace kube-system --name ofc-bootstrap stable/sealed-secrets
Error: release ofc-bootstrap failed: customresourcedefinitions.apiextensions.k8s.io "sealedsecrets.bitnami.com" already exists

Then:

 kubectl delete crd/sealedsecrets.bitnami.com
customresourcedefinition.apiextensions.k8s.io "sealedsecrets.bitnami.com" deleted

That then lets me install again:

helm install --namespace kube-system --name ofc-bootstrap stable/sealed-secrets
NAME:   ofc-bootstrap
LAST DEPLOYED: Thu Feb  7 14:33:32 2019
NAMESPACE: kube-system
STATUS: DEPLOYED

alexellis commented Feb 7, 2019

Member

alexellis left a comment

Approved

@alexellis alexellis merged commit 4c4e407 into openfaas-incubator:master Feb 7, 2019

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

ivanayov added a commit to ivanayov/ofc-bootstrap-1 that referenced this pull request Feb 7, 2019

Change sealed secrets version name
This is a follow-up of openfaas-incubator#58

Signed-off-by: Ivana Yovcheva <iyovcheva@vmware.com>