Watcher-to-API server insecure connection not working

[bilalbokharee]

Expected Behavior

After setting -auth_mode to insecure in watcher deployment, watcher communicates with API server with no auth required.

containers:
        - args:
            - -api_addr
            - tekton-results-api-service.tekton-pipelines.svc.cluster.local:8080
            - -auth_mode
            - insecure

Actual Behavior

After insecure is set, watcher pod stays in ContainerCreating state, with error message MountVolume.SetUp failed for volume "tls" : secret "tekton-results-tls" not found

Once set to insecure, there is no need for container to get stuck in ContainerCreating, waiting for this volume to mount. It should be bypassed, allowing watcher to poll API server without auth required.

This is based on results v0.8.0

[khrm]

@bilalbokharee I think you need to modify watcher deployment to use insecure mode.
From the release manifest, please remove volume and volumemounts for watcher related to tls while using insecure mode, is it working then?

[bilalbokharee]

@khrm Thanks for the response

I see this error in API server pod after removing volume and volumeMount from watcher deployment

http: TLS handshake error from 100.111.90.29:59006: tls: first record does not look like a TLS handshake

[drGrove]

You also need to remove volume and volumeMounts for api related to TLS. Otherwise the grpc server is instantiated in secure mode and expects a secure client

[adambkaplan]

You could create a kustomize overlay that adds the grpc insecure arguments and removes the TLS volume mounts. I would be reluctant to include that in any kind of release manifest.