Installed Tekton pipelines, triggers etc. into a new OKD 4.7 cluster. #1172

Closed
johnlongo opened this issue Aug 3, 2021 · 8 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@johnlongo

Installed the latest Tekton pipelines, triggers etc. into a new OKD 4.7 (4.7.0-0.okd-2021-07-03-190901) cluster using the following steps:
oc adm policy add-scc-to-user anyuid -z tekton-pipelines-controller
oc adm policy add-scc-to-user anyuid -z tekton-pipelines-webhook
oc apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.notags.yaml
oc apply --filename https://storage.googleapis.com/tekton-releases/triggers/latest/release.notags.yaml
oc apply --filename https://storage.googleapis.com/tekton-releases/triggers/latest/interceptors.notags.yaml
oc apply --filename https://storage.googleapis.com/tekton-releases/dashboard/latest/tekton-dashboard-release.yaml

image

After that I defined a pipeline for one of my deployments and an event listener (see attached).
trigger-openshift-alertmanager-listener.txt

When the listener starts up it goes into a crash loop (see attached)
image

Please let me know how to fix this issue because I really would like to use Tekton, but if I can't use a listener it's going to be a manual process to start the pipeline and I would like to avoid that if possible.

Thank you in advance for any help.

@johnlongo johnlongo added the kind/bug Categorizes issue or PR as related to a bug. label Aug 3, 2021
@khrm
Contributor

khrm commented Aug 4, 2021

I think this is happening because we are setting security context for EventListener which isn't allowed in OpenShift (and probably in OKD also). We apply a patch in downstream to fix this. https://github.com/openshift/tektoncd-triggers/blob/master/openshift/patches/0001-Change-eventlistener-flag-default-value-to-false.patch

You can use this release.yaml to fix this issue: https://github.com/openshift/tektoncd-triggers/tree/release-v0.14.2/openshift/release

Or change the value of el-default-security-context in the controller spec. This value was missing and will be added in the next release.

@johnlongo
Author

Installed tekton again in a freshly restored cluster with the following, but still seeing the same issue:

oc new-project tekton-pipelines

oc adm policy add-scc-to-user anyuid -z tekton-pipelines-controller
oc adm policy add-scc-to-user anyuid -z tekton-pipelines-webhook

oc apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.notags.yaml
oc apply --filename /opt/tekton/tektoncd-triggers-v0.14.2.yaml
oc apply --filename /opt/tekton/tektoncd-triggers-interceptor-v0.14.2.yaml
oc apply --filename https://storage.googleapis.com/tekton-releases/dashboard/latest/tekton-dashboard-release.yaml

image

@khrm
Contributor

khrm commented Aug 5, 2021

Is there anything coming in the log tab or terminal tab? Can you share those logs?

@johnlongo
Author

johnlongo commented Aug 5, 2021

{"level":"info","ts":"2021-08-05T12:20:16.715Z","caller":"logging/config.go:117","msg":"Logging level set to: info"}
{"level":"info","ts":"2021-08-05T12:20:16.715Z","caller":"logging/config.go:79","msg":"Fetch GitHub commit ID from kodata failed","error":"\"KO_DATA_PATH\" does not exist or is empty"}
{"level":"info","ts":"2021-08-05T12:20:16.715Z","logger":"eventlistener","caller":"logging/logging.go:46","msg":"Starting the Configuration eventlistener","knative.dev/controller":"eventlistener"}
{"level":"info","ts":"2021-08-05T12:20:16.715Z","logger":"eventlistener","caller":"profiling/server.go:64","msg":"Profiling enabled: false","knative.dev/controller":"eventlistener"}
{"level":"info","ts":"2021-08-05T12:20:16.773Z","logger":"eventlistener","caller":"eventlistenersink/main.go:107","msg":"Starting configuration manager...","knative.dev/controller":"eventlistener"}
{"level":"info","ts":"2021-08-05T12:20:16.789Z","logger":"eventlistener","caller":"metrics/metrics_worker.go:76","msg":"Flushing the existing exporter before setting up the new exporter.","knative.dev/controller":"eventlistener"}
{"level":"info","ts":"2021-08-05T12:20:16.790Z","logger":"eventlistener","caller":"metrics/prometheus_exporter.go:51","msg":"Created Prometheus exporter with config: &{tekton.dev/triggers eventlistener prometheus 5000000000 <nil> <nil>  false 9000 0.0.0.0 false   {   false}}. Start the server for Prometheus exporter.","knative.dev/controller":"eventlistener"}
{"level":"info","ts":"2021-08-05T12:20:16.790Z","logger":"eventlistener","caller":"metrics/metrics_worker.go:91","msg":"Successfully updated the metrics exporter; old config: <nil>; new config &{tekton.dev/triggers eventlistener prometheus 5000000000 <nil> <nil>  false 9000 0.0.0.0 false   {   false}}","knative.dev/controller":"eventlistener"}
{"level":"info","ts":"2021-08-05T12:20:16.874Z","logger":"eventlistener","caller":"eventlistenersink/main.go:118","msg":"EventListener pod started","knative.dev/controller":"eventlistener"}
{"level":"info","ts":1628166016.8856192,"logger":"fallback","caller":"injection/injection.go:61","msg":"Starting informers..."}
E0805 12:20:16.904455       1 reflector.go:127] github.com/tektoncd/triggers/pkg/client/informers/externalversions/factory.go:117: Failed to watch *v1alpha1.ClusterTriggerBinding: failed to list *v1alpha1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:openshift-alertmanager:default" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E0805 12:20:16.904603       1 reflector.go:127] github.com/tektoncd/triggers/pkg/client/informers/externalversions/factory.go:117: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:openshift-alertmanager:default" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
E0805 12:20:18.063635       1 reflector.go:127] github.com/tektoncd/triggers/pkg/client/informers/externalversions/factory.go:117: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:openshift-alertmanager:default" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
E0805 12:20:18.243929       1 reflector.go:127] github.com/tektoncd/triggers/pkg/client/informers/externalversions/factory.go:117: Failed to watch *v1alpha1.ClusterTriggerBinding: failed to list *v1alpha1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:openshift-alertmanager:default" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E0805 12:20:19.921878       1 reflector.go:127] github.com/tektoncd/triggers/pkg/client/informers/externalversions/factory.go:117: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:openshift-alertmanager:default" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
E0805 12:20:20.009116       1 reflector.go:127] github.com/tektoncd/triggers/pkg/client/informers/externalversions/factory.go:117: Failed to watch *v1alpha1.ClusterTriggerBinding: failed to list *v1alpha1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:openshift-alertmanager:default" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E0805 12:20:24.094304       1 reflector.go:127] github.com/tektoncd/triggers/pkg/client/informers/externalversions/factory.go:117: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:openshift-alertmanager:default" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
E0805 12:20:24.866497       1 reflector.go:127] github.com/tektoncd/triggers/pkg/client/informers/externalversions/factory.go:117: Failed to watch *v1alpha1.ClusterTriggerBinding: failed to list *v1alpha1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:openshift-alertmanager:default" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
{"level":"fatal","ts":"2021-08-05T12:20:25.846Z","logger":"eventlistener","caller":"eventlistenersink/main.go:171","msg":"failed to sync informer for: *v1alpha1.ClusterInterceptor","knative.dev/controller":"eventlistener","stacktrace":"main.main\n\t/go/src/github.com/tektoncd/triggers/cmd/eventlistenersink/main.go:171\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:203"}

@khrm
Contributor

khrm commented Aug 9, 2021

@johnlongo Can you share the yaml for EventListener and rbac? I think the issue is with RBAC and serviceaccount. Some permissions are missing.

@johnlongo
Author

johnlongo commented Aug 9, 2021

Attached are the yaml files I'm using (note not allowed to upload yaml files, so I changed them to txt). Note I just updated my OKD cluster to the latest version: 4.7.0-0.okd-2021-08-07-063045

trigger-openshift-alertmanager-listener.txt

trigger-openshift-alertmanager-rbac..txt

@khrm
Contributor

khrm commented Aug 11, 2021

@johnlongo, can you try the rbac file I have attached? We need to follow EL roles (tekton-triggers-eventlistener-roles and tekton-triggers-eventlistener-clusterroles) given here.

trigger-openshift-alertmanager-rbac.txt

@johnlongo
Author

I applied the cluster roles you supplied, then I added sa tekton-triggers-sa to the project and added cluster roles tekton-triggers-eventlistener-roles and tekton-triggers-eventlistener-clusterroles to the new sa (tekton-triggers-sa) I created in the project. After that the listener started up without any issues (see attached). Thank you for all the help.

image
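
An added example, not part of the thread or of Tekton's code: it parses the `forbidden` reflector errors from the log posted above into the distinct RBAC denials, the smallest rule set that covers them, and `oc auth can-i` commands to re-check after a role binding changes. The sample log is abridged from the thread, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Kubernetes API "forbidden" message as it appears in the reflector errors above.
DENIED = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" cannot (?P<verb>\w+) '
    r'resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<scope_ns>[^"]+)")')

# Abridged from the log in this thread (Go source paths shortened, repeats trimmed).
SAMPLE_LOG = '''\
E0805 12:20:16.904455 1 reflector.go:127] Failed to watch *v1alpha1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:openshift-alertmanager:default" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E0805 12:20:16.904603 1 reflector.go:127] Failed to watch *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:openshift-alertmanager:default" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
E0805 12:20:18.063635 1 reflector.go:127] Failed to watch *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:openshift-alertmanager:default" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
{"level":"fatal","msg":"failed to sync informer for: *v1alpha1.ClusterInterceptor"}
'''

def parse_denials(log_text):
    """Count distinct denials as (subject, verb, resource, group, scope) tuples."""
    hits = Counter()
    for m in DENIED.finditer(log_text):
        subject = f'system:serviceaccount:{m["ns"]}:{m["sa"]}'
        scope = m["scope_ns"] or "cluster"
        hits[(subject, m["verb"], m["resource"], m["group"], scope)] += 1
    return hits

def missing_rules(hits):
    """Merge resources only when they need the same verbs, so no rule over-grants."""
    per_resource = defaultdict(set)
    for subject, verb, resource, group, scope in hits:
        per_resource[(subject, group, scope, resource)].add(verb)
    rules = defaultdict(list)
    for (subject, group, scope, resource), verbs in sorted(per_resource.items()):
        rules[(subject, group, scope, tuple(sorted(verbs)))].append(resource)
    return dict(rules)

def can_i_commands(hits):
    """Build `oc auth can-i` checks that re-test each denial after RBAC changes."""
    cmds = []
    for subject, verb, resource, group, scope in sorted(hits):
        target = f"{resource}.{group}" if group else resource
        ns = "" if scope == "cluster" else f" -n {scope}"
        cmds.append(f"oc auth can-i {verb} {target} --as={subject}{ns}")
    return cmds

if __name__ == "__main__":
    print("\n".join(can_i_commands(parse_denials(SAMPLE_LOG))))
```

A reflector lists before it watches, so this log names only the `list` verb; the EventListener roles khrm refers to remain the authoritative permission set.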
