| *** avolkov has quit IRC | 00:03 | |
| openstackgerrit | Kostyantyn Kalynovskyi proposed airship/airshipctl master: adding abstraction to git repositories https://review.opendev.org/698120 | 00:26 |
|---|---|---|
| *** georgk72 has joined #airshipit | 00:36 | |
| *** georgk7 has quit IRC | 00:36 | |
| *** rezroo has joined #airshipit | 00:48 | |
| *** jamesgu has joined #airshipit | 03:26 | |
| *** rihabb25 has quit IRC | 03:37 | |
| *** georgk72 has quit IRC | 03:37 | |
| *** rihabb25 has joined #airshipit | 03:38 | |
| *** georgk72 has joined #airshipit | 03:38 | |
| *** timClicks has quit IRC | 05:30 | |
| *** roman_g has quit IRC | 05:31 | |
| *** jamesgu has quit IRC | 05:33 | |
| *** roman_g has joined #airshipit | 05:34 | |
| openstackgerrit | Jenkins Uplifter proposed airship/treasuremap master: Auto chart/image uplift to latest https://review.opendev.org/698835 | 05:49 |
| *** jamesgu has joined #airshipit | 05:51 | |
| *** jamesgu has quit IRC | 05:58 | |
| *** roman_g has quit IRC | 06:06 | |
| *** lemko has joined #airshipit | 06:59 | |
| *** rezroo has quit IRC | 08:16 | |
| openstackgerrit | Deepak proposed airship/airshipctl master: AIR-61 - Adding gate test in zuul for vbmc https://review.opendev.org/690870 | 12:31 |
| *** pgaxatte has joined #airshipit | 13:29 | |
| *** alexanderhughes has joined #airshipit | 13:48 | |
| openstackgerrit | Alexander Hughes proposed airship/governance master: Grandfathered committee members clarification https://review.opendev.org/698810 | 13:56 |
| *** pgaxatte has quit IRC | 14:17 | |
| openstackgerrit | Deepak proposed airship/airshipctl master: AIR-61 - Adding gate test in zuul for vbmc https://review.opendev.org/690870 | 14:18 |
| openstackgerrit | Deepak proposed airship/airshipctl master: AIR-61 - Adding gate test in zuul for vbmc https://review.opendev.org/690870 | 14:36 |
| *** nick_kar has quit IRC | 14:40 | |
| openstackgerrit | Alexander Hughes proposed airship/airshipctl master: [WIP] Minor documentation cleanup https://review.opendev.org/698920 | 14:44 |
| openstackgerrit | Alexander Hughes proposed airship/airshipctl master: [WIP] Minor documentation cleanup https://review.opendev.org/698920 | 14:44 |
| *** graysonh has joined #airshipit | 14:45 | |
| openstackgerrit | Merged airship/spyglass master: [FIX] Bug fix for template path ValueError https://review.opendev.org/694848 | 14:46 |
| *** pgaxatte has joined #airshipit | 14:50 | |
| openstackgerrit | Alexander Hughes proposed airship/airshipctl master: [WIP] Minor documentation cleanup https://review.opendev.org/698920 | 14:52 |
| *** jamesgu_ has quit IRC | 14:56 | |
| *** pgaxatte has quit IRC | 15:08 | |
| *** spilla has joined #airshipit | 15:14 | |
| *** GP_singh has joined #airshipit | 15:57 | |
| GP_singh | Hi All | 16:01 |
| GP_singh | I am facing an issue when I am trying to deploy a chart using armada cli from inside k8s job | 16:01 |
| openstackgerrit | Alexander Hughes proposed airship/airshipctl master: Minor documentation cleanup https://review.opendev.org/698920 | 16:01 |
| GP_singh | same thing works from inside the docker container | 16:02 |
| GP_singh | ERROR armada.cli HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"locks.armada.process is forbidden: User \"system:serviceaccount:default:default\" cannot create resource \"locks\" in API group \"armada.process\" in the namespace | 16:03 |
| GP_singh | \"kube-system\"","reason":"Forbidden","details":{"group":"armada.process","kind":"locks"},"code":403} | 16:03 |
| GP_singh | this is the error I get | 16:03 |
| *** rezroo has joined #airshipit | 16:07 | |
| openstackgerrit | Ryan Schroder proposed airship/spyglass master: Spyglass Docs Update https://review.opendev.org/695539 | 16:07 |
| openstackgerrit | Ian Pittwood proposed airship/airshipctl master: [WIP] Add document pull command https://review.opendev.org/698955 | 16:32 |
| *** jamesgu has joined #airshipit | 16:36 | |
| openstackgerrit | Alexander Hughes proposed airship/airshipctl master: Minor documentation cleanup https://review.opendev.org/698920 | 16:38 |
| mattmceuen | hey GP_singh: I believe that when the armada CLI is run, it leverages the user's kubeconfig - so if the user running the CLI has appropriate permissions, they're able to create the lock | 16:50 |
| mattmceuen | if you're running the CLI from within a Job, without the an authenticated user set up running the CLI, then I expect you'd see that error | 16:51 |
| mattmceuen | So you may just need to set up your job with an authenticated serviceaccount (or call the Armada API) | 16:53 |
| mattmceuen | *authorized serviceaccount | 16:54 |
| *** graysonh has quit IRC | 17:01 | |
| GP_singh | the job is on a different cluster | 17:04 |
| GP_singh | and I am targeting a different cluster | 17:04 |
| GP_singh | I tried running kubectl command inside the k8s job as well and those seem to work | 17:04 |
| *** michael-beaver has joined #airshipit | 17:09 | |
| mattmceuen | The error message is saying that the CLI is being run as the default serviceaccount, which doesn't have permission to create the armada lock CR (you don't want any random actor creating armada locks). Is the kubectl command that works a readonly command like "get pods"? Is the target cluster configured to display pods to unauthenticated users? That might explain the behavior | 17:10 |
| GP_singh | I tried create some resources using kubectl as well | 17:11 |
| GP_singh | As far as I understand armada uses the user mentioned under /armada/.kube/config. The file at that location has admin user details. So, should not be a problem, right? | 17:13 |
| mattmceuen | Let me make sure I understand -- you have two clusters, a "source" and a "target" | 17:17 |
| mattmceuen | The source cluster is running a job | 17:17 |
| mattmceuen | The job's container has /armada/.kube/config mounted into it, and is set up with admin credentials for the target (as opposed to the source) cluster | 17:17 |
| mattmceuen | Kubectl is run inside the job's container, and is able to create resources in the target cluster [what kubeconfig credentials are being used for this?] | 17:17 |
| mattmceuen | Armada CLI is run inside the job's container, pointed at the target cluster, and you get the error indicating that the action is being attempted by system:serviceaccount:default:default ? | 17:17 |
| mattmceuen | Is that all accurate? | 17:17 |
| GP_singh | yes | 17:19 |
| GP_singh | that is all correct | 17:20 |
| GP_singh | Kubectl is run inside the job's container, and is able to create resources in the target cluster [what kubeconfig credentials are being used for this?] | 17:20 |
| GP_singh | to answer this | 17:20 |
| GP_singh | it is using the same config which is being passed to armada | 17:20 |
| GP_singh | $HOME/.kube/config -- where $HOME is /armada | 17:21 |
| mattmceuen | I have a theory what's going on: | 17:25 |
| mattmceuen | https://opendev.org/airship/armada/src/branch/master/armada/handlers/k8s.py#L43-L46 | 17:26 |
| mattmceuen | Armada first tries to load the "in cluster config" using the kubernetes client library, and only if that fails, it tries to load "out of cluster config" from disk | 17:27 |
| GP_singh | oops | 17:27 |
| GP_singh | how can we bypass this? | 17:27 |
| mattmceuen | Since you're running the cli from within a job, I bet the "source" cluster's (default) user is being used | 17:27 |
| GP_singh | is there a way we can force it to use the passed config? | 17:27 |
| GP_singh | yes that is correct | 17:28 |
| GP_singh | source cluster is using default user | 17:28 |
| mattmceuen | I think a "force" option might require a code change to armada | 17:28 |
| *** openstackgerrit has quit IRC | 17:29 | |
| GP_singh | nothing can be done without a code change? | 17:29 |
| mattmceuen | dwalt: any other thoughts on this, or other good ideas besides adding a --force-kube-config options or some such | 17:29 |
| mattmceuen | I'm not certain where load_kube_config() gets its values from -- if it's environment variables, maybe you could just unset the right variable in your script prior to invoking Armada CLI | 17:31 |
| *** openstackgerrit has joined #airshipit | 17:32 | |
| openstackgerrit | Stas Egorov proposed airship/pegleg master: Uplift promenade for using containerd https://review.opendev.org/697389 | 17:32 |
| GP_singh | thanks Matt this was of great help :) | 17:32 |
| mattmceuen | (I mean, load_incluster_config) | 17:32 |
| dwalt | ++ to everything mattmceuen has said. For reference, here is the method being called, which uses environment variables: https://github.com/kubernetes-client/python-base/blob/a2d1024524de78b62e5f9aa72d34cb9ea9de2b97/config/incluster_config.py#L87 | 17:37 |
| mattmceuen | Sure thing GP_singh - dwalt found the k8s source with the env variables to try unsetting^^ | 17:38 |
| mattmceuen | We want to throw one of those ConfigExceptions back to Armada, and then Armada should pull the file off the disk. Let us know how it works for you! | 17:38 |
| *** GP_singh has quit IRC | 17:39 | |
| openstackgerrit | Merged airship/airshipui master: Upgrade to octant 0.9.1 https://review.opendev.org/694858 | 17:43 |
| *** graysonh has joined #airshipit | 17:44 | |
| openstackgerrit | eric welch proposed airship/deckhand master: Yaml linting gates (sixth commit WIP) Change-Id: I4cf78172b71e8fa0c4de5072b51a1fd90fee595a https://review.opendev.org/693935 | 17:47 |
| openstackgerrit | Merged airship/airshipui master: Add argo-ui as an iframe https://review.opendev.org/694896 | 17:51 |
| openstackgerrit | eric welch proposed airship/deckhand master: Yaml linting gates (seventh commit WIP) Change-Id: I4cf78172b71e8fa0c4de5072b51a1fd90fee595a https://review.opendev.org/693935 | 18:18 |
| openstackgerrit | Merged airship/pegleg master: Uplift promenade for using containerd https://review.opendev.org/697389 | 18:32 |
| *** gp_singh84 has joined #airshipit | 18:43 | |
| gp_singh84 | Hey mattmceuen thanks for the tip | 18:44 |
| gp_singh84 | I got around the issue | 18:44 |
| *** lemko has quit IRC | 18:48 | |
| openstackgerrit | Gary W. Smith proposed airship/airshipui master: Add unit tests to airshipui plugin https://review.opendev.org/686031 | 18:58 |
| openstackgerrit | Gary W. Smith proposed airship/airshipui master: Integrate golangci-lint linter https://review.opendev.org/697392 | 18:58 |
| openstackgerrit | Gary W. Smith proposed airship/airshipui master: Add gate, check jobs for zuul https://review.opendev.org/697570 | 18:58 |
| mattmceuen | that's great news gp_singh84 | 18:58 |
| *** gp_singh84 has quit IRC | 19:11 | |
| *** michael-beaver has quit IRC | 19:37 | |
| *** rezroo has quit IRC | 19:43 | |
| openstackgerrit | Sreejith Punnapuzha proposed airship/porthole master: [WIP] Fix postgresql utility https://review.opendev.org/691122 | 19:46 |
| clarkb | heads up I think the deckhand functional docker jobs may be failing because the become_user here https://opendev.org/openstack/openstack-helm-infra/src/branch/master/roles/deploy-docker/tasks/deploy-ansible-docker-support.yaml#L26-L37 is not valid with ansible 2.8 | 19:56 |
| clarkb | I think it was valid with ansible 2.7 but zuul recently updates its default ansible version to 2.8. You'll either want to ping ansible on those jobs to 2.7 or update OSH to push the become down into the role | 19:57 |
| clarkb | I don't think the OSH jobs notes though? at least they haven't run recently enough to be caught by my logstash query | 19:57 |
| openstackgerrit | Merged airship/porthole master: Calicoctl-utility python and Ubuntu upgrade. https://review.opendev.org/696809 | 20:02 |
| openstackgerrit | diwakar thyagaraj proposed airship/porthole master: Etcdctl utility container image python and Ubuntu upgrades https://review.opendev.org/696075 | 20:16 |
| mattmceuen | thanks for the heads-up clarkb! | 20:18 |
| openstackgerrit | Ian Pittwood proposed airship/airshipctl master: [WIP] Add document pull command https://review.opendev.org/698955 | 20:24 |
| *** graysonh has quit IRC | 20:35 | |
| *** michael-beaver has joined #airshipit | 20:38 | |
| openstackgerrit | diwakar thyagaraj proposed airship/porthole master: Editorial changes to documentation files https://review.opendev.org/697368 | 20:40 |
| openstackgerrit | diwakar thyagaraj proposed airship/porthole master: Ceph-utility python and Ubuntu upgrade. https://review.opendev.org/696813 | 20:41 |
| openstackgerrit | Ryan Schroder proposed airship/spyglass master: Docker image guide https://review.opendev.org/699016 | 20:57 |
| openstackgerrit | Ryan Schroder proposed airship/spyglass master: Docker image guide https://review.opendev.org/699016 | 21:00 |
| openstackgerrit | Merged airship/porthole master: Enable runtime-default Apparmor Profile to Postgresql Utility Container. https://review.opendev.org/696142 | 21:03 |
| *** AlexNoskov has joined #airshipit | 21:05 | |
| openstackgerrit | diwakar thyagaraj proposed airship/porthole master: Postgresql UC Python and Ubuntu upgrade. https://review.opendev.org/699026 | 21:37 |
| openstackgerrit | Merged airship/promenade master: Ubuntu 18.04, configure chrony https://review.opendev.org/697722 | 22:09 |
| openstackgerrit | Kaspars Skels proposed airship/treasuremap master: Fix: Set proper version for curator https://review.opendev.org/699032 | 22:14 |
| *** KeithMnemonic1 has joined #airshipit | 22:15 | |
| *** KeithMnemonic has quit IRC | 22:19 | |
| *** michael-beaver has quit IRC | 22:48 | |
| *** KeithMnemonic1 has quit IRC | 23:19 | |
| *** spilla has quit IRC | 23:24 | |
| openstackgerrit | Merged airship/airshipui master: Add unit tests to airshipui plugin https://review.opendev.org/686031 | 23:45 |
| *** alexanderhughes has quit IRC | 23:47 | |
| *** jamesgu has quit IRC | 23:58 | |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!