
Namespace scoped installation of the operator #466

Open
IlonkaO opened this issue Dec 10, 2024 · 3 comments
Labels
chart( operator ) Related to the operator (cloudnative-pg) chart

Comments


IlonkaO commented Dec 10, 2024

I want to run the cloudnative-pg operator in a namespace on an OpenShift cluster with the helm chart. My user has the project admin role and the cloudnative-pg-admin role. The CRDs and the clusterroles are provided by the platform team.

In the values.yaml I deactivated the admissionConfigs and the clusterwide watch. Also RBAC is deactivated to prevent the installation of the clusterroles.

The installation via helm was successful! But after that the operator pod itself ends up in CrashLoopBackOff. After a short look at the logs I could see that the operator tries to create admissionConfigs:

{"level":"info","ts":"2024-12-09T16:23:42.6716422Z","logger":"setup","msg":"Starting CloudNativePG Operator","version":"1.24.1","build":{"Version":"1.24.1","Commit":"3f96930d","Date":"2024-10-16"}}
{"level":"info","ts":"2024-12-09T16:23:42.671803415Z","logger":"setup","msg":"Listening for changes","watchNamespaces":["test-cloudnative-pg"]}
{"level":"info","ts":"2024-12-09T16:23:42.672635136Z","logger":"setup","msg":"Loading configuration from ConfigMap","namespace":"test-cloudnative-pg","name":"cnpg-controller-manager-config"}
{"level":"info","ts":"2024-12-09T16:23:42.686428846Z","logger":"setup","msg":"Operator configuration loaded","configuration":{"webhookCertDir":"","pluginSocketDir":"/plugins","watchNamespace":"test-cloudnative-pg","operatorNamespace":"test-cloudnative-pg","operatorPullSecretName":"cnpg-pull-secret","operatorImageName":"docker-dev.art.strive.bamf.in.bund.de/bamf/bdop/cloudnative-pg/cloudnative-pg:1.24.1","postgresImageName":"ghcr.io/cloudnative-pg/postgresql:17.0","inheritedAnnotations":null,"inheritedLabels":null,"monitoringQueriesConfigmap":"cnpg-default-monitoring","monitoringQueriesSecret":"","enableInstanceManagerInplaceUpdates":false,"enableAzurePVCUpdates":false,"certificateDuration":90,"expiringCheckThreshold":7,"createAnyService":false}}
{"level":"info","ts":"2024-12-09T16:23:42.691689619Z","logger":"setup","msg":"Kubernetes system metadata","haveSCC":true,"haveVolumeSnapshot":true,"availableArchitectures":[{"GoArch":"amd64"},{"GoArch":"arm64"}]}
{"level":"error","ts":"2024-12-09T16:23:42.770099046Z","logger":"setup","msg":"unable to setup PKI infrastructure","error":"mutatingwebhookconfigurations.admissionregistration.k8s.io \"cnpg-mutating-webhook-configuration\" is forbidden: User \"system:serviceaccount:test-cloudnative-pg:cloudnative-pg\" cannot get resource \"mutatingwebhookconfigurations\" in API group \"admissionregistration.k8s.io\" at the cluster scope","stacktrace":"github.com/cloudnative-pg/machinery/pkg/log.(*logger).Error\n\tpkg/mod/github.com/cloudnative-pg/[email protected]/pkg/log/log.go:125\ngithub.com/cloudnative-pg/cloudnative-pg/internal/cmd/manager/controller.ensurePKI\n\tinternal/cmd/manager/controller/controller.go:395\ngithub.com/cloudnative-pg/cloudnative-pg/internal/cmd/manager/controller.RunController\n\tinternal/cmd/manager/controller/controller.go:217\ngithub.com/cloudnative-pg/cloudnative-pg/internal/cmd/manager/controller.NewCmd.func1\n\tinternal/cmd/manager/controller/cmd.go:42\ngithub.com/spf13/cobra.(*Command).execute\n\tpkg/mod/github.com/spf13/[email protected]/command.go:985\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\tpkg/mod/github.com/spf13/[email protected]/command.go:1117\ngithub.com/spf13/cobra.(*Command).Execute\n\tpkg/mod/github.com/spf13/[email protected]/command.go:1041\nmain.main\n\tcmd/manager/main.go:68\nruntime.main\n\t/opt/hostedtoolcache/go/1.23.2/x64/src/runtime/proc.go:272"}

Expected behaviour:
If I deactivate the admissionConfigs I'd expect that the operator doesn't try to create any admissionConfigs. This is obviously different.

values.yaml.txt
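The error line above is a standard Kubernetes RBAC denial, and the quickest way to confirm that the platform-provided roles really lack the permission is to replay it with kubectl impersonating the operator's service account. The Go program below is an added example, not part of the issue or of the cloudnative-pg project: it parses the operator's JSON log lines (the sample line is the one pasted above, embedded so it runs offline), extracts user, verb, resource, API group and scope from a "forbidden" message, and builds the matching `kubectl auth can-i` command. The regular expression and the Forbidden type are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: the "unable to setup PKI infrastructure" log line from
// the issue, embedded here so the example runs without a cluster.
const sampleLine = `{"level":"error","ts":"2024-12-09T16:23:42.770099046Z","logger":"setup","msg":"unable to setup PKI infrastructure","error":"mutatingwebhookconfigurations.admissionregistration.k8s.io \"cnpg-mutating-webhook-configuration\" is forbidden: User \"system:serviceaccount:test-cloudnative-pg:cloudnative-pg\" cannot get resource \"mutatingwebhookconfigurations\" in API group \"admissionregistration.k8s.io\" at the cluster scope"}`

// Forbidden holds the parts of a Kubernetes RBAC denial message.
// Namespace is empty when the denial was at the cluster scope.
type Forbidden struct {
	User      string
	Verb      string
	Resource  string
	Group     string
	Namespace string
}

// forbiddenRe matches the wording the API server uses for RBAC denials
// (assumed stable enough for triage; this is the example's own pattern).
var forbiddenRe = regexp.MustCompile(
	`User "([^"]+)" cannot (\w+) resource "([^"]+)" in API group "([^"]*)" (?:at the cluster scope|in the namespace "([^"]+)")`)

// ParseForbidden extracts an RBAC denial from one structured (JSON) log line.
// It returns ok=false for non-error lines and for errors that are not denials.
func ParseForbidden(line string) (Forbidden, bool) {
	var rec struct {
		Level string `json:"level"`
		Error string `json:"error"`
	}
	if err := json.Unmarshal([]byte(line), &rec); err != nil || rec.Level != "error" {
		return Forbidden{}, false
	}
	m := forbiddenRe.FindStringSubmatch(rec.Error)
	if m == nil {
		return Forbidden{}, false
	}
	return Forbidden{User: m[1], Verb: m[2], Resource: m[3], Group: m[4], Namespace: m[5]}, true
}

// CanICommand builds the kubectl check that replays the denial against the
// live RBAC, impersonating the service account named in the message.
func (f Forbidden) CanICommand() string {
	res := f.Resource
	if f.Group != "" {
		res += "." + f.Group // fully qualified resource, e.g. foo.group.k8s.io
	}
	args := []string{"kubectl", "auth", "can-i", f.Verb, res, "--as=" + f.User}
	if f.Namespace != "" {
		args = append(args, "-n", f.Namespace)
	}
	return strings.Join(args, " ")
}

func main() {
	f, ok := ParseForbidden(sampleLine)
	if !ok {
		fmt.Println("no RBAC denial found in the sample line")
		return
	}
	scope := "cluster scope"
	if f.Namespace != "" {
		scope = "namespace " + f.Namespace
	}
	fmt.Printf("%s lacks %q on %s (%s)\n", f.User, f.Verb, f.Resource, scope)
	fmt.Println("verify with:", f.CanICommand())
}
```

For the line above this prints a cluster-scoped check with no -n flag, which is the point: with rbac and admission configs disabled in the chart, nothing in the namespace can grant a get on mutatingwebhookconfigurations, so the check is expected to answer "no" until the operator stops touching that resource in single-namespace mode.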

mrksngl (Contributor) commented Dec 18, 2024

One thing I noticed is that config.clusterWide is not working as expected:

{{ if not .Values.config.clusterWide -}}

and the lines below suggest that there should be an environment variable WATCH_NAMESPACE: …, but it doesn't show up in the deployment.

I'm not completely familiar with helm syntax, but it looks like the hyphen went to the wrong end here: instead of {{- … }} (like it does in all other lines), it says {{ … -}} here.

Maybe you can fix the issue until this is resolved by using

config:
  data:
    WATCH_NAMESPACE: [your namespace here]
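The whitespace-control point above, as an added example that is not the chart's own template (the real deployment.yaml is not shown in this thread). Helm renders charts with Go's text/template, where `{{-` trims the whitespace before an action and `-}}` trims the whitespace after it, newlines included. The two fragments below are constructed so that the if action sits at column 0, as block actions often do in charts: with `-}}` the newline and indentation in front of `- name: WATCH_NAMESPACE` are swallowed and the entry lands at column 0, outside the env list, while `{{- if … }}` leaves it where the other env entries are. The helper checks the rendered text by indentation so it needs no YAML library; how a misplaced entry surfaces in practice (a render error, or an entry that ends up somewhere other than the container's env) depends on the surrounding layout of the real template.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Constructed fragment with the trim marker on the closing side of the if,
// as described in the comment. Not the chart's own template.
const tmplTrailingTrim = `          env:
          - name: OPERATOR_NAMESPACE
            value: {{ .Namespace }}
{{ if not .ClusterWide -}}
          - name: WATCH_NAMESPACE
            value: {{ .Namespace }}
{{- end }}
`

// Same fragment with the trim marker on the opening side, the usual Helm style.
const tmplLeadingTrim = `          env:
          - name: OPERATOR_NAMESPACE
            value: {{ .Namespace }}
{{- if not .ClusterWide }}
          - name: WATCH_NAMESPACE
            value: {{ .Namespace }}
{{- end }}
`

// Values stands in for the chart values this example needs (assumed shape).
type Values struct {
	Namespace   string
	ClusterWide bool
}

// Render executes a template with Go's text/template, the engine Helm uses.
func Render(src string, v Values) (string, error) {
	t, err := template.New("env").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, v); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// EnvItemIndent returns the number of leading spaces in front of the
// "- name: <name>" list item in rendered text, or -1 if the item is absent.
func EnvItemIndent(rendered, name string) int {
	for _, line := range strings.Split(rendered, "\n") {
		trimmed := strings.TrimLeft(line, " ")
		if trimmed == "- name: "+name {
			return len(line) - len(trimmed)
		}
	}
	return -1
}

// WatchNamespaceWellFormed reports whether WATCH_NAMESPACE was rendered at the
// same list indentation as OPERATOR_NAMESPACE, i.e. as a sibling env entry.
func WatchNamespaceWellFormed(rendered string) bool {
	ref := EnvItemIndent(rendered, "OPERATOR_NAMESPACE")
	got := EnvItemIndent(rendered, "WATCH_NAMESPACE")
	return ref >= 0 && got == ref
}

func main() {
	v := Values{Namespace: "test-cloudnative-pg", ClusterWide: false}
	for _, c := range []struct{ label, src string }{
		{"{{ if ... -}}", tmplTrailingTrim},
		{"{{- if ... }}", tmplLeadingTrim},
	} {
		out, err := Render(c.src, v)
		if err != nil {
			panic(err)
		}
		fmt.Printf("=== %s ===\n%s(WATCH_NAMESPACE well-formed: %v)\n\n", c.label, out, WatchNamespaceWellFormed(out))
	}
}
```

The same indentation check can be run over `helm template` output of the real chart to confirm that a namespace-scoped install actually carries WATCH_NAMESPACE before the operator is deployed.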

mrksngl (Contributor) commented Dec 18, 2024

Fixed it locally and it seems my guess was right. Created PR #473

It's funny that the PR requires a "Deploy the operator in single-namespace mode" check. That raises the question of what this check has been good for in the past, when it supposedly couldn't find this bug in a setting I assume to be rather essential for "single-namespace mode". 😄

NiccoloFei added the chart( operator ) label Dec 18, 2024

icekom commented Dec 23, 2024

Related to #344 and cloudnative-pg/cloudnative-pg#3753
