flink-on-k8s-operator
Helm install failed because of the cert-job
In the Master branch, I install the operator by using helm3 install and find that the cert-job is in error status.
kubectl get pod -n flink-operator-system
NAME READY STATUS RESTARTS AGE
cert-job-d8qsc 0/1 Error 0 8m23s
flink-operator-controller-manager-7db8b6c777-dxvvr 0/2 ContainerCreating 0 8m23s
kubectl logs -n flink-operator-system cert-job-d8qsc
cert.sh
- service=flink-operator-webhook-service
- secret=webhook-server-cert
- namespace=flink-operator-system
- csrName=flink-operator-webhook-service.flink-operator-system
...
from server for: "STDIN": secrets "webhook-server-cert" is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot get resource "secrets" in API group "" in the namespace "flink-operator-system"
It's caused by https://github.com/GoogleCloudPlatform/flink-on-k8s-operator/commit/93a5bb2a4b5d0a5ed6ff830d766ce3ef3ab7229d. The secrets is removed from the yaml. Does anybody know the reason? Thanks.
What commands exactly did you run to install? Cannot reproduce from my side.
Thanks for your response. Here is my flow.
helm3 repo add flink-operator-repo https://googlecloudplatform.github.io/flink-on-k8s-operator/
helm3 fetch flink-operator-repo/flink-operator
tar zxvf flink-operator-0.1.1.tgz
helm3 install testop ./flink-operator --set operatorImage.name=$my-operator-image
kubectl logs -n flink-operator-system cert-job-zd7rb
cert.sh
+ service=flink-operator-webhook-service
+ secret=webhook-server-cert
+ namespace=flink-operator-system
+ csrName=flink-operator-webhook-service.flink-operator-system
++ mktemp -d
+ tmpdir=/tmp/tmp.9mbAlwdnbw
+ echo 'Creating certs in tmpdir /tmp/tmp.9mbAlwdnbw '
+ cat
Creating certs in tmpdir /tmp/tmp.9mbAlwdnbw
+ openssl req -nodes -new -x509 -keyout ca.key -out ca.crt -subj '/CN=Admission Controller Webhook CA'
Can't load /root/.rnd into RNG
139673035747776:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
Generating a RSA private key
............+++++
.................................................................................................+++++
writing new private key to 'ca.key'
-----
+ openssl genrsa -out /tmp/tmp.9mbAlwdnbw/server-key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................................................................+++++
.....................+++++
e is 65537 (0x010001)
+ openssl req -new -key /tmp/tmp.9mbAlwdnbw/server-key.pem -subj /CN=flink-operator-webhook-service.flink-operator-system.svc -config /tmp/tmp.9mbAlwdnbw/csr.conf
+ openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -out /tmp/tmp.9mbAlwdnbw/server-cert.pem
Signature ok
subject=CN = flink-operator-webhook-service.flink-operator-system.svc
Getting CA Private Key
++ openssl base64 -A -in /tmp/tmp.9mbAlwdnbw/server-cert.pem
+ serverCert=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
+ [[ -z 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 ]]
++ echo 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
+ export CA_PEM_B64=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
+ kubectl create secret generic webhook-server-cert --from-file=tls.key=/tmp/tmp.9mbAlwdnbw/server-key.pem --from-file=tls.crt=/tmp/tmp.9mbAlwdnbw/server-cert.pem --dry-run -o yaml
+ kubectl -n flink-operator-system apply -f -
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=secrets", GroupVersionKind: "/v1, Kind=Secret"
Name: "webhook-server-cert", Namespace: "flink-operator-system"
Object: &{map["apiVersion":"v1" "data":map["tls.crt":"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" "tls.key":"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"] "kind":"Secret" "metadata":map["annotations":map["kubectl.kubernetes.io/last-applied-configuration":""] "creationTimestamp":<nil> "name":"webhook-server-cert" "namespace":"flink-operator-system"]]}
from server for: "STDIN": secrets "webhook-server-cert" is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot get resource "secrets" in API group "" in the namespace "flink-operator-system"
By the way, has the image gcr.io/flink-operator/deployer:webhook-cert been changed recently?
Do you have to make any local change to the operator? If not, could you try installing directly with
helm install --name [RELEASE_NAME] flink-operator-repo/flink-operator
instead of fetching it and installing from a local folder?
I didn't change the operator and I tried with the flink-operator image as below:
gcr.io/flink-operator/flink-operator latest afc62deadfbb 3 weeks ago 43.1MB
New test flow as below, also can get this issue.
1) helm repo add flink-operator-repo https://googlecloudplatform.github.io/flink-on-k8s-operator/
2) helm install test-this-issue-from-repo flink-operator-repo/flink-operator --set operatorImage.name=gcr.io/flink-operator/flink-operator:latest
And this flow can also reproduce the issue:
1) wget https://github.com/GoogleCloudPlatform/flink-on-k8s-operator/archive/master.zip
2) unzip master.zip && cd flink-on-k8s-operator-master/
3) helm repo add flink-operator-repo https://googlecloudplatform.github.io/flink-on-k8s-operator/
4) helm install test-this-issue-from-local ./helm-chart/flink-operator/ --set operatorImage.name=gcr.io/flink-operator/flink-operator:latest
Finally, I use the 0.1.1 release version, the cert-job is installed successfully:
1) wget https://github.com/GoogleCloudPlatform/flink-on-k8s-operator/archive/flink-operator-0.1.1.zip
2) unzip flink-operator-0.1.1.zip && cd flink-on-k8s-operator-flink-operator-0.1.1/
3) helm repo add flink-operator-repo https://googlecloudplatform.github.io/flink-on-k8s-operator/
4) helm install test-this-issue-from-local ./helm-chart/flink-operator/ --set operatorImage.name=gcr.io/flink-operator/flink-operator:latest
kubectl get pod --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
flink-operator-system cert-job-xgbm6 0/1 Completed
I'm getting the same issue even with the latest 0.1.1 release version. @hongyegong, what's the reason for removing these rules https://github.com/GoogleCloudPlatform/flink-on-k8s-operator/commit/93a5bb2a4b5d0a5ed6ff830d766ce3ef3ab7229d#diff-a44b6c555165f54dd8785bd815a654dcL178-L201 ? If I update the role in line with the removed rules the cert-job completes without issues.
Also failing on 0.1.1 release: MountVolume.SetUp failed for volume "cert" : secret "webhook-server-cert" not found
> helm repo add flink-operator-repo https://googlecloudplatform.github.io/flink-on-k8s-operator/
> helm install flink-ops flink-operator-repo/flink-operator --set operatorImage.name=gcr.io/flink-operator/flink-operator:0.1.1
@dr3s can you paste the log here, based on comments above you should see cert-job completed successfully with operator version 0.1.1.
@smainv That got removed cuz it was in line with operator at the time.
which log? this is what I got: MountVolume.SetUp failed for volume "cert" : secret "webhook-server-cert" not found
btw, used make deploy on master instead and it works
you have to provide the logs from the kubernetes pod which runs the job cert-job
kubectl get pod -n flink-operator-system |grep cert-job
then get the logs from
kubectl logs cert-job-<something> -n flink-operator-system
I'm sure you'll get something which contains: secrets "webhook-server-cert" is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot get resource "secrets" in API group "" in the namespace "flink-operator-system"
this is related to the change https://github.com/GoogleCloudPlatform/flink-on-k8s-operator/commit/93a5bb2a4b5d0a5ed6ff830d766ce3ef3ab7229d#diff-a44b6c555165f54dd8785bd815a654dcL178-L201 I mentioned above that these access rules have been removed recently.
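Added example, not part of the thread or of the project's chart: a POSIX shell sketch that parses the "forbidden" line quoted above and prints a Role and RoleBinding scoped to that one secret. The name cert-job-secret-writer and the chosen verbs are assumptions for illustration, not the rules removed in the linked commit.

```shell
#!/bin/sh
# Added example: derive a least-privilege Role from a kubectl "forbidden" line.
# Constructed sample input: the error line from the cert-job log in this thread.
SAMPLE_LOG='from server for: "STDIN": secrets "webhook-server-cert" is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot get resource "secrets" in API group "" in the namespace "flink-operator-system"'

# Prints "namespace serviceaccount verb resource name" for a denial in the
# core API group; prints nothing for any other line.
parse_forbidden() {
  printf '%s\n' "$1" | sed -nE \
    's/.* "([^"]+)" is forbidden: User "system:serviceaccount:([^:"]+):([^"]+)" cannot ([a-z]+) resource "([^"]+)" in API group "" in the namespace "[^"]+".*/\2 \3 \4 \5 \1/p'
}

# Emits a Role and RoleBinding for the denied object. "kubectl apply" needs
# get, then create or patch. "create" cannot be limited by resourceNames,
# so it is granted in a separate rule.
render_role() {
  set -- $(parse_forbidden "$1")
  [ "$#" -eq 5 ] || return 1
  ns=$1 sa=$2 res=$4 name=$5
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: cert-job-secret-writer, namespace: $ns}  # hypothetical name
rules:
- apiGroups: [""]
  resources: ["$res"]
  resourceNames: ["$name"]
  verbs: ["get", "patch"]
- apiGroups: [""]
  resources: ["$res"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: cert-job-secret-writer, namespace: $ns}
subjects:
- kind: ServiceAccount
  name: $sa
  namespace: $ns
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: cert-job-secret-writer}
EOF
}

render_role "$SAMPLE_LOG"
```

Because the denied identity is the namespace's default service account, this binding applies to every pod in flink-operator-system that does not set its own service account; running the job under a dedicated account keeps the grant narrower.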
indeed that is the error. I also tried release v1beta1-3 and latest. Same Error.
v1beta1-3 seems to have been released before that commit. https://console.cloud.google.com/gcr/images/flink-operator/GLOBAL/flink-operator@sha256:023148f9794ebd40a06ee068ecee7cd07a4082d36fa72d905b4df9fc72aab891/details?tab=info
This issue is resolved on master. Is it possible to release new version of flink-operator helm chart?
I'm getting the same issue on GKE
Same error here. Any idea on when this will be released?
Is there any workaround for this?
@memorais not sure where I read it, but I changed at Makefile:
go get sigs.k8s.io/controller-tools/cmd/[email protected] ;\
with =>
go get sigs.k8s.io/controller-tools/cmd/[email protected] ;\
That change also makes the file flinkoperator.k8s.io_flinkclusters.yaml change:
- change controller:
controller-gen.kubebuilder.io/version: v0.3.0
=>
controller-gen.kubebuilder.io/version: v0.2.4
- removes the service account:
serviceAccountName:
type: string
- changes divisor:
divisor:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
=>
divisor:
type: string
Once I did those changes, I executed a normal deploy from the repo and it created the operator:
make deploy IMG=gcr.io/flink-operator/flink-operator:latest
I tested it by deploying a flink cluster:
kubectl apply -f config/samples/flinkoperator_v1beta1_flinksessioncluster.yaml
With those changes, it starts working for me at least.
Please tell us if this workaround works also for you :)
Thank you, it works for me on newly installed K3s!
Two images cannot be downloaded from China because they are blocked: gcr.io/flink-operator/deployer:webhook-cert and gcr.io/kubebuilder/kube-rbac-proxy. I could not find replacement images on Docker Hub.
So the workarounds work, but this doesn't really help in the case of trying to use the helm chart. What is needed in order for this to get rolled out into the Helm repo?