[BUG] Generated svc seems to be invalid when using namespaced and manually making secret
Describe the bug
When trying to deploy an onionService, it fails with spec.ports being invalid on the resulting svc, but I did not set those.
To Reproduce
- Use chart version 0.1.10.
- Try to deploy your own onion hidden service using an already existing secret
Expected behavior
I would have expected it to work out of the box.
Additional information
1.6760656458278763e+09 INFO setup Namespaced mode. Namespace=tor
I0210 23:47:26.879122 1 request.go:665] Waited for 1.042846605s due to client-side throttling, not priority and fairness, request: GET:https://10.96.0.1:443/apis/flowcontrol.apiserver.k8s.io/v1beta2?timeout=32s
1.6760656517309356e+09 INFO controller-runtime.metrics Metrics server is starting to listen {"addr": "127.0.0.1:8080"}
1.6760656517313352e+09 INFO setup starting manager
1.67606565173157e+09 INFO Starting server {"path": "/metrics", "kind": "metrics", "addr": "127.0.0.1:8080"}
1.6760656517315936e+09 INFO Starting server {"kind": "health probe", "addr": "[::]:8081"}
I0210 23:47:31.731660 1 leaderelection.go:248] attempting to acquire leader lease tor/59806307.k8s.torproject.org...
I0210 23:47:31.739819 1 leaderelection.go:258] successfully acquired lease tor/59806307.k8s.torproject.org
1.6760656517398953e+09 DEBUG events Normal {"object": {"kind":"ConfigMap","namespace":"tor","name":"59806307.k8s.torproject.org","uid":"fbd90cbf-9093-4d01-ac57-b65f7e7f8f99","apiVersion":"v1","resourceVersion":"37451085"}, "reason": "LeaderElection", "message": "controller-tor-controller-9498d848-7rlnf_53a7ea13-44a1-43b6-b95d-2ee8d5aacfe5 became leader"}
1.6760656517399955e+09 DEBUG events Normal {"object": {"kind":"Lease","namespace":"tor","name":"59806307.k8s.torproject.org","uid":"bc0bd139-a8b3-4aad-af0c-e40712e645a2","apiVersion":"coordination.k8s.io/v1","resourceVersion":"37451086"}, "reason": "LeaderElection", "message": "controller-tor-controller-9498d848-7rlnf_53a7ea13-44a1-43b6-b95d-2ee8d5aacfe5 became leader"}
1.676065651740228e+09 INFO controller.onionservice Starting EventSource {"reconciler group": "tor.k8s.torproject.org", "reconciler kind": "OnionService", "source": "kind source: *v1alpha2.OnionService"}
1.6760656517403154e+09 INFO controller.onionservice Starting Controller {"reconciler group": "tor.k8s.torproject.org", "reconciler kind": "OnionService"}
1.6760656517404015e+09 INFO controller.tor Starting EventSource {"reconciler group": "tor.k8s.torproject.org", "reconciler kind": "Tor", "source": "kind source: *v1alpha2.Tor"}
1.6760656517404346e+09 INFO controller.tor Starting Controller {"reconciler group": "tor.k8s.torproject.org", "reconciler kind": "Tor"}
1.6760656517405043e+09 INFO controller.onionbalancedservice Starting EventSource {"reconciler group": "tor.k8s.torproject.org", "reconciler kind": "OnionBalancedService", "source": "kind source: *v1alpha2.OnionBalancedService"}
1.6760656517405345e+09 INFO controller.onionbalancedservice Starting Controller {"reconciler group": "tor.k8s.torproject.org", "reconciler kind": "OnionBalancedService"}
1.6760656518420749e+09 INFO controller.tor Starting workers {"reconciler group": "tor.k8s.torproject.org", "reconciler kind": "Tor", "worker count": 1}
1.67606565184213e+09 INFO controller.onionservice Starting workers {"reconciler group": "tor.k8s.torproject.org", "reconciler kind": "OnionService", "worker count": 1}
1.6760656518420577e+09 INFO controller.onionbalancedservice Starting workers {"reconciler group": "tor.k8s.torproject.org", "reconciler kind": "OnionBalancedService", "worker count": 1}
1.6761279208114672e+09 INFO controller.onionservice Secret ahmia-onion-secret already exists and is not controller by ahmia-search {"reconciler group": "tor.k8s.torproject.org", "reconciler kind": "OnionService", "name": "ahmia-search", "namespace": "tor"}
1.6761279212766361e+09 ERROR controller.onionservice Reconciler error {"reconciler group": "tor.k8s.torproject.org", "reconciler kind": "OnionService", "name": "ahmia-search", "namespace": "tor", "error": "Service \"ahmia-search-tor-svc\" is invalid: spec.ports: Required value"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:266
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227
1.6761279212831628e+09 INFO controller.onionservice Secret ahmia-onion-secret already exists and is not controller by ahmia-search {"reconciler group": "tor.k8s.torproject.org", "reconciler kind": "OnionService", "name": "ahmia-search", "namespace": "tor"}
1.676127921300338e+09 ERROR controller.onionservice Reconciler error {"reconciler group": "tor.k8s.torproject.org", "reconciler kind": "OnionService", "name": "ahmia-search", "namespace": "tor", "error": "Service \"ahmia-search-tor-svc\" is invalid: spec.ports: Required value"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:266
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227
System (please complete the following information):
- Platform: amd64
- Version 0.1.10 of Chart
Additional context
Values are here
Oh, there is no validating webhook to make sure it's right?
Hi @samip5, thanks for opening the issue; gonna investigate. The secret and service you're using are in the same namespace? (tor in your example)
The generated svc and secret are in the same namespace, but my goal is that the backend for the onionservice is not in the same namespace (which doesn't seem supported)...
Still not sure what's going on; from the log it seems the controller is not able to build the Ports list to create the Service the tor instance will be pointing to: https://github.com/bugfest/tor-controller/blob/0ad0895dc9609cad9e4ef48d6d5223c5d6525b25/controllers/tor/onionservice_service.go#L80
Can you test deploying the example: https://github.com/bugfest/tor-controller/blob/master/hack/sample/echoserver.yaml https://github.com/bugfest/tor-controller/blob/master/hack/sample/onionservice.yaml
And check if the error is reproduced? Also, what k8s version is your affected cluster using?
I think it would be useful to include a validating webhook so that there are no such weird errors when the manifest is incorrect.
I believe it was the result of not including rules at all, e.g. https://github.com/samip5/k8s-cluster/blob/987bb26aedbbbe7672c80cce0e06f0297a5d5179/cluster/apps/tor/services/ahmia-hidden.yaml (which used API version tor.k8s.torproject.org/v1alpha1), and https://github.com/samip5/k8s-cluster/blob/abc35c15e2c16d7dba61869a35ed960d62284e8d/cluster/apps/tor/services/ahmia-hidden.yaml does work.
Thanks @samip5. I agree, a webhook to validate those will help. I'll change this one to enhancement and will start working on it.
@bugfest Was this forgotten?
Hi @samip5, not forgotten but deprioritized; I've been working on other bug fixes and OLM future migration. I'll keep this open so I don't forget about it. Any implementation draft will be welcomed via PR. Thanks for your understanding.