
Few issues with OCP 4.11

Open slallemand opened this issue 2 years ago • 2 comments

Hello,

I tried to deploy this demo on a 4.11 OCP cluster.

Prerequisites are installed:

$ pip3 list | grep -e kubernetes -e openshift -e jmespath 
jmespath            1.0.1
kubernetes          24.2.0
openshift           0.13.1

$ ansible --version 
ansible [core 2.13.4]
  config file = None
  configured module search path = ['/Users/slallema/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/Cellar/ansible/6.4.0/libexec/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/slallema/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible
  python version = 3.10.7 (main, Sep 14 2022, 22:38:23) [Clang 14.0.0 (clang-1400.0.29.102)]
  jinja version = 3.1.2
  libyaml = True

I have a first issue with the install.sh phase and the ocp4-post-acs task:

TASK [ocp4-post-acs : Get the secret that contains the token of sa pipeline] ***************************************************************
ok: [localhost] => {"ansible_facts": {"token_sa_pipeline_secret": []}, "changed": false}

TASK [ocp4-post-acs : Get token in the secret for the sa pipeline and decode] **************************************************************
fatal: [localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: list object has no element 0\n\nThe error appears to be in '/Users/slallema/GIT/github.com/slallemand/devsecops-demo/bootstrap/roles/ocp4-post-acs/tasks/post_ci.yaml': line 68, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Get token in the secret for the sa pipeline and decode\n  ^ here\n"}

PLAY RECAP *********************************************************************************************************************************
localhost                  : ok=70   changed=6    unreachable=0    failed=1    skipped=3    rescued=0    ignored=0   

Anyway, I did try to start the pipeline with ./demo.sh start, but the pipeline is failing at the build-image task. I have these errors:

STEP-GEN-ENV-FILE

2022/10/05 13:03:28 warning: unsuccessful cred copy: ".docker" from "/tekton/creds" to "/": unable to create destination directory: mkdir /.docker: permission denied
UID uid=1001(1001) gid=0(root) groups=0(root),1000660000
Generated Env file
------------------------------
MAVEN_CLEAR_REPO=false
MAVEN_MIRROR_URL=http://nexus:8081/repository/maven-public/
------------------------------
STEP-GENERATE

2022/10/05 13:03:29 warning: unsuccessful cred copy: ".docker" from "/tekton/creds" to "/": unable to create destination directory: mkdir /.docker: permission denied
UID uid=1001(1001) gid=0(root) groups=0(root),1000660000
s2i build spring-petclinic/target image-registry.openshift-image-registry.svc:5000/openshift/java:11 --image-scripts-url image:///usr/local/s2i --as-dockerfile /gen-source/Dockerfile.gen --environment-file /env-params/env-file
STEP-BUILD

Error: error writing "0 0 4294967295\n" to /proc/29/uid_map: write /proc/29/uid_map: operation not permitted
level=error msg="error writing \"0 0 4294967295\\n\" to /proc/29/uid_map: write /proc/29/uid_map: operation not permitted"
level=error msg="(unable to determine exit status)"
STEP-PUSH-TAG

2022/10/05 13:03:31 Skipping step because a previous step failed
STEP-PUSH-LATEST

2022/10/05 13:03:32 Skipping step because a previous step failed

Could that be related to the install error? Any idea on that?

slallemand avatar Oct 05 '22 13:10 slallemand

Quick update: I tried on a 4.9 cluster without any issue, so it really should be related to 4.11.

slallemand avatar Oct 06 '22 12:10 slallemand

Hi @slallemand, OpenShift 4.11 uses version 1.24 of k8s, where several changes were introduced, such as the deprecation of PSP, and several major changes that also affect this demo. It works like a charm in versions below 4.11. We'll fix this repo ASAP in order to make the demo work in all versions.

Thanks for opening the issue!

rcarrata avatar Oct 30 '22 17:10 rcarrata

@rcarrata Just tested on OCP 4.11 cluster provisioned by RHDP (Red Hat Demo Platform) and the install script fails at:

TASK [ocp4-post-acs : Get token in the secret for the sa pipeline and decode] *************************************************************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: list object has no element 0\n\nThe error appears to be in '/Users/username/test-devsecops/devsecops-demo/bootstrap/roles/ocp4-post-acs/tasks/post_ci.yaml': line 68, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Get token in the secret for the sa pipeline and decode\n  ^ here\n"}

Any idea? There is no token_sa_pipeline_secret in the cicd namespace, only pipeline-token-xxxx.

fduthilleul avatar Jan 18 '23 15:01 fduthilleul

Everything works on the current version of ARO... Thanks

Client Version: 4.12.1
Kustomize Version: v4.5.7
Server Version: 4.10.54
Kubernetes Version: v1.23.12+8a6bfe4

fiiray avatar Apr 29 '23 12:04 fiiray

Any plans to fix this on OCP 4.11+?

waynedovey avatar Jun 22 '23 05:06 waynedovey

I've tested in ARO 4.12 and also in OCP on-prem 4.13 and worked for me without issues. Can you please describe your problem @waynedovey?

rcarrata avatar Jun 29 '23 13:06 rcarrata

Fixed and tested with the latest 4.13. Grabbing the pipeline-token directly instead of the pipeline sa.

Closing this issue.

rcarrata avatar Jul 10 '23 22:07 rcarrata
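
The failure reported in this thread (an empty secret lookup indexed at element 0) and the approach named in the closing comment can be illustrated as follows. This is an added example, not the repository's playbook code: it selects the token secret by its standard Kubernetes type and `kubernetes.io/service-account.name` annotation rather than through the service account object, and fails with a clear error when none exists. The function names, secret name suffixes and token value are constructed for illustration.

```python
import base64

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"


class TokenSecretNotFound(LookupError):
    """Raised up front instead of failing later with 'list object has no element 0'."""


def find_sa_token_secret(secret_list, sa_name):
    """Pick the token Secret for sa_name by type and annotation, not by name suffix."""
    matches = []
    for secret in secret_list.get("items", []):
        annotations = secret.get("metadata", {}).get("annotations") or {}
        if (secret.get("type") == SA_TOKEN_TYPE
                and annotations.get(SA_NAME_ANNOTATION) == sa_name
                and (secret.get("data") or {}).get("token")):
            matches.append(secret)
    if not matches:
        raise TokenSecretNotFound(f"no token secret for service account {sa_name!r}")
    # Several token secrets can exist; choose deterministically by name.
    return min(matches, key=lambda s: s["metadata"]["name"])


def decode_token(secret):
    """Secret data is base64-encoded; validate=True rejects malformed input."""
    return base64.b64decode(secret["data"]["token"], validate=True).decode("ascii")


def _secret(name, secret_type, sa_name, data):
    return {"metadata": {"name": name, "annotations": {SA_NAME_ANNOTATION: sa_name}},
            "type": secret_type, "data": data}


# Constructed sample in the shape of `oc get secrets -n cicd -o json`.
FAKE_TOKEN = base64.b64encode(b"constructed-not-a-real-token").decode()
SAMPLE_SECRETS = {"kind": "SecretList", "items": [
    _secret("pipeline-dockercfg-abcde", "kubernetes.io/dockercfg", "pipeline", {".dockercfg": "e30="}),
    _secret("builder-token-fghij", SA_TOKEN_TYPE, "builder", {"token": FAKE_TOKEN}),
    _secret("pipeline-token-abcde", SA_TOKEN_TYPE, "pipeline", {"token": FAKE_TOKEN}),
]}

if __name__ == "__main__":
    found = find_sa_token_secret(SAMPLE_SECRETS, "pipeline")
    print(found["metadata"]["name"], len(decode_token(found)))
```

Matching on the annotation keeps the lookup from picking up another service account's token, and the explicit exception surfaces a missing secret at the lookup step rather than at the decode step.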