Portainer service account not found
App Name
Portainer
Operating System
TrueNAS SCALE 23.10.1
App Version
2.19.4
Application Events
History
Related Kubernetes Events
No events are available.
Application Logs
2024-01-13 10:46:52.998831+02:002024/01/13 08:46AM INF main.go:448 > encryption key file not present | filename=portainer
2024-01-13 10:46:52.998888+02:002024/01/13 08:46AM INF main.go:482 > proceeding without encryption key |
2024-01-13 10:46:52.998924+02:002024/01/13 08:46AM INF github.com/portainer/portainer-ee/api/database/boltdb/db.go:125 > loading PortainerDB | filename=portainer.db
2024-01-13 10:46:53.092006+02:002024/01/13 08:46AM INF github.com/portainer/portainer-ee/api/cloud/cluster_setup.go:94 > starting cloud cluster setup service |
2024-01-13 10:46:53.096681+02:002024/01/13 08:46AM INF github.com/portainer/portainer-ee/api/chisel/service.go:198 > Found Chisel private key file on disk | private-key=/data/chisel/private-key.pem
2024-01-13 10:46:53.096804+02:002024/01/13 08:46:53 server: Reverse tunnelling enabled
2024-01-13 10:46:53.096841+02:002024/01/13 08:46:53 server: Fingerprint kIl/lvDSLcZvxlCWqSzBrONLmRmuF+uWrP7Nkj1tjmc=
2024-01-13 10:46:53.097228+02:002024/01/13 08:46:53 server: Listening on http://0.0.0.0:10401
2024-01-13 10:46:53.709191+02:002024/01/13 08:46AM INF main.go:797 > starting Portainer | build_number=35427 go_version=1.20.5 image_tag=linux-amd64-2.19.4 nodejs_version=18.19.0 version=2.19.4 webpack_version=5.88.1 yarn_version=1.22.21
2024-01-13 10:46:53.718614+02:002024/01/13 08:46AM INF github.com/portainer/portainer-ee/api/http/server.go:450 > starting HTTPS server | bind_address=:9443
2024-01-13 11:04:50.788285+02:002024/01/13 09:04:50 server: ignored client connection using protocol '', expected 'chisel-v3'
2024-01-13 11:22:12.375711+02:00{"time":1705137732,"message":"websocketproxy: Error when copying from backend to client: websocket: close 1006 (abnormal closure): unexpected EOF"}
2024-01-13 11:22:21.985017+02:00{"time":1705137741,"message":"websocketproxy: Error when copying from backend to client: websocket: close 1006 (abnormal closure): unexpected EOF"}
Application Configuration
Main Ingress
Enable Ingress
Integrations
Traefik
enabled
certManager
enabled (and working)
Describe the bug
Portainer has a built-in functionality for kubectl shell - in browser. This uses websockets to connect.
With the current app/chart version it does not work, it opens and then closes immediately.
I investigated and found out what the error is:
{"message":"Unable to find serviceaccount associated with user","details":"serviceaccounts \"portainer-sa-clusteradmin\" not found"}
It seems that the configuration of portainer expects this name as serviceaccount name, see also their agent chart installation and official chart configuration for serviceAccount.name.
Can we rename the serviceaccount of the chart to match with what portainer expects or make it configurable?
Thank you! R
To Reproduce
Open portainer and click on local k8s cluster and then on >_ kubectl shell
Expected Behavior
Shell works and stays connected on screen.
Screenshots
Additional Context
I thought it's a problem with the websockets headers in traefik, but the same behaviour happens when accessing portainer through the pod app port, so it's unrelated.
I've read and agree with the following
- [X] I've checked all open and closed issues and my issue is not there.
Even if we update the name of the SA, it won't work, at least on TN Scale.
Portainer can only work correctly when it is deployed in the portainer namespace.
And on TN Scale all NS are prefixed with ix-.
https://github.com/portainer/portainer/issues/5156#issuecomment-857325863
Given that helm users can change the SA name, this is low prio.
Thank you for the quick answer. What if we could change the config of portainer to assume the SA with name ‘portainer’ instead? I just couldn’t find the option for this…
Also, is this name in the common chart? Or can we add it just for the portainer chart? I can try to make it work and send a PR if it’s welcome.
Thank you!
As the linked comment above says, it's all hardcoded currently. Even if the name matches, it will still try to look in the wrong namespace.
The name is in the portainer chart. But with the current design of the naming generation on the common, it would need a "hack".
But backtracking a bit. I just installed portainer to check things out. The fact that it displays namespaces/configmaps/secrets etc. means that it can see and use the ServiceAccount. The RBAC is tied to the SA, so without the SA it wouldn't be able to see any of those.
That being said, portainer's examples seem to suggest to use the built-in cluster-admin role.
We don't use that but we use a fully open ClusterRole https://github.com/truecharts/charts/blob/0686815ab807921bfe6b47fd0cefa6d6ebbff361/charts/stable/portainer/values.yaml#L27-L34
Which is tied to the service account.
So unless we miss some specific setting, I'm not sure what we should do. And I don't think starting to change names around is a good idea, unless the issue is pinpointed first.
Ok, I can investigate first and see what change makes it work.
Looking in the source code of portainer, it seems indeed hardcoded, but then... why is it configurable in their helm chart?
https://github.com/portainer/portainer/blob/067a7d148f2a71796420e9a5026d8d876a3fb745/api/kubernetes/cli/naming.go#L9-L12 https://github.com/portainer/portainer/blob/develop/api/kubernetes/cli/service_account.go#L22
if they would allow those to be configurable via CLI, we could override them, right? What other options do we have?
As a workaround, I deployed this via fluxcd to my (k3s / TN Scale) cluster and everything works now, including the shell functionality, even though portainer is deployed as a TrueCharts App.
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: portainer
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: portainer-sa-clusteradmin
  namespace: portainer
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: portainer-crb-clusteradmin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: portainer-sa-clusteradmin
    namespace: portainer
---
```
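As an added check (example code, not from the thread, the TrueCharts chart or Portainer), the script below takes the JSON that `kubectl get sa,clusterrolebinding -A -o json` produces and reports whether the ServiceAccount name and namespace that Portainer's kubectl shell looks up (the hardcoded values quoted in this thread) exist, which ClusterRole they are bound to, and any similarly named SA in another namespace such as the `ix-` prefixed one TrueNAS SCALE creates. The embedded sample is constructed to mirror such an install next to the workaround objects above.

```python
import json

# Names the thread reports Portainer's kubectl-shell code looks up
# (api/kubernetes/cli/naming.go); treated here as the values to verify against.
EXPECTED_SA_NAME = "portainer-sa-clusteradmin"
EXPECTED_SA_NAMESPACE = "portainer"

# Constructed sample in the shape of `kubectl get sa,clusterrolebinding -A -o json`:
# a TrueNAS SCALE style SA "portainer" in "ix-portainer" plus the workaround objects.
SAMPLE_KUBECTL_JSON = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "ServiceAccount",
         "metadata": {"name": "portainer", "namespace": "ix-portainer"}},
        {"kind": "ServiceAccount",
         "metadata": {"name": "portainer-sa-clusteradmin", "namespace": "portainer"}},
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "portainer-crb-clusteradmin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount",
                       "name": "portainer-sa-clusteradmin", "namespace": "portainer"}]},
    ],
})


def check_portainer_sa(kubectl_json):
    """Report whether the SA Portainer expects exists and which ClusterRoles bind it."""
    items = json.loads(kubectl_json).get("items", [])
    sas = {(i["metadata"]["namespace"], i["metadata"]["name"])
           for i in items if i.get("kind") == "ServiceAccount"}
    result = {"sa_present": (EXPECTED_SA_NAMESPACE, EXPECTED_SA_NAME) in sas,
              "bound_roles": [], "near_misses": []}
    # SAs named like portainer's but in another namespace/name (e.g. ix- prefix) will
    # not be found by Portainer; list them so the mismatch is obvious.
    for ns, name in sorted(sas):
        if "portainer" in name and (ns, name) != (EXPECTED_SA_NAMESPACE, EXPECTED_SA_NAME):
            result["near_misses"].append(f"{ns}/{name}")
    for i in items:
        if i.get("kind") != "ClusterRoleBinding":
            continue
        for s in i.get("subjects", []):
            if (s.get("kind") == "ServiceAccount" and s.get("name") == EXPECTED_SA_NAME
                    and s.get("namespace") == EXPECTED_SA_NAMESPACE):
                result["bound_roles"].append(i["roleRef"]["name"])
    # The workaround grants the built-in cluster-admin role; flag it for review.
    result["grants_cluster_admin"] = "cluster-admin" in result["bound_roles"]
    return result

if __name__ == "__main__":
    print(json.dumps(check_portainer_sa(SAMPLE_KUBECTL_JSON), indent=2))
```

To run it against a live cluster, pipe the real `kubectl ... -o json` output into `check_portainer_sa` instead of the constructed sample.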
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. Thank you for your contributions.
This issue has been automatically closed due to inactivity. Please re-open if this still requires investigation.