alphagov/gsp

Failing to apply cert-manager-creds.yaml

Closed this issue · 3 comments

Hey folks,

I'm trying to evaluate this for NLC by installing it on my local machine (Ubuntu). I'm getting the following error when running through the setup:

error: error validating "/tmp/tmp.RUJmDh0Gyn/gsp-cluster/templates/00-aws-auth/cert-manager-crds.yaml": error validating data: ValidationError(CustomResourceDefinition.spec.validation.openAPIV3Schema.properties.spec.properties.solver.properties.dns01.properties.webhook.properties.config): unknown field "x-kubernetes-preserve-unknown-fields" in io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps; if you choose to ignore these errors, turn validation off with --validate=false

I think I'm possibly missing some AWS config stuff but not sure why that's required for a local instance. I've followed the instructions found on https://github.com/alphagov/gsp/blob/master/docs/gds-supported-platform/getting-started-gsp-local.md with a minor change to gsp-local.sh to run on Linux (vm-driver to kvm2).

Any help would be greatly appreciated.

Hi,

Looks like this might be specifically related to this issue on cert-manager?

Unfortunately, we're currently in the process of retiring this local implementation of GSP as it turned out that maintaining something that runs outside of AWS had limited utility given GSP relies on a bunch of AWS stuff.

We're currently in the process of replacing this with something that spins up ephemeral clusters within AWS. It should be working now, however, we've not written any documentation around it and it requires having a Concourse running somewhere. I suspect it might make it not particularly useful for you?

Either way, I've just hacked some fixes into this branch which hopefully should spin up a cluster cleanly (I tested it on macOS but I think it should also be fine on Linux).

Sam

Great! That makes a lot of sense. I can get a bit further in setting up a local cluster but it looks like I might be best setting this up in AWS.

For reference the next issue is:

serviceaccount/istio-init-service-account unchanged
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "attributemanifest" in version "config.istio.io/v1alpha2"
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "attributemanifest" in version "config.istio.io/v1alpha2"
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "instance" in version "config.istio.io/v1alpha2"
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "instance" in version "config.istio.io/v1alpha2"
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "instance" in version "config.istio.io/v1alpha2"
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "instance" in version "config.istio.io/v1alpha2"
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "instance" in version "config.istio.io/v1alpha2"
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "instance" in version "config.istio.io/v1alpha2"
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "instance" in version "config.istio.io/v1alpha2"
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "instance" in version "config.istio.io/v1alpha2"
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "handler" in version "config.istio.io/v1alpha2"
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "rule" in version "config.istio.io/v1alpha2"
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "rule" in version "config.istio.io/v1alpha2"
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "rule" in version "config.istio.io/v1alpha2"
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "rule" in version "config.istio.io/v1alpha2"
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "handler" in version "config.istio.io/v1alpha2"
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "rule" in version "config.istio.io/v1alpha2"
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "rule" in version "config.istio.io/v1alpha2"
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "instance" in version "config.istio.io/v1alpha2"
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "DestinationRule" in version "networking.istio.io/v1alpha3"
unable to recognize "/tmp/tmp.vTUXH46VDs/gsp-istio/charts/istio/charts/mixer/templates/config.yaml": no matches for kind "DestinationRule" in version "networking.istio.io/v1alpha3"
💻  [Apply attempt #3] Failed to apply /tmp/tmp.vTUXH46VDs/gsp-istio/. Retrying in 10s...

Is there a full set of documentation on how to start setting up GSP on AWS? If not, I'm happy to help contribute to that.

I guess this can be closed now.

There's some kind of eventually consistent application of CRDs going on here. The Istio Helm chart has some jobs which create additional CRDs outside of the kubectl apply of the chart—for a period of time resources that are required won't be available. If you let this run for a bit longer it should successfully converge.

Turns out we do have some documentation for spinning up GSP clusters on AWS but it still relies on a Concourse that is operated by GDS.

I'm not sure if this will be useful for you, but let us know if you'd like any more pointers.
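
The two failures quoted in this thread behave differently under retry, shown here as an added example that is not part of the thread or the GSP repository: "no matches for kind" clears once the chart's jobs have registered the CRDs, while the client-side validation error is deterministic for a given kubectl and manifest. The function names and the shortened sample lines are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not GSP code): classify captured `kubectl apply` output so a
# retry loop only retries errors that can converge on their own.

# Constructed samples, shortened from the output quoted in this thread.
SAMPLE_TRANSIENT='serviceaccount/istio-init-service-account unchanged
unable to recognize "config.yaml": no matches for kind "attributemanifest" in version "config.istio.io/v1alpha2"
unable to recognize "config.yaml": no matches for kind "attributemanifest" in version "config.istio.io/v1alpha2"
unable to recognize "config.yaml": no matches for kind "instance" in version "config.istio.io/v1alpha2"
unable to recognize "config.yaml": no matches for kind "DestinationRule" in version "networking.istio.io/v1alpha3"'

SAMPLE_FATAL='error: error validating "cert-manager-crds.yaml": error validating data: ValidationError(CustomResourceDefinition.spec.validation.openAPIV3Schema): unknown field "x-kubernetes-preserve-unknown-fields" in io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps'

# missing_kinds: read apply output on stdin and print the deduplicated
# "kind apiVersion" pairs that the API server does not serve yet.
missing_kinds() {
  sed -n 's/.*no matches for kind "\([^"]*\)" in version "\([^"]*\)".*/\1 \2/p' | sort -u
}

# classify_apply_output: read apply output on stdin and print one of
#   fatal - a validation error is present; the same apply will fail again
#   retry - only "no matches for kind" errors; the CRDs may not be registered yet
#   ok    - neither error pattern found
classify_apply_output() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'error validating'; then
    echo fatal
  elif printf '%s\n' "$out" | grep -q 'no matches for kind'; then
    echo retry
  else
    echo ok
  fi
}

# Demo on the constructed samples.
printf 'transient sample: %s\n' "$(printf '%s\n' "$SAMPLE_TRANSIENT" | classify_apply_output)"
printf 'fatal sample:     %s\n' "$(printf '%s\n' "$SAMPLE_FATAL" | classify_apply_output)"
printf 'kinds still missing:\n'
printf '%s\n' "$SAMPLE_TRANSIENT" | missing_kinds
```

A retry loop would stop on `fatal` and keep waiting on `retry`, using the `missing_kinds` list to show which CRDs are still outstanding.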