cloud-native-toolkit/iascable

Running iascable against an existing cluster terminates okay but with error messages.

aairom opened this issue · 0 comments

I applied our watson-bom against an empty ROKS cluster (https://github.ibm.com/isv-assets/watson-boms).
Everything seems to be working fine at the end, but I get a long list of errors related to Tekton.

Warning: Attribute Deprecated

│ with module.argocd-bootstrap.module.bootstrap.random_string.suffix,
│ on .terraform/modules/argocd-bootstrap.bootstrap/main.tf line 12, in resource "random_string" "suffix":
│ 12: number = true

NOTE: This is deprecated, use numeric instead.

│ (and 6 more similar warnings elsewhere)


│ Error: local-exec provisioner error

│ with module.argocd-bootstrap.module.openshift_cicd.module.pipelines.null_resource.tekton_operator_helm,
│ on .terraform/modules/argocd-bootstrap.openshift_cicd.pipelines/main.tf line 87, in resource "null_resource" "tekton_operator_helm":
│ 87: provisioner "local-exec" {

│ Error running command '.terraform/modules/argocd-bootstrap.openshift_cicd.pipelines/scripts/deploy-helm.sh 'openshift-operators' 'tekton'
│ '.terraform/modules/argocd-bootstrap.openshift_cicd.pipelines/chart/tekton'': exit status 1. Output: WARNING: Kubernetes configuration file is group-readable. This is insecure.
│ Location: /terraform/cluster-with-watson-nlp/terraform/.tmp/.kube/config
│ WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /terraform/cluster-with-watson-nlp/terraform/.tmp/.kube/config
│ ---
│ # Source: tekton/charts/tool-config/templates/secret.yaml
│ apiVersion: v1
│ kind: Secret
│ metadata:
│ name: tekton-access
│ namespace: openshift-operators
│ labels:
│ helm.sh/chart: tool-config-0.13.0
│ app: tekton
│ release: "tekton"
│ app.kubernetes.io/part-of: tekton
│ app.kubernetes.io/component: "tools"
│ group: "catalyst-tools"
│ grouping: "garage-cloud-native-toolkit"
│ app.kubernetes.io/name: tekton
│ app.kubernetes.io/instance: "tekton"
│ app.kubernetes.io/version: "1.0"
│ app.kubernetes.io/managed-by: Helm
│ annotations:
│ description: Secret to hold the username and password for tekton so that other components can access it
│ type: Opaque
│ stringData:
│ TEKTON_URL: "https:///k8s/all-namespaces/tekton.devv1alpha1Pipeline"
│ url: "https:///k8s/all-namespaces/tekton.devv1alpha1Pipeline"
│ ---
│ # Source: tekton/charts/tool-config/templates/config-map.yaml
│ apiVersion: v1
│ kind: ConfigMap
│ metadata:
│ name: tekton-config
│ namespace: openshift-operators
│ labels:
│ console-link.cloud-native-toolkit.dev/enabled: "false"
│ helm.sh/chart: tool-config-0.13.0
│ app: tekton
│ release: "tekton"
│ app.kubernetes.io/part-of: tekton
│ app.kubernetes.io/component: "tools"
│ group: "catalyst-tools"
│ grouping: "garage-cloud-native-toolkit"
│ app.kubernetes.io/name: tekton
│ app.kubernetes.io/instance: "tekton"
│ app.kubernetes.io/version: "1.0"
│ app.kubernetes.io/managed-by: Helm
│ annotations:
│ description: Config map to hold the url for tekton in the environment so that other components can access it
│ console-link.cloud-native-toolkit.dev/section: "Cloud-Native Toolkit"
│ console-link.cloud-native-toolkit.dev/location: ApplicationMenu
│ console-link.cloud-native-toolkit.dev/displayName: Tekton
│ console-link.cloud-native-toolkit.dev/imageUrl: "https://dashboard-tools.aam-eu-gb-2-162e406f043e20da9b0ef0731954a894-0000.eu-gb.containers.appdomain.cloud/tools/icon/tekton"
│ data:
│ url: "https:///k8s/all-namespaces/tekton.devv1alpha1Pipeline"
│ TEKTON_URL: "https:///k8s/all-namespaces/tekton.devv1alpha1Pipeline"
│ ---
│ # Source: tekton/charts/tekton-operator/templates/subscription.yaml
│ apiVersion: operators.coreos.com/v1alpha1
│ kind: Subscription
│ metadata:
│ name: openshift-pipelines-operator-rh
│ namespace: openshift-operators
│ labels:
│ helm.sh/chart: tekton-operator-0.3.2
│ app.kubernetes.io/name: tekton
│ app.kubernetes.io/instance: tekton
│ app.kubernetes.io/version: "1.18.0"
│ created-by: "tekton-05fcjy6it0t3leg3"
│ app.kubernetes.io/managed-by: Helm
│ spec:
│ channel: stable
│ installPlanApproval: Automatic
│ name: openshift-pipelines-operator-rh
│ source: redhat-operators
│ sourceNamespace: openshift-marketplace
│ ---
│ # Source: tekton/charts/tekton-operator/templates/post-install-hook.yaml
│ apiVersion: v1
│ kind: ServiceAccount
│ metadata:
│ name: tekton-webhook-test
│ labels:
│ helm.sh/chart: tekton-operator-0.3.2
│ app.kubernetes.io/name: tekton
│ app.kubernetes.io/instance: tekton
│ app.kubernetes.io/version: "1.18.0"
│ created-by: "tekton-05fcjy6it0t3leg3"
│ app.kubernetes.io/managed-by: Helm
│ annotations:
│ "helm.sh/hook": post-install,post-upgrade
│ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
│ ---
│ # Source: tekton/charts/tekton-operator/templates/post-install-hook.yaml
│ apiVersion: batch/v1
│ kind: Job
│ metadata:
│ name: tekton-webhook-test
│ labels:
│ helm.sh/chart: tekton-operator-0.3.2
│ app.kubernetes.io/name: tekton
│ app.kubernetes.io/instance: tekton
│ app.kubernetes.io/version: "1.18.0"
│ created-by: "tekton-05fcjy6it0t3leg3"
│ app.kubernetes.io/managed-by: Helm
│ annotations:
│ "helm.sh/hook": post-install,post-upgrade
│ "helm.sh/hook-delete-policy": before-hook-creation
│ spec:
│ ttlSecondsAfterFinished: 300
│ template:
│ spec:
│ serviceAccountName: tekton-webhook-test
│ initContainers:
│ - name: wait-for-tekton-webhook
│ image: quay.io/ibmgaragecloud/alpine-curl
│ imagePullPolicy: IfNotPresent
│ env:
│ - name: URL
│ value: http://tekton-pipelines-webhook.openshift-pipelines.svc:8080
│ command: ["sh"]
│ args:
│ - "-c"
│ - "count=0; until curl -Iskf ${URL} || [[ $count -eq 20 ]]; do echo ">>> waiting for ${URL}"; sleep 90; count=$((count + 1)); done; if [[ $count -eq 20 ]]; then echo "Timeout"; exit 1; else echo ">>> Started"; fi"
│ containers:
│ - name: tekton-webhook-started
│ image: quay.io/ibmgaragecloud/alpine-curl
│ imagePullPolicy: Always
│ env:
│ - name: URL
│ value: http://tekton-pipelines-webhook.openshift-pipelines.svc:8080
│ command: ["sh"]
│ args:
│ - "-c"
│ - "curl -Iskf ${URL}"
│ restartPolicy: Never
│ backoffLimit: 1
│ WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /terraform/cluster-with-watson-nlp/terraform/.tmp/.kube/config
│ WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /terraform/cluster-with-watson-nlp/terraform/.tmp/.kube/config
│ Release "tekton" does not exist. Installing it now.
│ W1017 13:16:18.101556 12481 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "wait-for-tekton-webhook",
│ "tekton-webhook-started" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "wait-for-tekton-webhook", "tekton-webhook-started"
│ must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "wait-for-tekton-webhook", "tekton-webhook-started" must set
│ securityContext.runAsNonRoot=true), seccompProfile (pod or containers "wait-for-tekton-webhook", "tekton-webhook-started" must set securityContext.seccompProfile.type to
│ "RuntimeDefault" or "Localhost")
│ Error: failed post-install: timed out waiting for the condition
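
Added example (not part of the original issue and not the project's own code): a small checker that re-implements the four PodSecurity "restricted" checks named in the warning above and runs them against the `tekton-webhook-test` Job's pod spec as rendered in the log, then against a hardened form. Both specs are constructed here as plain dicts; the hardened values are an assumption taken from the settings the warning says must be present.

```python
# Added example: re-implements only the four checks the PodSecurity warning lists.
# It is not the Kubernetes admission code and ignores every other restricted rule.

def restricted_violations(pod_spec):
    """Return sorted (container, check) pairs that the warning would flag."""
    pod_sc = pod_spec.get("securityContext", {})
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    found = []
    for c in containers:
        sc = c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append((c["name"], "allowPrivilegeEscalation"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            found.append((c["name"], "capabilities.drop"))
        # A container-level value wins; otherwise the pod-level value applies.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append((c["name"], "runAsNonRoot"))
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append((c["name"], "seccompProfile"))
    return sorted(found)

# Constructed from the Job template in the log: no securityContext is set anywhere.
JOB_AS_LOGGED = {
    "serviceAccountName": "tekton-webhook-test",
    "initContainers": [{"name": "wait-for-tekton-webhook"}],
    "containers": [{"name": "tekton-webhook-started"}],
}

# Assumed hardened form, using exactly the settings the warning asks for.
CONTAINER_SC = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}
JOB_HARDENED = {
    "serviceAccountName": "tekton-webhook-test",
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "initContainers": [{"name": "wait-for-tekton-webhook",
                        "securityContext": CONTAINER_SC}],
    "containers": [{"name": "tekton-webhook-started",
                    "securityContext": CONTAINER_SC}],
}

if __name__ == "__main__":
    for name, check in restricted_violations(JOB_AS_LOGGED):
        print(f"{name}: {check}")
    print("hardened:", restricted_violations(JOB_HARDENED) or "no violations")
```

The log shows PodSecurity only warning ("would violate") rather than rejecting the pod, so clearing these findings does not by itself account for the `failed post-install` timeout.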