sighupio/gatekeeper-policy-manager

Constrainttemplates returns 500 on new install

chrisbsmith opened this issue · 11 comments

When first loading a new environment for gatekeeper and gatekeeper policy manager, when I browse to /constrainttemplates I receive the following error:

[2021-11-17 22:11:37,619] ERROR: Exception on /constrainttemplates/ [GET]
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 2070, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1515, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1513, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1499, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
  File "/app/app.py", line 152, in decorated_function
    return f(*args, **kwargs)
  File "/app/app.py", line 376, in get_constrainttemplates
    return render_template(
  File "/usr/local/lib/python3.9/site-packages/flask/templating.py", line 147, in render_template
    return _render(
  File "/usr/local/lib/python3.9/site-packages/flask/templating.py", line 128, in _render
    rv = template.render(context)
  File "/usr/local/lib/python3.9/site-packages/jinja2/environment.py", line 1304, in render
    self.environment.handle_exception()
  File "/usr/local/lib/python3.9/site-packages/jinja2/environment.py", line 925, in handle_exception
    raise rewrite_traceback_stack(source=source)
  File "/app/templates/constrainttemplates.html", line 7, in top-level template code
    {% extends "base.html" %}
  File "/app/templates/base.html", line 80, in top-level template code
    {% block content %}{% endblock %}
  File "/app/templates/constrainttemplates.html", line 68, in block 'content'
    {% for property, value in constrainttemplate.spec.crd.spec.validation.openAPIV3Schema.properties.items() %}
  File "/usr/local/lib/python3.9/site-packages/jinja2/environment.py", line 474, in getattr
    return getattr(obj, attribute)
jinja2.exceptions.UndefinedError: 'dict object' has no attribute 'properties'

Even after loading a few constraint templates, I still have the same error.

I do have valid information on the /constraints page however.

I'm running the following in minikube:

  • openpolicyagent/gatekeeper:v3.5.2
  • quay.io/sighup/gatekeeper-policy-manager:v0.5.0

Minikube version

Client Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.2", GitCommit:"8b5a19147530eaac9476b0ab82980b4088bbc1b2", GitTreeState:"clean", BuildDate:"2021-09-15T21:31:32Z", GoVersion:"go1.16.8", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.1", GitCommit:"5e58841cce77d4bc13713ad2b91fa0d961e69192", GitTreeState:"clean", BuildDate:"2021-06-22T04:47:11Z", GoVersion:"go1.16.4", Compiler:"gc", Platform:"linux/amd64"}

Hi @chrisbsmith! Any chance of getting a sample of the templates you are using?

Even though I get what is failing and a fix, I'm curious to understand how you got into that situation. I would like to replicate it locally.

Thanks!

Hi @ralgozino, thanks for looking into this more.

I deployed GPM using the code from this repo, which I know isn't your helm chart. I got to the repo from this blog.

In short, this is the template that I used to install.

When I installed with kubectl apply -k . from the root of this repo I got the same error.

I'm happy to do any more debugging if you need more. Thanks again!

Thanks for the details @chrisbsmith

I've deployed GPM v0.5.0 from our official manifests and then deployed the constraint templates from the repo you linked and I can't replicate the error:
image

All the constraint templates are visible.

The error you are getting is triggered by a constraint template having a defined field spec.crd.spec.validation, but none of the ones linked seems to have it.

You can see that we are checking for that field before trying to show the parameters here in this line. But somehow the constraint templates in your cluster have an empty or badly-formed spec.crd.spec.validation field, which triggers the error. I wonder why though.

I have pushed a little modification to consider this edge case, could you please try changing to the unstable tag for gatekeeper-policy-manager docker image and tell me if now it works for you?

Thanks!
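An added example, not part of the thread and not the project's code: a stand-alone check that walks the same path the failing template line uses (spec.crd.spec.validation.openAPIV3Schema.properties) and reports which ConstraintTemplates define `validation` without a usable `properties` mapping. The template objects, their names and the helper functions are constructed for illustration.

```python
# Path the failing Jinja2 line dereferences, taken from the traceback above.
SCHEMA_PATH = ("spec", "crd", "spec", "validation", "openAPIV3Schema", "properties")

def walk(obj, path):
    """Follow path through nested dicts; return (value, None) or (None, failing_key)."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None, key
        obj = obj[key]
    return obj, None

def schema_properties(template):
    """Parameter schema of a template, or {} when any level is absent or malformed."""
    value, _ = walk(template, SCHEMA_PATH)
    return value if isinstance(value, dict) else {}

def audit(templates):
    """Map template name -> reason for templates that define `validation`
    but lack a usable openAPIV3Schema.properties mapping."""
    findings = {}
    for t in templates:
        name = t.get("metadata", {}).get("name", "<unnamed>")
        validation, missing = walk(t, SCHEMA_PATH[:4])
        if missing is not None:
            continue  # no validation block at all: nothing to render
        props, missing = walk(validation, SCHEMA_PATH[4:])
        if missing is not None:
            findings[name] = f"validation present but '{missing}' is missing"
        elif not isinstance(props, dict):
            findings[name] = "properties is not a mapping"
    return findings

def ct(name, crd_spec):
    """Build a constructed ConstraintTemplate dict (sample data, not real cluster output)."""
    return {"kind": "ConstraintTemplate", "metadata": {"name": name},
            "spec": {"crd": {"spec": crd_spec}}}

SAMPLES = [  # constructed inputs covering the well-formed and the edge cases
    ct("k8srequiredlabels", {"validation": {"openAPIV3Schema": {
        "properties": {"labels": {"type": "array"}}}}}),
    ct("k8snoparams", {"names": {"kind": "K8sNoParams"}}),
    ct("k8semptyschema", {"validation": {"openAPIV3Schema": {"type": "object"}}}),
    ct("k8semptyvalidation", {"validation": {}}),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLES).items():
        print(f"{name}: {reason}")
```

Against a real cluster, the same functions can be fed the `items` list from `kubectl get constrainttemplates -o json` after loading it with `json.load`.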

Thanks for the quick turnaround @ralgozino! Your update seems to have resolved the issue I was seeing.

Now, when I remove all the templates, I get the following screen
image

And when I add templates back in, I get the same screen as the one you pasted above.

Awesome! Thanks for the feedback @chrisbsmith!

I'll go ahead and close the issue. Feel free to let us know if you find any other issue or send us your suggestions :-)

Any idea @ralgozino when the change will get incorporated into a release?

No ETA, we cut a new release when we have some "substance".

Right now this is the first bugfix and we have only updated some minor dependencies, so I don't think we'll do one "soon".

Makes sense. I'll stick to the unstable tag for now while we're evaluating and watch for release updates.

Thanks again!

@ralgozino I just found this thread and was able to resolve the same issue by pulling the unstable image.
I am using constraint templates directly from https://github.com/open-policy-agent/gatekeeper-library

Would you please consider releasing a patch with this fix?
I'd like to use your tool, but cannot continue using an "unstable" image in my org.

Thank you!

--
PS - sorry for posting on the wrong issue before.... I reactivated my GH to post and got lost in tabs...

Hi @almynamswertakn
Could you please tell me what version of Gatekeeper you are using? I could not replicate the problem even with GPM v0.5.0

@chrisbsmith @almynamswertakn FYI: we've just released v0.5.1 that includes this bugfix.
Let us know if you find any other issue :)