Breaking changes in latest package bundles for credential-provider-package #1024

Open
czomo opened this issue Nov 3, 2023 · 6 comments

czomo commented Nov 3, 2023

What happened:
Any version of the package bundle above v1-27-128 is not usable because of multiple issues. Should we keep those faulty packages in the registry? Is there any end2end test that could detect that in future?

| Tag | Type | Pushed | Image URI | Size | Result |
|---|---|---|---|---|---|
| v1-27-137 | other | 7 days ago | public.ecr.aws/eks-anywhere/...es-bundles:v1-27-137 | 60.8 KB | doesn't work, image of anywhere-package controller works fine, see log_1 |
| v1-27-134 | other | 14 days ago | public.ecr.aws/eks-anywhere/...es-bundles:v1-27-134 | 60.7 KB | faulty secret, probably because of helm chart |
| v1-27-130 | other | 17 days ago | public.ecr.aws/eks-anywhere/...es-bundles:v1-27-130 | 60.7 KB | wrong helm app version which is causing ImagePullBackOff for package controller and refresher, see log_2 |
| v1-27-129 | other | 17 days ago | public.ecr.aws/eks-anywhere/...es-bundles:v1-27-129 | 60.7 KB | wrong helm app version which is causing ImagePullBackOff for package controller and refresher, see log_2 |
| v1-27-128 | other | 2 months ago | public.ecr.aws/eks-anywhere/...es-bundles:v1-27-128 | | works fine |

log_1

```
2023-11-02T10:52:24.780Z    ECRCredInjector    Failed to inject ECR credential to docker config    {"error": "operation error ECR: GetAuthorizationToken, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, static credentials are empty"}
github.com/aws/eks-anywhere-packages/pkg/registry.(*ECRCredInjector).Run
    github.com/aws/eks-anywhere-packages/pkg/registry/ecr_cred_injector.go:56
```

log_2

```
eksa-packages  eks-anywhere-packages             8        failed    eks-anywhere-packages-0.0.0-8862036270224f2a6b8d6ecd455b6b1fa1084619              v0.0.0-8862036270224f2a6b8d6ecd455b6b1fa1084619    
```

What you expected to happen:
eks-anywhere-packages shouldn't be published with such breaking changes
How to reproduce it (as minimally and precisely as possible):

1. Using 0.17.4 eks-anywhere install k8s 1.27 using tinkerbell provider
2. Create eks-anywhere role along with anchor, follow https://anywhere.eks.amazonaws.com/docs/packages/credential-provider-package/iam_roles_anywhere/#prerequisites
3. Create aws-config secret in eks-packages ns

   ```
   [default]
   region = eu-west-1
   credential_process = aws_signing_helper credential-process --certificate /var/lib/kubelet/pki/kubelet-client-current.pem --private-key /var/lib/kubelet/pki/kubelet-client-current.pem --profile-arn $PROFILE_ARN --role-arn $ROLE_ARN --trust-anchor-arn $TRUST_ANCHOR_ARN
   ```
4. Add package to download from private ECR registry

   ```yaml
   apiVersion: packages.eks.amazonaws.com/v1alpha1
   kind: Package
   metadata:
     name: my-credential-provider-package
     namespace: eksa-packages-eksa
     annotations:
       "helm.sh/resource-policy": keep
       "anywhere.eks.aws.com/internal": "true"
   spec:
     packageName: credential-provider-package
     targetNamespace: eksa-packages
     config: |-
       tolerations:
         - key: "node-role.kubernetes.io/master"
           operator: "Exists"
           effect: "NoSchedule"
         - key: "node-role.kubernetes.io/control-plane"
           operator: "Exists"
           effect: "NoSchedule"
       sourceRegistry: public.ecr.aws/eks-anywhere
       credential:
         - matchImages:
           - 000000000000.dkr.ecr.eu-west-2.amazonaws.com
           profile: "default"
           secretName: aws-config
           defaultCacheDuration: "12h"
   ```
5. Verify you have latest version of packagebundle in packagebundlecontroller
6. Create pod with image from 000000000000.dkr.ecr.eu-west-2.amazonaws.com registry
7. ImagePullBackOff should be logged from kubelet

Anything else we need to know?:
We also checked the latest v1-28 with k8s 1.28 and it also experiences the same issues as v1-27-137

Environment: k8s 1.27, tinker provisioner with bare bone nodes, ubuntu 22.04 ami

  • EKS Anywhere Release: 0.17.4
  • EKS Distro Release: -
@czomo czomo added the bug Something isn't working label Nov 3, 2023
@chrisdoherty4
Contributor

Thanks for the report @czomo. We're aware of the problem and will fix asap.

@czomo
Author

czomo commented Mar 1, 2024

@chrisdoherty4 Any update from your side? It's not working on v1-27-142, nor on any of the 1.28-*.

@joeto0

joeto0 commented Apr 16, 2024

Is that fixed? We are hitting the same behavior with 1.28.7.

@mitalipaygude
Member

Can you confirm the OS you are using @joeto0 ? Is it Bottlerocket?

Also, @czomo can you confirm the OS you are using as well? It's Ubuntu, right?

@joeto0

joeto0 commented Apr 25, 2024 via email

@czomo
Author

czomo commented Apr 25, 2024

> Also, @czomo can you confirm the OS you are using as well? It's Ubuntu, right?

Yes, Ubuntu.
We found out that in our case the hostPath was faulty; for now we have stopped using packages in favour of a predefined daemonset.

```yaml
- hostPath:
    path: /etc/sysconfig/kubelet
    type: FileOrCreate
```
