gateway-resources service account missing imagePullSecrets #3862

Open
VladAlexF opened this issue Apr 3, 2024 · 2 comments
Labels
type/bug Something isn't working

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Overview of the Issue

consul-k8s/charts/consul/templates/gateway-resources-serviceaccount.yaml is missing imagePullSecrets, which breaks the usage of private docker registries, as the Gateway Resources Job cannot pull the consul-k8s-control-plane image from private registries without these secrets.
Note, other service accounts do include the imagePullSecrets, and therefore other pods can successfully pull from the private registry.

Reproduction Steps

  1. Run a helm install with the following values.yaml file:
global:
  imagePullSecrets: 
    - name: private-registry-pull-secret
  imageConsulDataplane: <private-dockerhub-proxy-cache>.com/dockerhub/hashicorp/consul-dataplane:latest
  imageK8S: <private-dockerhub-proxy-cache>.com/dockerhub/hashicorp/consul-k8s-control-plane:latest
  image: <private-dockerhub-proxy-cache>.com/dockerhub/hashicorp/consul:latest
  2. The <release-name>-gateway-resources job cannot launch containers, as it cannot pull the image from the private registry, due to missing imagePullSecrets on the service account the job uses.

Logs

The container cannot produce logs as it doesn't start, so Kubernetes events for the pod from the command kubectl -n consul describe pod consul-gateway-resources-2fz5z are provided:

Events:
  Type     Reason     Age                    From               Message
  ----     ------     ----                   ----               -------
  Normal   Scheduled  53m                    default-scheduler  Successfully assigned consul/consul-gateway-resources-2fz5z to k8s05
  Normal   Pulling    52m (x4 over 53m)      kubelet            Pulling image "<private-registry>.com/dockerhub/hashicorp/consul-k8s-control-plane:latest"
  Warning  Failed     52m (x4 over 53m)      kubelet            Failed to pull image "<private-registry>.com/dockerhub/hashicorp/consul-k8s-control-plane:latest": failed to pull and unpack image "<private-registry>.com/dockerhub/hashicorp/consul-k8s-control-plane:latest": failed to resolve reference "<private-registry>.com/dockerhub/hashicorp/consul-k8s-control-plane:latest": pull access denied, repository does not exist or may require authorization: authorization failed: no basic auth credentials
  Warning  Failed     52m (x4 over 53m)      kubelet            Error: ErrImagePull
  Warning  Failed     51m (x6 over 53m)      kubelet            Error: ImagePullBackOff
  Normal   BackOff    3m24s (x218 over 53m)  kubelet            Back-off pulling image "<private-registry>.com/dockerhub/hashicorp/consul-k8s-control-plane:latest"

Expected behavior

The helm install can successfully pull images from the private registry, and run the gateway-resources job.

Environment details

  • Kubernetes version: v1.29.3
  • Cluster: Self-hosted, built using kubeadm
@VladAlexF VladAlexF added the type/bug Something isn't working label Apr 3, 2024
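
A pre-install check for the gap reported above, added here as an example (not code from consul-k8s or from the issue author): it scans rendered manifests for ServiceAccounts that carry no imagePullSecrets entries. The function names are hypothetical and the manifests in `sample_manifests` are constructed for illustration.

```shell
# Added example: report ServiceAccounts in multi-document YAML (stdin) that
# have no imagePullSecrets entries. Assumes block-style lists as Helm renders them.
sa_missing_pull_secrets() {
  awk '
    function emit() {
      if (kind == "ServiceAccount" && name != "" && !has_secrets) print name
      kind = ""; name = ""; has_secrets = 0; section = ""
    }
    /^---/ { emit(); next }                    # document boundary
    /^[A-Za-z]/ { section = $1 }               # remember the current top-level key
    /^kind:/ { kind = $2 }
    section == "metadata:" && /^  name:/ { name = $2; gsub(/"/, "", name) }
    section == "imagePullSecrets:" && /^ *- *name:/ { has_secrets = 1 }
    END { emit() }
  '
}

# Constructed sample input, not real chart output.
sample_manifests() {
  cat <<'EOF'
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: consul-server
  namespace: consul
imagePullSecrets:
  - name: private-registry-pull-secret
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: consul-gateway-resources
  namespace: consul
---
apiVersion: batch/v1
kind: Job
metadata:
  name: consul-gateway-resources
spec:
  template:
    spec:
      serviceAccountName: consul-gateway-resources
EOF
}

sample_manifests | sa_missing_pull_secrets   # prints: consul-gateway-resources
```

Against a real chart, pipe the output of `helm template` (rendered with the same values.yaml) into `sa_missing_pull_secrets`.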

pawellegowski89 commented Apr 24, 2024

+1

pawellegowski89 commented Apr 25, 2024

Additionally, a similar problem occurs after adding the CR API Gateway if we have images in a private registry:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: api-gateway
  namespace: consul
spec:
  gatewayClassName: consul
  listeners:
  ...

Once you add it, it creates its own ServiceAccount and a deployment pointing to the ServiceAccount that invokes the pods of a given API Gateway. The above ServiceAccount is also missing imagePullSecrets.

The init container (consul-connect-inject-init) can't pull the image from the private registry.

Init Containers:
  consul-connect-inject-init:
    Container ID:
    Image:         <private-registry>/consul-k8s-control-plane:1.4.1
    Image ID:
    Port:          <none>
    Host Port:     <none>
    Command:
      /bin/sh
      -ec
      consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD_NAMESPACE} \
        -gateway-kind="api-gateway" \
        -log-json=false \
        -service-account-name="my-own-api-gateway" \
        -service-name="my-own-api-gateway"
    State:          Waiting
      Reason:       ImagePullBackOff
    Ready:          False

ServiceAccount -service-account-name="my-own-api-gateway" does not contain imagePullSecrets

Affected version consul chart: 1.18.1
