Unable to deploy app to OCP with Knative #646

Open
tam512 opened this issue Oct 29, 2024 · 10 comments
tam512 commented Oct 29, 2024

On Power 9 OCP, I installed Open Liberty Operator 1.4.0, then installed the RH Serverless operator and Knative Serving using the script https://github.ibm.com/websphere/operators/tree/main/scripts/configure-cluster/setup-ocp-cluster.sh -S -K --arch P

- In the namespace where the app is deployed, I created a secret to pull the app image from Artifactory:

```
oc get secret hyc-secret
NAME         TYPE                             DATA   AGE
hyc-secret   kubernetes.io/dockerconfigjson   1      5h37m
```

- Here is my OpenLibertyApplication yaml:

```yaml
apiVersion: apps.openliberty.io/v1
kind: OpenLibertyApplication
metadata:
  name: dt10-olk-java21-kn
  labels:
    app: daytrader10
spec:
  serviceAccount:
    mountToken: true
    name: instanton-sa
  applicationImage: 'my-app-image'
  createKnativeService: true
  expose: true
  autoscaling:
    maxReplicas: 5
    minReplicas: 1
    targetCPUUtilizationPercentage: 80
  pullPolicy: Always
  pullSecret: hyc-secret
  statefulSet: {}
  service:
    type: ClusterIP
    port: 9080
  route:
    termination: passthrough
  resources:
    limits:
      cpu: 1024m
      memory: 1024Mi
    requests:
      cpu: 512m
      memory: 512Mi
  probes:
    liveness:
      httpGet:
        path: /health
        port: 9080
      failureThreshold: 5
      periodSeconds: 10
    readiness:
      httpGet:
        path: /daytrader
        port: 9080
      failureThreshold: 5
      periodSeconds: 10
  env:
    - name: WLP_LOGGING_CONSOLE_FORMAT
      value: 'simple'
    - name: dbHost
      value: 'app-db2' # DB2 container service.namespace
    - name: dbName
      value: TRADEDB
    - name: dbPort
      value: "50000"
    - name: dbUser
      value: db2inst1
    - name: dbPasswd
      valueFrom:
        secretKeyRef:
          name: db-credential
          key: dbpw
    - name: QueueManager
      value: QM1
    - name: mqHost
      value: app-mq  # use MQ container service.namespace
    - name: mqPasswd
      valueFrom:
        secretKeyRef:
          key: mqpw
          name: mqapp-credential
    - name: httpPort
      value: "9080"
    - name: httpsPort
      value: "9443"
  securityContext:
    allowPrivilegeEscalation: true
    privileged: false
    runAsNonRoot: true
    capabilities:
      add:
      - CHECKPOINT_RESTORE
      - SETPCAP
      drop:
      - ALL
```

My app image failed to deploy. I see "Authentication is required" when I describe the revision:

```
Events:
  Type     Reason         Age               From                 Message
  ----     ------         ----              ----                 -------
  Warning  InternalError  6s (x4 over 13s)  revision-controller  Unable to fetch image "docker-na-public.artifactory.swg-devops.com/hyc-wassvt-team-image-registry-docker-local/instanton/24.0.0.11/daytrader10-mq:ol-kernel-java21-ppc64le": failed to resolve image to digest: GET https://docker-na-public.artifactory.swg-devops.com/artifactory/api/docker/null/v2/token?scope=repository%3Ahyc-wassvt-team-image-registry-docker-local%2Finstanton%2F24.0.0.11%2Fdaytrader10-mq%3Apull&service=docker-na-public.artifactory.swg-devops.com: : Authentication is required
```

I checked the revision and kservice resources and I do not see the pullSecret in them.

tam512 (Author) commented Oct 30, 2024

This is a regression since this worked in Liberty 24.0.0.9

@tam512 tam512 changed the title Unable to deploy app to Power OCP with Knative Unable to deploy app to OCP with Knative Nov 5, 2024
tam512 (Author) commented Nov 5, 2024

This problem is also seen on x86 OCP

leochr (Member) commented Nov 6, 2024

At a glance in the Operator code, I don't see the pull secret from CR being set on Knative workloads (now or before). So I don't believe this is a regression. A global pull secret was likely in place in the clusters where the image pull failure didn't occur in the past. We'll look into setting the pull secret on Knative workloads.

tam512 (Author) commented Nov 6, 2024

Our experience in the past was that we always needed to have a pull secret in the namespace of the app even when we had a global pull secret. Knative does not work with the global pull secret.

We also had a global pull secret in OCP when we saw this problem.

idlewis (Member) commented Dec 4, 2024

@tam512 Your original report says that you saw this issue on Power. Have you also seen the issue on X or is it Power only?

idlewis (Member) commented Dec 4, 2024

> @tam512 Your original report says that you saw this issue on Power. Have you also seen the issue on X or is it Power only?

@tam512 Ah, sorry, just seen your later update. Pls ignore!

@idlewis idlewis self-assigned this Dec 5, 2024
idlewis (Member) commented Dec 5, 2024

I think this is working as designed.
In the CR yaml above, both the pull secret and the service account name are specified.
For the container image to be pulled, the pull secret has to be added to the service account.
However, the operator doesn't add the pull secret for custom service accounts; it only does this when the operator has created the service account itself. This is not a change in behaviour.
We will look into whether we can support the scenario of 'custom service account and pull secret specified' in a future release.

For the moment, you can get this scenario to work if you specify the pull secret when you create the custom service account.

leochr (Member) commented Dec 16, 2024

@tam512 Please see Iain's response above. The pull secret is specified via the Service Account and Liberty Operator adds the pull secret only if the default service account it manages is used. For custom service accounts, the pull secret should be added by the user. Please try that.

Closing. Please reopen if the suggestion doesn't work.

@leochr leochr closed this as completed Dec 16, 2024
tam512 (Author) commented Jan 23, 2025

@leochr I verified that I can deploy my InstantOn app OK with Knative on OCP (Power9) if I create the ServiceAccount with imagePullSecrets:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: instanton-sa2
imagePullSecrets:
  - name: myPullSecret
```

So there are changes between the operator versions we used when testing Liberty InstantOn 24.0.0.9 and 24.0.0.11:

- With the operator tested in 24.0.0.9, we used .spec.serviceAccountName in our app deployment yaml:

```yaml
spec:
  serviceAccountName: instanton-sa
```

- With the operator tested in 24.0.0.11, .spec.serviceAccountName is deprecated per the doc, so we use .spec.serviceAccount.name:

```yaml
spec:
  serviceAccount:
    name: instanton-sa
```

When we tested with .spec.serviceAccountName, we did not have to specify imagePullSecrets in the service account when testing with Knative (we just ran `oc create serviceaccount instanton-sa`), and now we do. So that's why I thought this is a regression.

Do we document that, for custom service accounts, users need to add the pull secret to their custom SA? Do we need to improve serviceability messages? By looking at the error below I did not know why it broke, since I do have spec.pullSecret: hyc-secret in my OpenLibertyApplication yaml:

```
Unable to fetch image "docker-na-public.artifactory.swg-devops.com/hyc-wassvt-team-image-registry-docker-local/instanton/24.0.0.11/daytrader10-mq:ol-kernel-java21-ppc64le": failed to resolve image to digest: GET https://docker-na-public.artifactory.swg-devops.com/artifactory/api/docker/null/v2/token?scope=repository%3Ahyc-wassvt-team-image-registry-docker-local%2Finstanton%2F24.0.0.11%2Fdaytrader10-mq%3Apull&service=docker-na-public.artifactory.swg-devops.com: : Authentication is required
```

@tam512 tam512 reopened this Jan 23, 2025
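The rule the maintainers describe above (the operator only attaches `spec.pullSecret` to a service account it created itself, so a custom SA must carry the secret in its own `imagePullSecrets`) can be pre-checked before applying the CR. The following is an added example, not code from the Open Liberty Operator project: it takes the JSON shapes that `oc get olapp/sa/secret -o json` would return, with constructed sample objects mirroring this issue, and reports why an image pull would fail.

```python
# Added example (not project code): verify that an OpenLibertyApplication's
# pull secret is actually usable by the service account it references.
# Inputs are dicts in the shape of `oc get <kind> <name> -o json` output.

DOCKERCFG_TYPE = "kubernetes.io/dockerconfigjson"


def check_pull_secret_binding(app, service_accounts, secrets):
    """Return a list of findings; an empty list means the pull can authenticate."""
    spec = app.get("spec", {})
    pull_secret = spec.get("pullSecret")
    # Both the current .spec.serviceAccount.name and the deprecated
    # .spec.serviceAccountName mean "custom service account".
    sa_name = spec.get("serviceAccount", {}).get("name") or spec.get("serviceAccountName")
    findings = []
    if not pull_secret:
        return ["no spec.pullSecret set; relying on default/global credentials"]
    secret = secrets.get(pull_secret)
    if secret is None:
        findings.append(f"pull secret {pull_secret!r} does not exist in the namespace")
    elif secret.get("type") != DOCKERCFG_TYPE:
        findings.append(f"pull secret {pull_secret!r} has type {secret.get('type')!r}, "
                        f"expected {DOCKERCFG_TYPE}")
    if sa_name is None:
        # Operator-managed SA: per the thread, the operator adds the secret itself.
        return findings
    sa = service_accounts.get(sa_name)
    if sa is None:
        findings.append(f"custom service account {sa_name!r} not found")
        return findings
    bound = {ref.get("name") for ref in sa.get("imagePullSecrets", [])}
    if pull_secret not in bound:
        findings.append(f"custom SA {sa_name!r} has no imagePullSecrets entry for "
                        f"{pull_secret!r}; the operator does not copy spec.pullSecret onto "
                        "custom service accounts, so the revision fails with "
                        "'Authentication is required'")
    return findings


# Constructed samples modelled on the issue report (not real cluster output).
APP = {"spec": {"serviceAccount": {"name": "instanton-sa"},
                "pullSecret": "hyc-secret", "createKnativeService": True}}
SECRETS = {"hyc-secret": {"type": DOCKERCFG_TYPE}}
SA_BROKEN = {"instanton-sa": {"metadata": {"name": "instanton-sa"}}}  # plain `oc create serviceaccount`
SA_FIXED = {"instanton-sa": {"imagePullSecrets": [{"name": "hyc-secret"}]}}

if __name__ == "__main__":
    for label, sas in (("as reported", SA_BROKEN), ("SA with imagePullSecrets", SA_FIXED)):
        print(label, "->", check_pull_secret_binding(APP, sas, SECRETS) or ["OK"])
```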
tam512 (Author) commented Jan 23, 2025

@mtamboli fyi ^^
