Posted to commits@camel.apache.org by "dpalinic (via GitHub)" <gi...@apache.org> on 2024/02/15 14:07:35 UTC

[I] Can't fetch Kubernetes Secrets - ServiceAccount is set to default instead of karavan [camel-karavan]

dpalinic opened a new issue, #1125:
URL: https://github.com/apache/camel-karavan/issues/1125

   **How to reproduce:**
   
   1. Create new integration
   2. Create bean and load some value using the Kubernetes Secrets modal
   3. Run integration
   4. Observe issue below
   
   **Issue:**
   `Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.43.0.1:443/api/v1/namespaces/dev/secrets/dev-postgresql. Message: secrets "dev-postgresql" is forbidden: User "system:serviceaccount:dev:default" cannot get resource "secrets" in API group "" in the namespace "dev". Received status: Status(apiVersion=v1, code=403, details=StatusDetails(causes=[], group=null, kind=secrets, name=dev-postgresql, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=secrets "dev-postgresql" is forbidden: User "system:serviceaccount:dev:default" cannot get resource "secrets" in API group "" in the namespace "dev", metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Forbidden, status=Failure, additionalProperties={}).`
   
   **Notes:**
   It looks like ServiceAccount is set to default instead of karavan. We found a file in which serviceAccount is defined, but we're not sure if it's applied anywhere. Might be related to that?
   
   File:
   karavan-web/karavan-app/src/main/resources/snippets/deployment.jkube.yaml
   
   **Bean example:**
   
   ```
   - beans:
       - constructors: {}
         name: PostgresqlDeadletterDataSource
         properties:
           url: jdbc:postgresql://dev-postgresql.dev.svc.cluster.local:5432/smh
           username: '{{secret:dev-postgresql-username/username}}'
           password: '{{secret:dev-postgresql/password}}'
           driverClassName: org.postgresql.Driver
         type: org.apache.commons.dbcp2.BasicDataSource
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@camel.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
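
The 403 in the issue above names the identity the pod actually ran as, which is the first thing to check before touching any Role. The following is an added example, not code from the thread or from Karavan: it parses that message and runs a simplified namespaced RBAC check (no wildcards, no ClusterRoleBindings) against constructed objects; the Role name `secret-reader` and the binding are assumptions.

```python
import re

# Constructed from the Forbidden message quoted in the issue.
FORBIDDEN = ('secrets "dev-postgresql" is forbidden: User '
             '"system:serviceaccount:dev:default" cannot get resource "secrets" '
             'in API group "" in the namespace "dev"')

PATTERN = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot '
    r'(?P<verb>\S+) resource "(?P<resource>[^"]+)" in API group '
    r'"(?P<group>[^"]*)" in the namespace "(?P<ns>[^"]+)"')

def parse_forbidden(message):
    """Extract who was denied what from an API server 403 message."""
    m = PATTERN.search(message)
    return m.groupdict() if m else None

def allowed(req, roles, bindings):
    """Simplified RBAC: pass only if a RoleBinding in the target namespace names
    this exact ServiceAccount and the bound Role has a matching rule."""
    for b in bindings:
        if b["namespace"] != req["ns"]:
            continue
        if not any(s["kind"] == "ServiceAccount" and s["name"] == req["sa"]
                   and s["namespace"] == req["sa_ns"] for s in b["subjects"]):
            continue
        for rule in roles.get((b["namespace"], b["role"]), []):
            if (req["group"] in rule["apiGroups"]
                    and req["resource"] in rule["resources"]
                    and req["verb"] in rule["verbs"]):
                return True
    return False

# Constructed objects: a Role allowing get/list on secrets, bound only to "karavan".
ROLES = {("dev", "secret-reader"): [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]}
BINDINGS = [{"namespace": "dev", "role": "secret-reader", "subjects": [
    {"kind": "ServiceAccount", "name": "karavan", "namespace": "dev"}]}]

def diagnose(message, pod_service_account):
    """Re-evaluate the denied request as if the pod ran under another ServiceAccount."""
    req = parse_forbidden(message)
    return allowed(dict(req, sa=pod_service_account), ROLES, BINDINGS)

if __name__ == "__main__":
    print(parse_forbidden(FORBIDDEN))
    print("default:", diagnose(FORBIDDEN, "default"))
    print("karavan:", diagnose(FORBIDDEN, "karavan"))
```

A Role bound to `karavan` does nothing for a pod that runs as `default`; the pod's service account has to change, or the binding has to name the account the pod really uses.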


Re: [I] Can't fetch Kubernetes Secrets - ServiceAccount is set to default instead of karavan [camel-karavan]

Posted by "mgubaidullin (via GitHub)" <gi...@apache.org>.
mgubaidullin commented on issue #1125:
URL: https://github.com/apache/camel-karavan/issues/1125#issuecomment-1946687878

   I believe that `karavan.devmode.service.account=karavan` should help




Re: [I] Can't fetch Kubernetes Secrets - ServiceAccount is set to default instead of karavan [camel-karavan]

Posted by "arheom (via GitHub)" <gi...@apache.org>.
arheom commented on issue #1125:
URL: https://github.com/apache/camel-karavan/issues/1125#issuecomment-1946392505

   There are 2 cases:
   1. If you use devmode (run from the top right), then the karavan service account should be used, from my understanding. You might need to update the karavan role, bound to the karavan service account, to allow the get and list verbs on the secrets resources. If this is your case, not sure why you have another service account. Maybe karavan.builder.service.account=karavan could be set in kubernetes-application.properties, but I assume that's for the builder.
   2. If you build and deploy, then you need to assign a service account to the deployment. I recommend creating a new service account, a new role and a new binding, so every integration runs with minimum security to function correctly. This means adding to the project: role.jkube.yaml, rolebinding.jkube.yaml and deployment.jkube.yaml. Then, in the deployment, define a new serviceAccountName, which you will bind to a role, like this:
   
   ```
   apiVersion: rbac.authorization.k8s.io/v1
   kind: Role
   metadata:
     name: myServiceAccountName
     namespace: myNamespace
   rules:
   - apiGroups:
     - ""
     resources:
     - secrets
     verbs:
     - 'get'
     - 'list'
   ```




Re: [I] Can't fetch Kubernetes Secrets - ServiceAccount is set to default instead of karavan [camel-karavan]

Posted by "dpalinic (via GitHub)" <gi...@apache.org>.
dpalinic commented on issue #1125:
URL: https://github.com/apache/camel-karavan/issues/1125#issuecomment-1952289525

   Thanks for your inputs @arheom, @mgubaidullin. If I understand correctly, every "integrator" is now responsible for manually creating those configuration files as part of their project?




Re: [I] Can't fetch Kubernetes Secrets - ServiceAccount is set to default instead of karavan [camel-karavan]

Posted by "mgubaidullin (via GitHub)" <gi...@apache.org>.
mgubaidullin commented on issue #1125:
URL: https://github.com/apache/camel-karavan/issues/1125#issuecomment-1952495019

   This https://github.com/apache/camel-karavan/issues/1125#issuecomment-1946392505 is not correct.
   
   1. To configure the service account for devmode/builder, the following properties are configured for the **Karavan** application by setting env variables for the karavan deployment when installing Karavan to k8s:
   `karavan.devmode.service.account=karavan` for the devmode pod
   `karavan.builder.service.account=karavan` for the builder pod

   2. The `kubernetes-application.properties` file has nothing to do with that. `kubernetes-application.properties` is a template for the `application.properties` file when a user creates a new project.

   3. An integration creates `*.jkube.yaml` fragments to apply project-specific k8s resources or configuration. They will be applied during the build and deploy process in the `builder` pod.




Re: [I] Can't fetch Kubernetes Secrets - ServiceAccount is set to default instead of karavan [camel-karavan]

Posted by "mgubaidullin (via GitHub)" <gi...@apache.org>.
mgubaidullin closed issue #1125: Can't fetch Kubernetes Secrets - ServiceAccount is set to default instead of karavan
URL: https://github.com/apache/camel-karavan/issues/1125

