feat(chart): comply with Pod Security Standards #3689

Merged (4 commits) on Jun 17, 2023

@nrvnrvn
Contributor

nrvnrvn commented Jun 15, 2023

Description

Fixes #3688

Checklist

  • Unit tests updated
  • End user documentation updated

@k8s-ci-robot added the cncf-cla: yes label Jun 15, 2023

@k8s-ci-robot
Contributor

Welcome @nrvnrvn!

It looks like this is your first PR to kubernetes-sigs/external-dns 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/external-dns has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot added the size/XS label Jun 15, 2023

@stevehipwell
Contributor

stevehipwell left a comment

Thanks for the PR @nrvnrvn. Could you add this to the chart CHANGELOG?

@nrvnrvn
Contributor Author

nrvnrvn commented Jun 15, 2023

@stevehipwell updated the changelog.

@stevehipwell
Contributor

/ok-to-test

@k8s-ci-robot added the ok-to-test label Jun 15, 2023

@stevehipwell
Contributor

@nrvnrvn the workflow to enable workflows on this PR is currently broken (see #3691) so the PR above needs merging for you to rebase onto or we need a repo maintainer to approve them manually.

@stevehipwell
Contributor

@nrvnrvn if you rebase onto master we should be able to enable the workflows.

@nrvnrvn
Contributor Author

nrvnrvn commented Jun 15, 2023

@stevehipwell synced with master. Let me know if I need to squash commits to make it look cleaner.

@stevehipwell
Contributor

@nrvnrvn the automation is working correctly but it looks like the code change doesn't work?

@nrvnrvn
Contributor Author

nrvnrvn commented Jun 15, 2023

Hmm... I am trying to compare with the previous successful lint-test job https://github.com/kubernetes-sigs/external-dns/actions/runs/4810641872/jobs/8563541759. Not sure why `failed installing charts: failed processing charts`.

@stevehipwell
Contributor

Have you tested your changes locally on a Kind cluster?

@nrvnrvn
Contributor Author

nrvnrvn commented Jun 15, 2023

I have tested it on a live cluster, manually applying the changes in the security context, and via `helm install` locally. Now getting my head around `ct` to understand how it works and what could go wrong.

@nrvnrvn
Contributor Author

nrvnrvn commented Jun 15, 2023

@stevehipwell jfyi: `ct install` exits 0 with chart 1.12.2 but fails with 1.13.0. See below:

`git checkout external-dns-helm-chart-1.12.2`
❯ ct install --chart-dirs ./charts/external-dns --charts ./charts/external-dns --debug
Installing charts...
Version increment checking disabled.
>>> helm version --template {{ .Version }}

------------------------------------------------------------------------------------------------------------------------
 Charts to be processed:
------------------------------------------------------------------------------------------------------------------------
 external-dns => (version: "1.12.2", path: "./charts/external-dns")
------------------------------------------------------------------------------------------------------------------------

>>> helm dependency build ./charts/external-dns
Installing chart "external-dns => (version: \"1.12.2\", path: \"./charts/external-dns\")"...
Creating namespace "external-dns-2fid7ftg1f"...
>>> kubectl --request-timeout=30s create namespace external-dns-2fid7ftg1f
namespace/external-dns-2fid7ftg1f created
>>> helm install external-dns-2fid7ftg1f ./charts/external-dns --namespace external-dns-2fid7ftg1f --wait
NAME: external-dns-2fid7ftg1f
LAST DEPLOYED: Fri Jun 16 00:26:39 2023
NAMESPACE: external-dns-2fid7ftg1f
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
***********************************************************************
* External DNS                                                        *
***********************************************************************
  Chart version: 1.12.2
  App version:   0.13.4
  Image tag:     registry.k8s.io/external-dns/external-dns:v0.13.4
***********************************************************************
>>> kubectl --request-timeout=30s get deployments --namespace external-dns-2fid7ftg1f --selector  --output jsonpath={.items[*].metadata.name}
>>> kubectl --request-timeout=30s rollout status deployment external-dns-2fid7ftg1f --namespace external-dns-2fid7ftg1f
deployment "external-dns-2fid7ftg1f" successfully rolled out
>>> kubectl --request-timeout=30s get deployment external-dns-2fid7ftg1f --namespace external-dns-2fid7ftg1f --output jsonpath={.status.unavailableReplicas}
>>> helm test external-dns-2fid7ftg1f --namespace external-dns-2fid7ftg1f
NAME: external-dns-2fid7ftg1f
LAST DEPLOYED: Fri Jun 16 00:26:39 2023
NAMESPACE: external-dns-2fid7ftg1f
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
***********************************************************************
* External DNS                                                        *
***********************************************************************
  Chart version: 1.12.2
  App version:   0.13.4
  Image tag:     registry.k8s.io/external-dns/external-dns:v0.13.4
***********************************************************************
========================================================================================================================
........................................................................................................................
==> Events of namespace external-dns-2fid7ftg1f
........................................................................................................................
>>> kubectl --request-timeout=30s get events --output wide --namespace external-dns-2fid7ftg1f
LAST SEEN   TYPE     REASON              OBJECT                                          SUBOBJECT                       SOURCE                                        MESSAGE                                                                                            FIRST SEEN   COUNT   NAME
12s         Normal   ScalingReplicaSet   deployment/external-dns-2fid7ftg1f                                              deployment-controller                         Scaled up replica set external-dns-2fid7ftg1f-7c69576468 to 1                                      12s          1       external-dns-2fid7ftg1f.1768eef5a88e4a26
12s         Normal   SuccessfulCreate    replicaset/external-dns-2fid7ftg1f-7c69576468                                   replicaset-controller                         Created pod: external-dns-2fid7ftg1f-7c69576468-f9cjq                                              12s          1       external-dns-2fid7ftg1f-7c69576468.1768eef5a9288469
12s         Normal   Scheduled           pod/external-dns-2fid7ftg1f-7c69576468-f9cjq                                    default-scheduler, default-scheduler-colima   Successfully assigned external-dns-2fid7ftg1f/external-dns-2fid7ftg1f-7c69576468-f9cjq to colima   12s          1       external-dns-2fid7ftg1f-7c69576468-f9cjq.1768eef5a98ad655
12s         Normal   Pulled              pod/external-dns-2fid7ftg1f-7c69576468-f9cjq    spec.containers{external-dns}   kubelet, colima                               Container image "registry.k8s.io/external-dns/external-dns:v0.13.4" already present on machine     12s          1       external-dns-2fid7ftg1f-7c69576468-f9cjq.1768eef5c63fe99d
12s         Normal   Created             pod/external-dns-2fid7ftg1f-7c69576468-f9cjq    spec.containers{external-dns}   kubelet, colima                               Created container external-dns                                                                     12s          1       external-dns-2fid7ftg1f-7c69576468-f9cjq.1768eef5c69c8934
12s         Normal   Started             pod/external-dns-2fid7ftg1f-7c69576468-f9cjq    spec.containers{external-dns}   kubelet, colima                               Started container external-dns                                                                     12s          1       external-dns-2fid7ftg1f-7c69576468-f9cjq.1768eef5c8f0eb31
........................................................................................................................
<== Events of namespace external-dns-2fid7ftg1f
........................................................................................................................
>>> kubectl --request-timeout=30s get pods --no-headers --namespace external-dns-2fid7ftg1f --selector  --output jsonpath={.items[*].metadata.name}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
==> Description of pod external-dns-2fid7ftg1f-7c69576468-f9cjq
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> kubectl --request-timeout=30s describe pod external-dns-2fid7ftg1f-7c69576468-f9cjq --namespace external-dns-2fid7ftg1f
Name:             external-dns-2fid7ftg1f-7c69576468-f9cjq
Namespace:        external-dns-2fid7ftg1f
Priority:         0
Service Account:  external-dns-2fid7ftg1f
Node:             colima/192.168.5.1
Start Time:       Fri, 16 Jun 2023 00:26:39 +0400
Labels:           app.kubernetes.io/instance=external-dns-2fid7ftg1f
                  app.kubernetes.io/name=external-dns
                  pod-template-hash=7c69576468
Annotations:      <none>
Status:           Running
IP:               10.42.0.17
IPs:
  IP:           10.42.0.17
Controlled By:  ReplicaSet/external-dns-2fid7ftg1f-7c69576468
Containers:
  external-dns:
    Container ID:  containerd://00166c4f4c3f3af1239a43fe5dcbb252bb9ea98fcac749d09564ccd30d6af9fb
    Image:         registry.k8s.io/external-dns/external-dns:v0.13.4
    Image ID:      registry.k8s.io/external-dns/external-dns@sha256:b1ee7b829bd4c8bc5fbae0e4671cc423304a5a4c8228dc13e2c961c1e5eb90e4
    Port:          7979/TCP
    Host Port:     0/TCP
    Args:
      --log-level=info
      --log-format=text
      --interval=1m
      --source=service
      --source=ingress
      --policy=upsert-only
      --registry=txt
      --provider=aws
    State:          Running
      Started:      Fri, 16 Jun 2023 00:26:39 +0400
    Ready:          True
    Restart Count:  0
    Liveness:       http-get http://:http/healthz delay=10s timeout=5s period=10s #success=1 #failure=2
    Readiness:      http-get http://:http/healthz delay=5s timeout=5s period=10s #success=1 #failure=6
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-lmnx7 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  kube-api-access-lmnx7:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  12s   default-scheduler  Successfully assigned external-dns-2fid7ftg1f/external-dns-2fid7ftg1f-7c69576468-f9cjq to colima
  Normal  Pulled     12s   kubelet            Container image "registry.k8s.io/external-dns/external-dns:v0.13.4" already present on machine
  Normal  Created    12s   kubelet            Created container external-dns
  Normal  Started    12s   kubelet            Started container external-dns
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<== Description of pod external-dns-2fid7ftg1f-7c69576468-f9cjq
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> kubectl --request-timeout=30s get pods external-dns-2fid7ftg1f-7c69576468-f9cjq --no-headers --namespace external-dns-2fid7ftg1f --output jsonpath={.spec.initContainers[*].name}
>>> kubectl --request-timeout=30s get pods external-dns-2fid7ftg1f-7c69576468-f9cjq --no-headers --namespace external-dns-2fid7ftg1f --output jsonpath={.spec.containers[*].name}
------------------------------------------------------------------------------------------------------------------------
==> Logs of container external-dns-2fid7ftg1f-7c69576468-f9cjq
------------------------------------------------------------------------------------------------------------------------
>>> kubectl --request-timeout=30s logs external-dns-2fid7ftg1f-7c69576468-f9cjq --namespace external-dns-2fid7ftg1f --container external-dns
time="2023-06-15T20:26:39Z" level=info msg="config: {APIServerURL: KubeConfig: RequestTimeout:30s DefaultTargets:[] ContourLoadBalancerService:heptio-contour/contour GlooNamespace:gloo-system SkipperRouteGroupVersion:zalando.org/v1 Sources:[service ingress] Namespace: AnnotationFilter: LabelFilter: FQDNTemplate: CombineFQDNAndAnnotation:false IgnoreHostnameAnnotation:false IgnoreIngressTLSSpec:false IgnoreIngressRulesSpec:false GatewayNamespace: GatewayLabelFilter: Compatibility: PublishInternal:false PublishHostIP:false AlwaysPublishNotReadyAddresses:false ConnectorSourceServer:localhost:8080 Provider:aws GoogleProject: GoogleBatchChangeSize:1000 GoogleBatchChangeInterval:1s GoogleZoneVisibility: DomainFilter:[] ExcludeDomains:[] RegexDomainFilter: RegexDomainExclusion: ZoneNameFilter:[] ZoneIDFilter:[] TargetNetFilter:[] ExcludeTargetNets:[] AlibabaCloudConfigFile:/etc/kubernetes/alibaba-cloud.json AlibabaCloudZoneType: AWSZoneType: AWSZoneTagFilter:[] AWSAssumeRole: AWSAssumeRoleExternalID: AWSBatchChangeSize:1000 AWSBatchChangeInterval:1s AWSEvaluateTargetHealth:true AWSAPIRetries:3 AWSPreferCNAME:false AWSZoneCacheDuration:0s AWSSDServiceCleanup:false AzureConfigFile:/etc/kubernetes/azure.json AzureResourceGroup: AzureSubscriptionID: AzureUserAssignedIdentityClientID: BluecatDNSConfiguration: BluecatConfigFile:/etc/kubernetes/bluecat.json BluecatDNSView: BluecatGatewayHost: BluecatRootZone: BluecatDNSServerName: BluecatDNSDeployType:no-deploy BluecatSkipTLSVerify:false CloudflareProxied:false CloudflareDNSRecordsPerPage:100 CoreDNSPrefix:/skydns/ RcodezeroTXTEncrypt:false AkamaiServiceConsumerDomain: AkamaiClientToken: AkamaiClientSecret: AkamaiAccessToken: AkamaiEdgercPath: AkamaiEdgercSection: InfobloxGridHost: InfobloxWapiPort:443 InfobloxWapiUsername:admin InfobloxWapiPassword: InfobloxWapiVersion:2.3.1 InfobloxSSLVerify:true InfobloxView: InfobloxMaxResults:0 InfobloxFQDNRegEx: InfobloxNameRegEx: InfobloxCreatePTR:false InfobloxCacheDuration:0 
DynCustomerName: DynUsername: DynPassword: DynMinTTLSeconds:0 OCIConfigFile:/etc/kubernetes/oci.yaml InMemoryZones:[] OVHEndpoint:ovh-eu OVHApiRateLimit:20 PDNSServer:http://localhost:8081 PDNSAPIKey: PDNSTLSEnabled:false TLSCA: TLSClientCert: TLSClientCertKey: Policy:upsert-only Registry:txt TXTOwnerID:default TXTPrefix: TXTSuffix: Interval:1m0s MinEventSyncInterval:5s Once:false DryRun:false UpdateEvents:false LogFormat:text MetricsAddress::7979 LogLevel:info TXTCacheInterval:0s TXTWildcardReplacement: ExoscaleEndpoint:https://api.exoscale.ch/dns ExoscaleAPIKey: ExoscaleAPISecret: CRDSourceAPIVersion:externaldns.k8s.io/v1alpha1 CRDSourceKind:DNSEndpoint ServiceTypeFilter:[] CFAPIEndpoint: CFUsername: CFPassword: RFC2136Host: RFC2136Port:0 RFC2136Zone: RFC2136Insecure:false RFC2136GSSTSIG:false RFC2136KerberosRealm: RFC2136KerberosUsername: RFC2136KerberosPassword: RFC2136TSIGKeyName: RFC2136TSIGSecret: RFC2136TSIGSecretAlg: RFC2136TAXFR:false RFC2136MinTTL:0s RFC2136BatchChangeSize:50 NS1Endpoint: NS1IgnoreSSL:false NS1MinTTLSeconds:0 TransIPAccountName: TransIPPrivateKeyFile: DigitalOceanAPIPageSize:50 ManagedDNSRecordTypes:[A CNAME] GoDaddyAPIKey: GoDaddySecretKey: GoDaddyTTL:0 GoDaddyOTE:false OCPRouterName: IBMCloudProxied:false IBMCloudConfigFile:/etc/kubernetes/ibmcloud.json TencentCloudConfigFile:/etc/kubernetes/tencent-cloud.json TencentCloudZoneType: PiholeServer: PiholePassword: PiholeTLSInsecureSkipVerify:false PluralCluster: PluralProvider:}"
time="2023-06-15T20:26:39Z" level=info msg="Instantiating new Kubernetes client"
time="2023-06-15T20:26:39Z" level=info msg="Using inCluster-config based on serviceaccount-token"
time="2023-06-15T20:26:39Z" level=info msg="Created Kubernetes client https://10.43.0.1:443"
time="2023-06-15T20:26:40Z" level=error msg="records retrieval failed: failed to list hosted zones: NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors"
------------------------------------------------------------------------------------------------------------------------
<== Logs of container external-dns-2fid7ftg1f-7c69576468-f9cjq
------------------------------------------------------------------------------------------------------------------------
========================================================================================================================
Deleting release "external-dns-2fid7ftg1f"...
>>> helm uninstall external-dns-2fid7ftg1f --namespace external-dns-2fid7ftg1f
release "external-dns-2fid7ftg1f" uninstalled
Deleting namespace "external-dns-2fid7ftg1f"...
>>> kubectl --request-timeout=30s delete namespace external-dns-2fid7ftg1f --timeout 180s
namespace "external-dns-2fid7ftg1f" deleted
>>> kubectl --request-timeout=30s get namespace external-dns-2fid7ftg1f
Namespace "external-dns-2fid7ftg1f" terminated.
------------------------------------------------------------------------------------------------------------------------
 ✔︎ external-dns => (version: "1.12.2", path: "./charts/external-dns")
------------------------------------------------------------------------------------------------------------------------
All charts installed successfully
`git checkout external-dns-helm-chart-1.13.0`
❯ ct install --chart-dirs ./charts/external-dns --charts ./charts/external-dns --debug
Installing charts...
Version increment checking disabled.
>>> helm version --template {{ .Version }}

------------------------------------------------------------------------------------------------------------------------
 Charts to be processed:
------------------------------------------------------------------------------------------------------------------------
 external-dns => (version: "1.13.0", path: "./charts/external-dns")
------------------------------------------------------------------------------------------------------------------------

>>> helm dependency build ./charts/external-dns
Installing chart "external-dns => (version: \"1.13.0\", path: \"./charts/external-dns\")"...
Creating namespace "external-dns-l89vv23uwf"...
>>> kubectl --request-timeout=30s create namespace external-dns-l89vv23uwf
namespace/external-dns-l89vv23uwf created
>>> helm install external-dns-l89vv23uwf ./charts/external-dns --namespace external-dns-l89vv23uwf --wait
Error: INSTALLATION FAILED: context deadline exceeded
========================================================================================================================
........................................................................................................................
==> Events of namespace external-dns-l89vv23uwf
........................................................................................................................
>>> kubectl --request-timeout=30s get events --output wide --namespace external-dns-l89vv23uwf
LAST SEEN   TYPE      REASON              OBJECT                                         SUBOBJECT                       SOURCE                                        MESSAGE                                                                                                                                                          FIRST SEEN   COUNT   NAME
........................................................................................................................
<== Events of namespace external-dns-l89vv23uwf
........................................................................................................................
>>> kubectl --request-timeout=30s get pods --no-headers --namespace external-dns-l89vv23uwf --selector  --output jsonpath={.items[*].metadata.name}
5m1s        Normal    ScalingReplicaSet   deployment/external-dns-l89vv23uwf                                             deployment-controller                         Scaled up replica set external-dns-l89vv23uwf-cf96c6db7 to 1                                                                                                     5m1s         1       external-dns-l89vv23uwf.1768ef13208c84c2
5m1s        Normal    SuccessfulCreate    replicaset/external-dns-l89vv23uwf-cf96c6db7                                   replicaset-controller                         Created pod: external-dns-l89vv23uwf-cf96c6db7-8mw87                                                                                                             5m1s         1       external-dns-l89vv23uwf-cf96c6db7.1768ef13215208b9
5m          Normal    Scheduled           pod/external-dns-l89vv23uwf-cf96c6db7-8mw87                                    default-scheduler, default-scheduler-colima   Successfully assigned external-dns-l89vv23uwf/external-dns-l89vv23uwf-cf96c6db7-8mw87 to colima
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
==> Description of pod external-dns-l89vv23uwf-cf96c6db7-8mw87
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> kubectl --request-timeout=30s describe pod external-dns-l89vv23uwf-cf96c6db7-8mw87 --namespace external-dns-l89vv23uwf
Name:             external-dns-l89vv23uwf-cf96c6db7-8mw87
Namespace:        external-dns-l89vv23uwf
Priority:         0
Service Account:  external-dns-l89vv23uwf
Node:             colima/192.168.5.1
Start Time:       Fri, 16 Jun 2023 00:28:45 +0400
Labels:           app.kubernetes.io/instance=external-dns-l89vv23uwf
                  app.kubernetes.io/name=external-dns
                  pod-template-hash=cf96c6db7
Annotations:      <none>
Status:           Running
IP:               10.42.0.18
IPs:
  IP:           10.42.0.18
Controlled By:  ReplicaSet/external-dns-l89vv23uwf-cf96c6db7
Containers:
  external-dns:
    Container ID:  containerd://b44a5cccb85faa315c00fe85c8bda5912dd48aa9df40b38830c26be061f17ef1
    Image:         registry.k8s.io/external-dns/external-dns:v0.13.5
    Image ID:      registry.k8s.io/external-dns/external-dns@sha256:974dc3010624a7a8135f6ced78b3a7191eddbd511916ea7df5a392d68616ab59
    Port:          7979/TCP
    Host Port:     0/TCP
    Args:
      --log-level=info
      --log-format=text
      --interval=1m
      --source=service
      --source=ingress
      --policy=upsert-only
      --registry=txt
      --provider=aws
    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Fri, 16 Jun 2023 00:32:07 +0400
      Finished:     Fri, 16 Jun 2023 00:32:08 +0400
    Ready:          False
    Restart Count:  5
    Liveness:       http-get http://:http/healthz delay=10s timeout=5s period=10s #success=1 #failure=2
    Readiness:      http-get http://:http/healthz delay=5s timeout=5s period=10s #success=1 #failure=6
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-78wxc (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  kube-api-access-78wxc:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age                     From               Message
  ----     ------     ----                    ----               -------
  Normal   Scheduled  5m                      default-scheduler  Successfully assigned external-dns-l89vv23uwf/external-dns-l89vv23uwf-cf96c6db7-8mw87 to colima
  Normal   Pulled     4m5s (x4 over 5m)       kubelet            Container image "registry.k8s.io/external-dns/external-dns:v0.13.5" already present on machine
  Normal   Created    4m5s (x4 over 5m)       kubelet            Created container external-dns
  Normal   Started    4m5s (x4 over 5m)       kubelet            Started container external-dns
  Warning  BackOff    3m24s (x13 over 4m57s)  kubelet            Back-off restarting failed container external-dns in pod external-dns-l89vv23uwf-cf96c6db7-8mw87_external-dns-l89vv23uwf(cab06d7c-8292-4f49-be39-8dd4247e2b02)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<== Description of pod external-dns-l89vv23uwf-cf96c6db7-8mw87
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> kubectl --request-timeout=30s get pods external-dns-l89vv23uwf-cf96c6db7-8mw87 --no-headers --namespace external-dns-l89vv23uwf --output jsonpath={.spec.initContainers[*].name}
>>> kubectl --request-timeout=30s get pods external-dns-l89vv23uwf-cf96c6db7-8mw87 --no-headers --namespace external-dns-l89vv23uwf --output jsonpath={.spec.containers[*].name}
------------------------------------------------------------------------------------------------------------------------
==> Logs of container external-dns-l89vv23uwf-cf96c6db7-8mw87
------------------------------------------------------------------------------------------------------------------------
>>> kubectl --request-timeout=30s logs external-dns-l89vv23uwf-cf96c6db7-8mw87 --namespace external-dns-l89vv23uwf --container external-dns
time="2023-06-15T20:32:07Z" level=info msg="config: {APIServerURL: KubeConfig: RequestTimeout:30s DefaultTargets:[] ContourLoadBalancerService:heptio-contour/contour GlooNamespace:gloo-system SkipperRouteGroupVersion:zalando.org/v1 Sources:[service ingress] Namespace: AnnotationFilter: LabelFilter: IngressClassNames:[] FQDNTemplate: CombineFQDNAndAnnotation:false IgnoreHostnameAnnotation:false IgnoreIngressTLSSpec:false IgnoreIngressRulesSpec:false GatewayNamespace: GatewayLabelFilter: Compatibility: PublishInternal:false PublishHostIP:false AlwaysPublishNotReadyAddresses:false ConnectorSourceServer:localhost:8080 Provider:aws GoogleProject: GoogleBatchChangeSize:1000 GoogleBatchChangeInterval:1s GoogleZoneVisibility: DomainFilter:[] ExcludeDomains:[] RegexDomainFilter: RegexDomainExclusion: ZoneNameFilter:[] ZoneIDFilter:[] TargetNetFilter:[] ExcludeTargetNets:[] AlibabaCloudConfigFile:/etc/kubernetes/alibaba-cloud.json AlibabaCloudZoneType: AWSZoneType: AWSZoneTagFilter:[] AWSAssumeRole: AWSAssumeRoleExternalID: AWSBatchChangeSize:1000 AWSBatchChangeInterval:1s AWSEvaluateTargetHealth:true AWSAPIRetries:3 AWSPreferCNAME:false AWSZoneCacheDuration:0s AWSSDServiceCleanup:false AzureConfigFile:/etc/kubernetes/azure.json AzureResourceGroup: AzureSubscriptionID: AzureUserAssignedIdentityClientID: BluecatDNSConfiguration: BluecatConfigFile:/etc/kubernetes/bluecat.json BluecatDNSView: BluecatGatewayHost: BluecatRootZone: BluecatDNSServerName: BluecatDNSDeployType:no-deploy BluecatSkipTLSVerify:false CloudflareProxied:false CloudflareDNSRecordsPerPage:100 CoreDNSPrefix:/skydns/ RcodezeroTXTEncrypt:false AkamaiServiceConsumerDomain: AkamaiClientToken: AkamaiClientSecret: AkamaiAccessToken: AkamaiEdgercPath: AkamaiEdgercSection: InfobloxGridHost: InfobloxWapiPort:443 InfobloxWapiUsername:admin InfobloxWapiPassword: InfobloxWapiVersion:2.3.1 InfobloxSSLVerify:true InfobloxView: InfobloxMaxResults:0 InfobloxFQDNRegEx: InfobloxNameRegEx: InfobloxCreatePTR:false 
InfobloxCacheDuration:0 DynCustomerName: DynUsername: DynPassword: DynMinTTLSeconds:0 OCIConfigFile:/etc/kubernetes/oci.yaml OCICompartmentOCID: OCIAuthInstancePrincipal:false InMemoryZones:[] OVHEndpoint:ovh-eu OVHApiRateLimit:20 PDNSServer:http://localhost:8081 PDNSAPIKey: PDNSTLSEnabled:false TLSCA: TLSClientCert: TLSClientCertKey: Policy:upsert-only Registry:txt TXTOwnerID:default TXTPrefix: TXTSuffix: TXTEncryptEnabled:false TXTEncryptAESKey: Interval:1m0s MinEventSyncInterval:5s Once:false DryRun:false UpdateEvents:false LogFormat:text MetricsAddress::7979 LogLevel:info TXTCacheInterval:0s TXTWildcardReplacement: ExoscaleEndpoint:https://api.exoscale.ch/dns ExoscaleAPIKey: ExoscaleAPISecret: CRDSourceAPIVersion:externaldns.k8s.io/v1alpha1 CRDSourceKind:DNSEndpoint ServiceTypeFilter:[] CFAPIEndpoint: CFUsername: CFPassword: ResolveServiceLoadBalancerHostname:false RFC2136Host: RFC2136Port:0 RFC2136Zone: RFC2136Insecure:false RFC2136GSSTSIG:false RFC2136KerberosRealm: RFC2136KerberosUsername: RFC2136KerberosPassword: RFC2136TSIGKeyName: RFC2136TSIGSecret: RFC2136TSIGSecretAlg: RFC2136TAXFR:false RFC2136MinTTL:0s RFC2136BatchChangeSize:50 NS1Endpoint: NS1IgnoreSSL:false NS1MinTTLSeconds:0 TransIPAccountName: TransIPPrivateKeyFile: DigitalOceanAPIPageSize:50 ManagedDNSRecordTypes:[A AAAA CNAME] GoDaddyAPIKey: GoDaddySecretKey: GoDaddyTTL:0 GoDaddyOTE:false OCPRouterName: IBMCloudProxied:false IBMCloudConfigFile:/etc/kubernetes/ibmcloud.json TencentCloudConfigFile:/etc/kubernetes/tencent-cloud.json TencentCloudZoneType: PiholeServer: PiholePassword: PiholeTLSInsecureSkipVerify:false PluralCluster: PluralProvider:}"
time="2023-06-15T20:32:07Z" level=info msg="Instantiating new Kubernetes client"
time="2023-06-15T20:32:07Z" level=info msg="Using inCluster-config based on serviceaccount-token"
time="2023-06-15T20:32:07Z" level=info msg="Created Kubernetes client https://10.43.0.1:443"
time="2023-06-15T20:32:08Z" level=fatal msg="records retrieval failed: failed to list hosted zones: NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors"
------------------------------------------------------------------------------------------------------------------------
<== Logs of container external-dns-l89vv23uwf-cf96c6db7-8mw87
------------------------------------------------------------------------------------------------------------------------
========================================================================================================================
Deleting release "external-dns-l89vv23uwf"...
>>> helm uninstall external-dns-l89vv23uwf --namespace external-dns-l89vv23uwf
release "external-dns-l89vv23uwf" uninstalled
Deleting namespace "external-dns-l89vv23uwf"...
>>> kubectl --request-timeout=30s delete namespace external-dns-l89vv23uwf --timeout 180s
namespace "external-dns-l89vv23uwf" deleted
>>> kubectl --request-timeout=30s get namespace external-dns-l89vv23uwf
Namespace "external-dns-l89vv23uwf" terminated.
------------------------------------------------------------------------------------------------------------------------
 ✖︎ external-dns => (version: "1.13.0", path: "./charts/external-dns") > failed waiting for process: exit status 1
------------------------------------------------------------------------------------------------------------------------
Error: failed installing charts: failed processing charts
failed installing charts: failed processing charts

If I am not mistaken, this is the reason: 07dc39a

v0.13.4 logs an error and continues execution if there are no providers or credentials, allowing the container to reach the Running state, whereas v0.13.5 fails fast and exits. This is where ct becomes unhappy.

@nrvnrvn
Contributor Author

nrvnrvn commented Jun 16, 2023

I suggest changing the default provider from aws to inmemory.

Running ct install --helm-extra-set-args "--set=provider=inmemory" works fine with chart release 1.13.0 and with this pull request.

@stevehipwell
Contributor

@nrvnrvn good spot. If you add a ci folder in the chart directory and add a ci-values.yaml file where you set the provider to in memory, that should fix it.

@stevehipwell
Contributor

/label tide/merge-method-squash

@k8s-ci-robot k8s-ci-robot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Jun 16, 2023
@nrvnrvn
Contributor Author

nrvnrvn commented Jun 16, 2023

@stevehipwell done

@stevehipwell
Contributor

/approve

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mloiseleur, nrvnrvn, stevehipwell

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 16, 2023
@johngmyers
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 17, 2023
@k8s-ci-robot k8s-ci-robot merged commit 66a770c into kubernetes-sigs:master Jun 17, 2023
@nrvnrvn nrvnrvn deleted the patch-2 branch June 17, 2023 09:15
Development

Successfully merging this pull request may close these issues.

Make helm chart fully comply with pod security standards
5 participants