在 OpenShift 上安装 Tekton Triggers EventListener (for GitLab) 会导致:错误配置映射被禁止:无法在 API 中获取资源配置映射
Posted
技术标签:
【中文标题】在 OpenShift 上安装 Tekton Triggers EventListener (for GitLab) 会导致:错误配置映射被禁止:无法在 API 中获取资源配置映射【英文标题】:Installing Tekton Triggers EventListener (for GitLab) on OpenShift leads to: error configmaps is forbidden: cannot get resource configmaps in API 【发布时间】:2022-01-07 05:48:13 【问题描述】:我们正致力于通过 Webhooks 和 Tekton Triggers 集成 GitLab 和 Tekton / OpenShift Pipelines。我们关注this example project 并制作了我们的EventListener,它附带了所需的Interceptor、TriggerBinding 和TriggerTemplate 作为gitlab-push-listener.yml:
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
name: gitlab-listener
spec:
serviceAccountName: tekton-triggers-example-sa
triggers:
- name: gitlab-push-events-trigger
interceptors:
- name: "verify-gitlab-payload"
ref:
name: "gitlab"
kind: ClusterInterceptor
params:
- name: secretRef
value:
secretName: "gitlab-secret"
secretKey: "secretToken"
- name: eventTypes
value:
- "Push Hook"
bindings:
- name: gitrevision
value: $(body.checkout_sha)
- name: gitrepositoryurl
value: $(body.repository.git_http_url)
template:
spec:
params:
- name: gitrevision
- name: gitrepositoryurl
- name: message
description: The message to print
default: This is the default message
- name: contenttype
description: The Content-Type of the event
resourcetemplates:
- apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: buildpacks-test-pipeline-run-
#name: buildpacks-test-pipeline-run
spec:
serviceAccountName: buildpacks-service-account-gitlab # Only needed if you set up authorization
pipelineRef:
name: buildpacks-test-pipeline
workspaces:
- name: source-workspace
subPath: source
persistentVolumeClaim:
claimName: buildpacks-source-pvc
- name: cache-workspace
subPath: cache
persistentVolumeClaim:
claimName: buildpacks-source-pvc
params:
- name: IMAGE
value: registry.gitlab.com/jonashackt/microservice-api-spring-boot # This defines the name of output image
- name: SOURCE_URL
value: https://gitlab.com/jonashackt/microservice-api-spring-boot
- name: SOURCE_REVISION
value: main
作为stated in the example(和in the Tekton docs),我们还创建并kubectl applyed 一个名为ServiceAccount 的tekton-triggers-example-sa、RoleBinding 和ClusterRoleBinding:
apiVersion: v1
kind: ServiceAccount
metadata:
name: tekton-triggers-example-sa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: triggers-example-eventlistener-binding
subjects:
- kind: ServiceAccount
name: tekton-triggers-example-sa
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: tekton-triggers-eventlistener-roles
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: triggers-example-eventlistener-clusterbinding
subjects:
- kind: ServiceAccount
name: tekton-triggers-example-sa
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: tekton-triggers-eventlistener-clusterroles
现在通过 kubectl apply -f gitlab-push-listener.yml 安装我们的 EventListener,没有来自 GitLab 的触发,甚至是 curl 正在按预期触发 PipelineRun。查看el-gitlab-listener Deployment 和 Pod 的日志,我们看到以下错误:
kubectl logs el-gitlab-listener-69f4c5c8f8-t4zdj
"level":"info","ts":"2021-11-30T09:38:32.444Z","caller":"logging/config.go:116","msg":"Successfully created the logger."
"level":"info","ts":"2021-11-30T09:38:32.444Z","caller":"logging/config.go:117","msg":"Logging level set to: info"
"level":"info","ts":"2021-11-30T09:38:32.444Z","caller":"logging/config.go:79","msg":"Fetch GitHub commit ID from kodata failed","error":"\"KO_DATA_PATH\" does not exist or is empty"
"level":"info","ts":"2021-11-30T09:38:32.444Z","logger":"eventlistener","caller":"logging/logging.go:46","msg":"Starting the Configuration eventlistener","knative.dev/controller":"eventlistener"
"level":"info","ts":"2021-11-30T09:38:32.445Z","logger":"eventlistener","caller":"profiling/server.go:64","msg":"Profiling enabled: false","knative.dev/controller":"eventlistener"
"level":"fatal","ts":"2021-11-30T09:38:32.451Z","logger":"eventlistener","caller":"eventlistenersink/main.go:104","msg":"Error reading ConfigMap config-observability-triggers","knative.dev/controller":"eventlistener","error":"configmaps \"config-observability-triggers\" is forbidden: User \"system:serviceaccount:default:tekton-triggers-example-sa\" cannot get resource \"configmaps\" in API group \"\" in the namespace \"default\": RBAC: [clusterrole.rbac.authorization.k8s.io \"tekton-triggers-eventlistener-clusterroles\" not found, clusterrole.rbac.authorization.k8s.io \"tekton-triggers-eventlistener-roles\" not found]","stacktrace":"main.main\n\t/opt/app-root/src/go/src/github.com/tektoncd/triggers/cmd/eventlistenersink/main.go:104\nruntime.main\n\t/usr/lib/golang/src/runtime/proc.go:203"
【问题讨论】:
【参考方案1】:OpenShift Pipelines 文档没有直接记录它。但是,如果您浏览the docs especially in the Triggers section,您可能会发现没有创建任何ServiceAccount。但是每个 Trigger 组件都使用一个。它被称为pipeline。只需运行kubectl get serviceaccount 即可查看:
$ kubectl get serviceaccount
NAME SECRETS AGE
default 2 49d
deployer 2 49d
pipeline 2 48d
这个pipeline ServiceAccount 已准备好在您的 Tekton 触发器和事件监听器中使用。所以你的gitlab-push-listener.yml可以直接引用:
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
name: gitlab-listener
spec:
serviceAccountName: pipeline
triggers:
- name: gitlab-push-events-trigger
interceptors:
...
您可以简单地删除您手动创建的 ServiceAccount tekton-triggers-example-sa。 OpenShift Pipelines 中不需要它!现在您的 Tekton Triggers EventListener 应该可以正常工作并按照定义触发您的 Tekton Pipelines。
【讨论】:
以上是关于在 OpenShift 上安装 Tekton Triggers EventListener (for GitLab) 会导致:错误配置映射被禁止:无法在 API 中获取资源配置映射的主要内容,如果未能解决你的问题,请参考以下文章
在没有弹性搜索的情况下在 openshift 上安装 fluentd?
在 OpenShift / PHP / CodeIgniter 上发送邮件