Installing Tekton Triggers EventListener (for GitLab) on OpenShift leads to: error configmaps is forbidden: cannot get resource configmaps in API

Posted: 2022-01-07 05:48:13

Question:

We are working on integrating GitLab and Tekton / OpenShift Pipelines via webhooks and Tekton Triggers. We followed this example project and created our EventListener, which comes with the required Interceptor, TriggerBinding and TriggerTemplate, as gitlab-push-listener.yml:

apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: gitlab-listener
spec:
  serviceAccountName: tekton-triggers-example-sa
  triggers:
    - name: gitlab-push-events-trigger
      interceptors:
        - name: "verify-gitlab-payload"
          ref:
            name: "gitlab"
            kind: ClusterInterceptor
          params:
            - name: secretRef
              value:
                secretName: "gitlab-secret"
                secretKey: "secretToken"
            - name: eventTypes
              value:
                - "Push Hook"
      bindings:
        - name: gitrevision
          value: $(body.checkout_sha)
        - name: gitrepositoryurl
          value: $(body.repository.git_http_url)
      template:
        spec:
          params:
            - name: gitrevision
            - name: gitrepositoryurl
            - name: message
              description: The message to print
              default: This is the default message
            - name: contenttype
              description: The Content-Type of the event
          resourcetemplates:
            - apiVersion: tekton.dev/v1beta1
              kind: PipelineRun
              metadata:
                generateName: buildpacks-test-pipeline-run-
                #name: buildpacks-test-pipeline-run
              spec:
                serviceAccountName: buildpacks-service-account-gitlab # Only needed if you set up authorization
                pipelineRef:
                  name: buildpacks-test-pipeline
                workspaces:
                  - name: source-workspace
                    subPath: source
                    persistentVolumeClaim:
                      claimName: buildpacks-source-pvc
                  - name: cache-workspace
                    subPath: cache
                    persistentVolumeClaim:
                      claimName: buildpacks-source-pvc
                params:
                  - name: IMAGE
                    value: registry.gitlab.com/jonashackt/microservice-api-spring-boot # This defines the name of output image
                  - name: SOURCE_URL
                    value: https://gitlab.com/jonashackt/microservice-api-spring-boot
                  - name: SOURCE_REVISION
                    value: main

As stated in the example (and in the Tekton docs), we also created and applied with kubectl apply a ServiceAccount named tekton-triggers-example-sa, a RoleBinding and a ClusterRoleBinding:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-triggers-example-sa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: triggers-example-eventlistener-binding
subjects:
  - kind: ServiceAccount
    name: tekton-triggers-example-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-triggers-eventlistener-roles
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: triggers-example-eventlistener-clusterbinding
subjects:
  - kind: ServiceAccount
    name: tekton-triggers-example-sa
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-triggers-eventlistener-clusterroles

Now, after installing our EventListener via kubectl apply -f gitlab-push-listener.yml, no trigger from GitLab, not even a curl, is triggering a PipelineRun as expected. Looking at the logs of the el-gitlab-listener Deployment and Pod, we see the following error:

$ kubectl logs el-gitlab-listener-69f4c5c8f8-t4zdj
{"level":"info","ts":"2021-11-30T09:38:32.444Z","caller":"logging/config.go:116","msg":"Successfully created the logger."}
{"level":"info","ts":"2021-11-30T09:38:32.444Z","caller":"logging/config.go:117","msg":"Logging level set to: info"}
{"level":"info","ts":"2021-11-30T09:38:32.444Z","caller":"logging/config.go:79","msg":"Fetch GitHub commit ID from kodata failed","error":"\"KO_DATA_PATH\" does not exist or is empty"}
{"level":"info","ts":"2021-11-30T09:38:32.444Z","logger":"eventlistener","caller":"logging/logging.go:46","msg":"Starting the Configuration eventlistener","knative.dev/controller":"eventlistener"}
{"level":"info","ts":"2021-11-30T09:38:32.445Z","logger":"eventlistener","caller":"profiling/server.go:64","msg":"Profiling enabled: false","knative.dev/controller":"eventlistener"}
{"level":"fatal","ts":"2021-11-30T09:38:32.451Z","logger":"eventlistener","caller":"eventlistenersink/main.go:104","msg":"Error reading ConfigMap config-observability-triggers","knative.dev/controller":"eventlistener","error":"configmaps \"config-observability-triggers\" is forbidden: User \"system:serviceaccount:default:tekton-triggers-example-sa\" cannot get resource \"configmaps\" in API group \"\" in the namespace \"default\": RBAC: [clusterrole.rbac.authorization.k8s.io \"tekton-triggers-eventlistener-clusterroles\" not found, clusterrole.rbac.authorization.k8s.io \"tekton-triggers-eventlistener-roles\" not found]","stacktrace":"main.main\n\t/opt/app-root/src/go/src/github.com/tektoncd/triggers/cmd/eventlistenersink/main.go:104\nruntime.main\n\t/usr/lib/golang/src/runtime/proc.go:203"}
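The fatal line above is worth reading closely: the API server denied the EventListener's ServiceAccount the get on configmaps and, in the same message, reports that both ClusterRoles the RoleBinding and ClusterRoleBinding refer to do not exist. Kubernetes accepts a binding whose roleRef points at a missing ClusterRole without complaint, so the binding simply grants nothing. The checker below is an added example (not code from the question, from Tekton, or from OpenShift Pipelines): it parses such a log line to recover who was denied what and which roleRefs were unresolved, then cross-checks the two bindings from the manifest above against the set of ClusterRoles actually present. The sample log line and the set of existing ClusterRoles are constructed stand-ins; the binding names and roleRef names are the ones from the question.

```python
import json
import re

# Constructed sample: the fatal line from the EventListener pod log in the question,
# trimmed to the fields the checker needs (the real line carries more fields).
SAMPLE_LOG_LINE = json.dumps({
    "level": "fatal",
    "ts": "2021-11-30T09:38:32.451Z",
    "logger": "eventlistener",
    "msg": "Error reading ConfigMap config-observability-triggers",
    "error": (
        'configmaps "config-observability-triggers" is forbidden: '
        'User "system:serviceaccount:default:tekton-triggers-example-sa" '
        'cannot get resource "configmaps" in API group "" in the namespace "default": '
        'RBAC: [clusterrole.rbac.authorization.k8s.io "tekton-triggers-eventlistener-clusterroles" not found, '
        'clusterrole.rbac.authorization.k8s.io "tekton-triggers-eventlistener-roles" not found]'
    ),
})

# Patterns for the kube-apiserver RBAC denial text as it appears in the log above.
DENIAL_RE = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" cannot '
    r'(?P<verb>\w+) resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)"'
)
MISSING_ROLE_RE = re.compile(r'clusterrole\.rbac\.authorization\.k8s\.io "([^"]+)" not found')


def parse_rbac_denial(log_line: str) -> dict:
    """Return who was denied which verb on which resource, plus the ClusterRoles the
    API server could not resolve. Returns {} for lines that are not JSON RBAC denials."""
    try:
        record = json.loads(log_line)
    except json.JSONDecodeError:
        return {}
    error = record.get("error", "")
    m = DENIAL_RE.search(error)
    if not m:
        return {}
    return {
        "serviceaccount": f"{m['ns']}/{m['sa']}",
        "verb": m["verb"],
        "resource": m["resource"],
        "api_group": m["group"] or "core",
        "missing_cluster_roles": MISSING_ROLE_RE.findall(error),
    }


def dangling_role_refs(bindings: list, existing_cluster_roles: set) -> list:
    """List (binding name, ClusterRole name) pairs whose roleRef names a ClusterRole that
    is not installed. Such a binding is stored by the API server but grants no permissions."""
    return [
        (b["metadata"]["name"], b["roleRef"]["name"])
        for b in bindings
        if b["roleRef"]["kind"] == "ClusterRole"
        and b["roleRef"]["name"] not in existing_cluster_roles
    ]


# The two bindings from the question's manifest, reduced to the fields the check needs.
BINDINGS = [
    {"kind": "RoleBinding",
     "metadata": {"name": "triggers-example-eventlistener-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "tekton-triggers-eventlistener-roles"}},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "triggers-example-eventlistener-clusterbinding"},
     "roleRef": {"kind": "ClusterRole", "name": "tekton-triggers-eventlistener-clusterroles"}},
]

# Constructed stand-in for the ClusterRole names present on a cluster where the upstream
# Tekton Triggers ClusterRoles are absent, as the log reports. Only admin/edit/view are
# real default names; the last entry is a placeholder.
EXISTING_CLUSTER_ROLES = {"admin", "edit", "view", "example-placeholder-role"}

if __name__ == "__main__":
    denial = parse_rbac_denial(SAMPLE_LOG_LINE)
    print(f"{denial['serviceaccount']} was denied '{denial['verb']}' on {denial['resource']}")
    for binding, role in dangling_role_refs(BINDINGS, EXISTING_CLUSTER_ROLES):
        print(f"{binding}: roleRef ClusterRole/{role} does not exist on this cluster")
```

On a live cluster the same two facts can be confirmed with kubectl: `kubectl get clusterrole <name>` for each roleRef, and `kubectl auth can-i get configmaps --as=system:serviceaccount:<namespace>:<serviceaccount>` for the denied action. Feeding the output of `kubectl get clusterroles -o name` into EXISTING_CLUSTER_ROLES turns the constructed check into a real one.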


Answer 1:

The OpenShift Pipelines documentation doesn't document it directly. But if you browse the docs, especially the Triggers section, you may notice that no ServiceAccount is created there. Yet every Trigger component uses one. It is called pipeline. Just run kubectl get serviceaccount to see it:

$ kubectl get serviceaccount
NAME                         SECRETS   AGE
default                      2         49d
deployer                     2         49d
pipeline                     2         48d

This pipeline ServiceAccount is ready to be used in your Tekton Triggers and EventListeners. So your gitlab-push-listener.yml can reference it directly:

apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: gitlab-listener
spec:
  serviceAccountName: pipeline
  triggers:
    - name: gitlab-push-events-trigger
      interceptors:
      ...

You can simply delete your manually created ServiceAccount tekton-triggers-example-sa; it isn't needed in OpenShift Pipelines! Now your Tekton Triggers EventListener should work and trigger your Tekton Pipelines as defined.
