Unable to deploy app to OCP with Knative #646

Open
tam512 opened this issue Oct 29, 2024 · 4 comments

tam512 commented Oct 29, 2024

On Power 9 OCP, I installed Open Liberty Operator 1.4.0, then installed the RH Serverless operator and Knative Serving using the script https://github.ibm.com/websphere/operators/tree/main/scripts/configure-cluster/setup-ocp-cluster.sh -S -K --arch P

  • In the namespace to deploy the app, create a secret to pull the app image from Artifactory:
oc get secret hyc-secret
NAME         TYPE                             DATA   AGE
hyc-secret   kubernetes.io/dockerconfigjson   1      5h37m
  • Here is my OpenLibertyApplication YAML:
apiVersion: apps.openliberty.io/v1
kind: OpenLibertyApplication
metadata:
  name: dt10-olk-java21-kn
  labels:
    app: daytrader10
spec:
  serviceAccount:
    mountToken: true
    name: instanton-sa
  applicationImage: 'my-app-image'
  createKnativeService: true
  expose: true 
  autoscaling:
    maxReplicas: 5
    minReplicas: 1
    targetCPUUtilizationPercentage: 80
  pullPolicy: Always
  pullSecret: hyc-secret
  statefulSet: {}
  service:
    type: ClusterIP
    port: 9080
  route:
    termination: passthrough
  resources:
    limits:
      cpu: 1024m
      memory: 1024Mi
    requests:
      cpu: 512m
      memory: 512Mi
  probes:
    liveness:
      httpGet:
        path: /health
        port: 9080
      failureThreshold: 5
      periodSeconds: 10
    readiness:
      httpGet:
        path: /daytrader
        port: 9080
      failureThreshold: 5
      periodSeconds: 10
  env:
    - name: WLP_LOGGING_CONSOLE_FORMAT
      value: 'simple'
    - name: dbHost
      value: 'app-db2' # DB2 container service.namespace
    - name: dbName
      value: TRADEDB
    - name: dbPort
      value: "50000"
    - name: dbUser
      value: db2inst1
    - name: dbPasswd
      valueFrom:
        secretKeyRef:
          name: db-credential
          key: dbpw
    - name: QueueManager
      value: QM1
    - name: mqHost
      value: app-mq  #use MQ container service.namespace
    - name: mqPasswd
      valueFrom:
        secretKeyRef:
          key: mqpw
          name: mqapp-credential
    - name: httpPort
      value: "9080"
    - name: httpsPort
      value: "9443"
  securityContext:
    allowPrivilegeEscalation: true
    privileged: false
    runAsNonRoot: true
    capabilities:
      add:
      - CHECKPOINT_RESTORE
      - SETPCAP
      drop:
      - ALL

My app image failed to deploy. I see "Authentication is required" when I describe the revision:

Events:
  Type     Reason         Age               From                 Message
  ----     ------         ----              ----                 -------
  Warning  InternalError  6s (x4 over 13s)  revision-controller  Unable to fetch image "docker-na-public.artifactory.swg-devops.com/hyc-wassvt-team-image-registry-docker-local/instanton/24.0.0.11/daytrader10-mq:ol-kernel-java21-ppc64le": failed to resolve image to digest: GET https://docker-na-public.artifactory.swg-devops.com/artifactory/api/docker/null/v2/token?scope=repository%3Ahyc-wassvt-team-image-registry-docker-local%2Finstanton%2F24.0.0.11%2Fdaytrader10-mq%3Apull&service=docker-na-public.artifactory.swg-devops.com: : Authentication is required

I checked the revision and kservice resources and I do not see pullSecret in them.

tam512 commented Oct 30, 2024

This is a regression since this worked in Liberty 24.0.0.9

tam512 changed the title from "Unable to deploy app to Power OCP with Knative" to "Unable to deploy app to OCP with Knative" on Nov 5, 2024

tam512 commented Nov 5, 2024

This problem is also seen on x86 OCP

leochr (Member) commented Nov 6, 2024

At a glance in the Operator code, I don't see the pull secret from CR being set on Knative workloads (now or before). So I don't believe this is a regression. A global pull secret was likely in place in the clusters where the image pull failure didn't occur in the past. We'll look into setting the pull secret on Knative workloads.


tam512 commented Nov 6, 2024

Our experience in the past was that we always need to have a pull secret in the namespace of the app even when we have a global pull secret. Knative does not work with global pull secret.

We also had a global pull secret in OCP when we saw this problem.
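
A check for the condition discussed in this thread, as an added example (not part of the issue and not the operator's code): given the OpenLibertyApplication CR, the generated Knative Service and the namespace's service accounts as parsed objects, it reports whether the CR's `pullSecret` is attached in either standard Kubernetes location, the pod template's `imagePullSecrets` or the service account's `imagePullSecrets`. The Knative Service and ServiceAccount objects are constructed samples; only the CR fields come from the YAML above.

```python
# Added example. Sample objects are constructed and trimmed to the relevant fields.

def secret_names(refs):
    """Names from a list of LocalObjectReference dicts ({"name": ...})."""
    return {r["name"] for r in (refs or []) if r.get("name")}

def pull_secret_reachable(cr, ksvc, service_accounts):
    """Return (ok, detail). service_accounts maps SA name -> ServiceAccount object."""
    wanted = cr.get("spec", {}).get("pullSecret")
    if not wanted:
        return True, "CR sets no pullSecret"
    pod_spec = ksvc.get("spec", {}).get("template", {}).get("spec", {})
    # Location 1: the revision template itself.
    if wanted in secret_names(pod_spec.get("imagePullSecrets")):
        return True, "listed in Knative Service template imagePullSecrets"
    # Location 2: the service account the revision runs as.
    sa_name = pod_spec.get("serviceAccountName") or "default"
    sa = service_accounts.get(sa_name, {})
    if wanted in secret_names(sa.get("imagePullSecrets")):
        return True, f"linked to service account {sa_name}"
    return False, (f"{wanted} is on neither the Knative Service template "
                   f"nor service account {sa_name}")

# CR fields taken from the YAML in the issue.
CR = {"kind": "OpenLibertyApplication",
      "metadata": {"name": "dt10-olk-java21-kn"},
      "spec": {"pullSecret": "hyc-secret", "createKnativeService": True,
               "serviceAccount": {"name": "instanton-sa"}}}

# Constructed: a Knative Service whose template carries no imagePullSecrets.
KSVC_WITHOUT_SECRET = {
    "apiVersion": "serving.knative.dev/v1", "kind": "Service",
    "spec": {"template": {"spec": {
        "serviceAccountName": "instanton-sa",
        "containers": [{"image": "my-app-image"}]}}}}

# Constructed: the service account without and with the secret linked.
SA_UNLINKED = {"instanton-sa": {"kind": "ServiceAccount"}}
SA_LINKED = {"instanton-sa": {"kind": "ServiceAccount",
                              "imagePullSecrets": [{"name": "hyc-secret"}]}}

if __name__ == "__main__":
    for label, sas in (("unlinked", SA_UNLINKED), ("linked", SA_LINKED)):
        print(label, pull_secret_reachable(CR, KSVC_WITHOUT_SECRET, sas))
```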
