From fab69ea9ec1adec9714be08c279892a0682bc7e6 Mon Sep 17 00:00:00 2001 From: Andrew Farries Date: Tue, 6 Sep 2022 10:55:59 +0000 Subject: [PATCH 1/2] Fix typo in kots preflight checks --- install/kots/manifests/kots-preflight.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/kots/manifests/kots-preflight.yaml b/install/kots/manifests/kots-preflight.yaml index 95eaf953f7c2ff..dc350d44af5771 100644 --- a/install/kots/manifests/kots-preflight.yaml +++ b/install/kots/manifests/kots-preflight.yaml @@ -128,7 +128,7 @@ spec: when: == openshift message: OpenShift is not supported - pass: - message: The cluster is using a support distribution + message: The cluster is using a supported distribution - nodeResources: checkName: At least one node must "gitpod.io/workload_meta" label filters: From 2469477145c64e414701f0dc7130080be80b2639 Mon Sep 17 00:00:00 2001 From: Andrew Farries Date: Tue, 6 Sep 2022 12:01:42 +0000 Subject: [PATCH 2/2] Add new section to GCP troubleshooting doc Explain the permissions required to install helm charts to the new cluster. --- install/infra/single-cluster/gcp/README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/install/infra/single-cluster/gcp/README.md b/install/infra/single-cluster/gcp/README.md index 751e97d26f90bf..51e789afa168d9 100644 --- a/install/infra/single-cluster/gcp/README.md +++ b/install/infra/single-cluster/gcp/README.md 
@@ -223,6 +223,20 @@ gcloud auth activate-service-account --key-file=/path/to/account/key.json gcloud container clusters get-credentials --region --zone --project ``` +### Failed to install helm charts to the cluster + +If you see errors like: + +``` +Error: clusterroles.rbac.authorization.k8s.io is forbidden: User "xxxxx@developer.gserviceaccount.com" cannot create resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope: requires one of ["container.clusterRoles.create"] permission(s). +│ +│ with module.certmanager.helm_release.cert, +│ on ../../modules/tools/cert-manager/main.tf line 17, in resource "helm_release" "cert": +│ 17: resource "helm_release" "cert" { +│ +``` +After running `make apply`, ensure that the service account you are using has the `Kubernetes Engine Admin` role. See the [GCP IAM documentation](https://cloud.google.com/iam/docs/granting-changing-revoking-access) to learn how to associate roles with a service account. + ## Cleanup Make sure you first delete the `gitpod` resources in the cluster so things like load balancer created by the k8s `service` gets deleted. Otherwise terraform will not be able to delete the VPC.
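Review bot: in the install/kots/manifests/kots-preflight.yaml hunk, the context line directly below the corrected message, `checkName: At least one node must "gitpod.io/workload_meta" label`, is missing a verb and could be fixed in this same typo commit, for example "At least one node must have the ... label". The check name is what an operator reads in the preflight results, so it is worth getting right alongside the pass message.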
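Review bot: in the new "Failed to install helm charts to the cluster" section of install/infra/single-cluster/gcp/README.md, the remedy asks for the `Kubernetes Engine Admin` role, but the quoted error names only one missing permission, `container.clusterRoles.create`. Either explain why the install needs the broader role or name the narrowest role that covers what the helm charts create, and say that it should be granted only on the project that holds the cluster. The wording also reads as if the role check comes after `make apply`: fold "After running `make apply`" into the "If you see errors like:" sentence, and leave a blank line between the closing fence and the paragraph that follows it.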