-
Notifications
You must be signed in to change notification settings - Fork 707
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
POST requests to /apis/kubeappsapis.core.packages.v1alpha1.PackagesService/CreateInstalledPackage and /apis/kubeappsapis.core.packages.v1alpha1.PackagesService/DeleteInstalledPackage fail with a 502 #5671
Comments
Thanks again @RGPosadas for the detailed report. I'd not realised when we chatted on slack that this was specific to a large chart. Interesting. I've actually just landed a few PRs that aim to improve the performance of A few notes:
Just making sure: I assume you're using pinniped because you can't configure the cluster directly with your OIDC setup, because if you can, you don't need pinniped (unless I'm missing something).
Yep, fixed in main, but not yet released.
Right, quite a jump (8 chart versions) - not yet sure what the change may have been. I'll let you know if I reproduce it. Thanks! |
Hi @RGPosadas, this is Pepe Baena, engineering manager at Kubeapps. As a Kubeapps adopter, I’d like to feature your organization in the ADOPTERS.md file. Would you like to be included? We only need a PR with your logo and 1-2 sentences describing how your organization uses Kubeapps (we can also help you with this PR). I really appreciate it for promoting Kubeapps use cases like yours throughout our amazing open-source community. |
@absoludity Yes I realized this after posting the Slack message on my 2nd retry of the new chart version. Hopefully that helps narrow things down!
Awesome, looking forward to this 😄
Pinniped isn't meant for us, but rather our customers. They should not have direct access to the k8s cluster but should still be able to CRUD releases, which is why we need pinniped.
@ppbaena We already are! I am part of SAP's Team Teapots 😄 |
Thanks for the heads up @RGPosadas! |
OK, this is the bit I'm confused about. Unless I'm missing something, you don't need pinniped to ensure customers can use Kubeapps without having direct access to the k8s cluster - iff you control your cluster yourself (as opposed to a managed cluster by some other service). You could (if you wanted to) instead configure your cluster with the OIDC params so that your cluster trusts your dex IdP. Your users login as normal (assuming they can access both dex and the kubeapps frontend), and kubeapps is able to pass the user's If you need an example, this is the config we use in our local dev environment to configure those oidc options. Hope that makes sense. |
@absoludity Ahh gotcha. Will take a look! |
Great. The Kubeapps docs should present both options, with the straight OIDC (without Pinniped) as the first. But reading that page, it does make it sound like you should be using Pinniped either way (which is not true). I'll get that updated. |
Signed-off-by: Michael Nelson <minelson@vmware.com> <!-- Before you open the request please review the following guidelines and tips to help it be more easily integrated: - Describe the scope of your change - i.e. what the change does. - Describe any known limitations with your change. - Please run any tests or examples that can exercise your modified code. Thank you for contributing! --> ### Description of the change <!-- Describe the scope of your change - i.e. what the change does. --> While chatting about [OIDC configuration](#5671 (comment)) with @RGPosadas I was looking through the docs and found that it reads currently as if you should use Pinniped either way. This change just clears that up a bit, I hope, so that people use the cluster's own OIDC support when they can, and pinniped when they can't. ### Benefits <!-- What benefits will be realized by the code change? --> ### Possible drawbacks <!-- Describe any known limitations with your change --> ### Applicable issues <!-- Enter any applicable Issues here (You can reference an issue using #) --> - ref #5671 ### Additional information <!-- If there's anything else that's important and relevant to your pull request, mention that information here.--> Signed-off-by: Michael Nelson <minelson@vmware.com>
Hi there @RGPosadas . Wondering if you had a chance to verify as above whether you really need to be using Pinniped, given that you control your cluster yourself? If not, the latest release has the timing improvements for our pinniped-proxy service (but still better not to use it if you don't need to - as it's extra complexity to work around the situation where people don't control their cluster themselves). I'll close this for now, but feel free to re-open or comment with any more info - I didn't yet test with a chart with +30 resources. Thanks! |
1. Describe the bug
POST requests to create/delete a helm release sometimes fail with a 502 due to a timeout being reached (30s). This timeout is always reached when deploying our large charts (~30+ k8s resources). Our small charts (~3 resources) do not encounter this timeout. However, the resources eventually get created/deleted, and the release is seen on/removed from the
Applications
tab after a browser refresh. Tested on both Chrome and Firefox.This issue only appeared when transitioning from kubeapps helm chart version
10.2.2
to12.1.0
.2. To Reproduce
2.a Helm Chart Setup
kubeapps
helm chart version12.1.0
, for dependencies:common
chart version2.1.2
postgresql
chart version12.1.0
redis
is fully disabled as we do not useflux
packagesfrontend.proxypassAccessTokenAsBearer: true
enabledkubeappsapis.pluginConfig.core.packages.v1alpha1.timeoutSeconds: 300
as default and is untoucheddex
as our OIDC provider. Relevant config:pinnipedProxy.enabled: true
. Relevant config:pinniped-concierge
is running on version0.20.0
2.b Kubeapps Dashboard - Actions Taken
2.c Relevant Logs
Logs below are for a POST /CreateInstalledPackage
3. Expected behavior
Kubeapps works as expected and does not encounter any timeouts, as per our previous working version (helm chart version 10.2.2).
4. Screenshots
N/A
5. Desktop (please complete the following information):
The text was updated successfully, but these errors were encountered: