Agola in k3s, start run service executor failed

I have the same problem. I used the latest version of k3s: k3s version v1.0.0 (18bd921c)

Docker image: sorintlab/agola:latest

But the logs tell me it is an executor error. It doesn’t have permission.

2019-12-30T02:50:43.484Z FATAL cmd/serve.go:60 err: failed to start run service executor: failed to create kubernetes driver: configmaps "agola-executors-group" is forbidden: User "system:serviceaccount:agola:default" cannot get resource "configmaps" in API group "" in the namespace "agola"

Can anyone help me?

YAML file:


kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: agola-vol
  namespace: agola
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: local-path

---

# The client service. It's a node port for easier testing on minikube. Change
# it to become a LoadBalancer if needed.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: agola
  namespace: agola
  annotations:
    kubernetes.io/ingress.class: 'traefik'
    ingress.kubernetes.io/ssl-redirect: "false" 
spec:
  rules:
  - host: agola.influx.io
    http:
      paths:
      - path: /
        backend:
          serviceName: agola
          servicePort: 30002
---

# The service for internal components communication.
# We are using an headless service since some k8s deployment doesn't have
# hairpin mode enabled and pods cannot communicate with themself via a
# service
apiVersion: v1
kind: Service
metadata:
  name: agola-internal
  namespace: agola
spec:
  ports:
    - port: 8000
      name: api
    - port: 4000
      name: runservice
    - port: 4002
      name: configstore
    - port: 4003
      name: gitserver
  selector:
    app: agola
  clusterIP: None

---

# The agola config

apiVersion: v1
kind: ConfigMap
metadata:
  name: agola
  namespace: agola
data:
  config.yml: |
    gateway:
      # The api url that clients will call
      # Change this to the exposed "agola" service IP
      apiExposedURL: "http://192.168.10.110:30002"
      # The web interface url that clients will use
      # Change this to the exposed "agola" service IP
      webExposedURL: "http://192.168.10.110:30002"
      runserviceURL: "http://agola-internal:4000"
      configstoreURL: "http://agola-internal:4002"
      gitserverURL: "http://agola-internal:4003"

      web:
        listenAddress: ":8000"
      tokenSigning:
        # hmac or rsa (it possible use rsa)
        method: hmac
        # key to use when signing with hmac
        key: supersecretsigningkey
        # paths to the private and public keys in pem encoding when using rsa signing
        #privateKeyPath: /path/to/privatekey.pem
        #publicKeyPath: /path/to/public.pem
      adminToken: "admintoken"

    scheduler:
      runserviceURL: "http://agola-internal:4000"

    notification:
      webExposedURL: "http://192.168.10.110:30002"
      runserviceURL: "http://agola-internal:4000"
      configstoreURL: "http://agola-internal:4002"
      etcd:
        endpoints: "http://localhost:2379"

    configstore:
      dataDir: /mnt/agola/local/configstore
      etcd:
        endpoints: "http://localhost:2379"
      objectStorage:
        type: posix
        path: /mnt/agola/objectstorage/configstore/ost
      web:
        listenAddress: ":4002"

    runservice:
      #debug: true
      dataDir: /mnt/agola/local/runservice
      etcd:
        endpoints: "http://localhost:2379"
      objectStorage:
        type: posix
        path: /mnt/agola/objectstorage/runservice/ost
      web:
        listenAddress: ":4000"

    executor:
      dataDir: /mnt/agola/local/executor
      # The directory containing the toolbox compiled for the various supported architectures
      toolboxPath: ./bin
      runserviceURL: "http://agola-internal:4000"
      web:
        listenAddress: ":4001"
      activeTasksLimit: 2
      driver:
        type: kubernetes

    gitserver:
      dataDir: /mnt/agola/local/gitserver
      gatewayURL: "http://agola-internal:8000"
      web:
        listenAddress: ":4003"
---


apiVersion: apps/v1
kind: Deployment
metadata:
  name: agola
  namespace: agola
spec:
  # Do not increase replica count or everything will break since every pod will
  # have its own etcd instance
  replicas: 1
  selector:
    matchLabels:
      app: agola
  template:
    metadata:
      labels:
        app: agola
    spec:
      containers:
      - name: agola
        image: sorintlab/agola
        command:
          - /bin/agola
          - serve
          - --embedded-etcd
          - "--config"
          - /mnt/agola/config/config.yml
          - "--components"
          - all-base,executor
        env:
        ports:
          - containerPort: 8000
          - containerPort: 4000
          - containerPort: 4002
          - containerPort: 4003
        volumeMounts:
          - name: config-volume
            mountPath: /mnt/agola/config
          - name: agola-localdata
            mountPath: /mnt/agola/local
          - name: agola-objectstorage
            mountPath: /mnt/agola/objectstorage
      volumes:
          - name: config-volume
            configMap:
              name: agola
          - name: agola-localdata
            emptyDir: {}
          - name: agola-objectstorage
            persistentVolumeClaim:
              claimName: agola-vol

@sgotti could you help me?

@ty4z2008 you should investigate why the pod service account isn’t able to create a configmap. This looks really strange. There’s probably something different in your k3s setup than in standard k8s.

Thanks buddy.
But it still isn’t working.
Is there some debug config to help me debug in Agola?

@ty4z2008 There’s nothing to debug inside agola. Have you created the required rbac roles and rolebindings like in the documented example?

I got the same errors while installing agola in its agola namespace.

I solved it with this rbac.yml:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: agola
  namespace: agola
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - "*"

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: agola
  namespace: agola
rules:
- apiGroups:
  - ""
  - "coordination.k8s.io"
  resources:
  - nodes
  - pods
  - pods/exec
  - configmaps
  - leases
  - secrets
  verbs:
  - "*"

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: agola
  namespace: agola
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: agola
subjects:
- kind: ServiceAccount
  name: default
  namespace: agola

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: agola
  namespace: agola
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: agola
subjects:
- kind: ServiceAccount
  name: default
  namespace: agola
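
Added example (not part of the thread and not Agola's own code): a small Python check that parses the `forbidden` line from the first post and evaluates it against the Role and RoleBinding from the rbac.yml above, re-typed here as dicts. It covers only namespaced Role bindings without `resourceNames`; the function names are made up for this illustration.

```python
import re

# Error text from the first post (typographic quotes normalised).
ERROR = ('configmaps "agola-executors-group" is forbidden: User '
         '"system:serviceaccount:agola:default" cannot get resource "configmaps" '
         'in API group "" in the namespace "agola"')

# Role and RoleBinding from the rbac.yml in the thread, re-typed as dicts.
ROLE = {"kind": "Role", "metadata": {"name": "agola", "namespace": "agola"},
        "rules": [{"apiGroups": ["", "coordination.k8s.io"],
                   "resources": ["nodes", "pods", "pods/exec", "configmaps", "leases", "secrets"],
                   "verbs": ["*"]}]}
BINDING = {"kind": "RoleBinding", "metadata": {"name": "agola", "namespace": "agola"},
           "roleRef": {"kind": "Role", "name": "agola"},
           "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "agola"}]}

QUOTES = str.maketrans("“”", '""')  # forum software turns " into curly quotes
DENIED = re.compile(r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot '
                    r'(?P<verb>\S+) resource "(?P<resource>[^"]+)" in API group '
                    r'"(?P<group>[^"]*)" in the namespace "(?P<ns>[^"]+)"')

def parse_denial(line):
    """Extract who was denied which verb on which resource, or None if no match."""
    m = DENIED.search(line.translate(QUOTES))
    return m.groupdict() if m else None

def _match(allowed, wanted):
    return "*" in allowed or wanted in allowed

def allows(role, binding, req):
    """True if this Role, through this RoleBinding, grants the denied request."""
    if binding["metadata"]["namespace"] != req["ns"] or role["metadata"]["namespace"] != req["ns"]:
        return False
    ref = binding["roleRef"]
    if ref["kind"] != "Role" or ref["name"] != role["metadata"]["name"]:
        return False
    bound = any(s["kind"] == "ServiceAccount" and s["name"] == req["sa"]
                and s.get("namespace") == req["sa_ns"] for s in binding["subjects"])
    return bound and any(_match(r["apiGroups"], req["group"])
                         and _match(r["resources"], req["resource"])
                         and _match(r["verbs"], req["verb"]) for r in role["rules"])

def wildcard_grants(role):
    """List (resource, verbs) pairs where a rule uses the '*' verb, for review."""
    return [(res, r["verbs"]) for r in role["rules"] if "*" in r["verbs"] for res in r["resources"]]
```

On a live cluster, `kubectl auth can-i get configmaps -n agola --as=system:serviceaccount:agola:default` asks the API server the same question.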