Update external access documentation #568

Open
mpalczynski opened this issue Jul 19, 2021 · 3 comments
mpalczynski commented Jul 19, 2021

Description

Could not expose the Pravega cluster in Kubernetes using the NodePort type described in the documentation. Before configuring external access, the cluster is up and running. After editing the cluster manifest, the segment store pod could not start up:

apiVersion: "pravega.pravega.io/v1alpha1"
kind: "PravegaCluster"
metadata:
  name: "example"
spec:
  externalAccess:
    enabled: true
    type: NodePort

  bookkeeper:
    serviceAccountName: pravega-components
...
  pravega:
    controllerServiceAccountName: pravega-components
    segmentStoreServiceAccountName: pravega-components
...

Problematic pods

pod/pravega-pravega-pravega-controller-75fd74c5f5-knmgb   0/1     Running            0          68m
pod/pravega-pravega-pravega-segment-store-0               0/1     CrashLoopBackOff   7          13m

A NodePort service has been created for the segment store. However, the Pravega controller NodePort is missing:

service/pravega-pravega-pravega-segment-store-0 NodePort 10.101.73.80 <none> 12345:30746/TCP

Logs:

kubectl logs -f pravega-pravega-pravega-segment-store-0
Waiting for pravega-bookkeeper-bookie-headless:3181
Connected to pravega-bookkeeper-bookie-headless:3181
Running in a Kubernetes environment and managed by the Pravega Operator with external access enabled
Failed to get External Service. Exiting...

I think it is something related to the service account pravega-components not being linked to the pods through the Pravega Cluster manifest. After executing a Kubernetes API call:
curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer ..." https://kubernetes.default.svc/api/v1/namespaces/example/services/pravega-pravega-pravega-segment-store-0
I got an error:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "services \"pravega-pravega-pravega-segment-store-0\" is forbidden: User \"system:serviceaccount:example:default\" cannot get resource \"services\" in API group \"\" in the namespace \"example\"",
  "reason": "Forbidden",
  "details": {
    "name": "pravega-pravega-pravega-segment-store-0",
    "kind": "services"
  },
  "code": 403
}

It seems controllerServiceAccountName and segmentStoreServiceAccountName are not taken into account, since those pods have the default service account assigned.

Pravega operator version: 0.5.3
Pravega version: 0.9.0

Importance

should-have

Location

documentation

Suggestions for an improvement

Update the aforementioned documentation, adding a description of the NodePort type of external access.
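An added triage example, not part of the original issue or of the Pravega operator: it parses the 403 `Status` body quoted above and separates "the pod runs under the wrong service account" from "the right service account lacks the permission". The function names and result labels are hypothetical, and the sample is the issue's response body re-typed on one line.

```python
import json
import re

# Constructed sample: the 403 Status body quoted in the issue, on one line.
SAMPLE_STATUS = r'''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"services \"pravega-pravega-pravega-segment-store-0\" is forbidden: User \"system:serviceaccount:example:default\" cannot get resource \"services\" in API group \"\" in the namespace \"example\"","reason":"Forbidden","details":{"name":"pravega-pravega-pravega-segment-store-0","kind":"services"},"code":403}'''

# Wording of the API server's RBAC denial message, as it appears in the issue.
_FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"(?: in the namespace "(?P<namespace>[^"]+)")?'
)


def parse_forbidden(status_json):
    """Return the denied identity, verb and resource, or None if not a 403 denial."""
    status = json.loads(status_json)
    if status.get("kind") != "Status" or status.get("code") != 403:
        return None
    match = _FORBIDDEN.search(status.get("message", ""))
    if match is None:
        return None
    info = match.groupdict()
    # Service account identities have the form system:serviceaccount:<ns>:<name>.
    parts = info["user"].split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        info["sa_namespace"], info["sa_name"] = parts[2], parts[3]
    else:
        info["sa_namespace"] = info["sa_name"] = None
    return info


def diagnose(status_json, expected_sa):
    """Classify a denial against the service account the manifest asked for."""
    info = parse_forbidden(status_json)
    if info is None:
        return "not-an-rbac-denial"
    if info["sa_name"] is None:
        return "denied-non-serviceaccount"
    if info["sa_name"] != expected_sa:
        # The request was made with another identity: the pod spec did not
        # pick up the configured account, so fixing RBAC for it would not help.
        return "wrong-identity"
    # Correct identity: its Role/RoleBinding lacks this verb on this resource.
    return "missing-permission"


if __name__ == "__main__":
    print(parse_forbidden(SAMPLE_STATUS))
    print(diagnose(SAMPLE_STATUS, "pravega-components"))
```

For the response in this issue the result is `wrong-identity`: the request was authenticated as `default` in namespace `example`, not as `pravega-components`.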

@anishakj
Contributor

@mpalczynski Could you please point us to the documentation you are referring to?

@mpalczynski
Author

@anishakj
Contributor

anishakj commented Jul 27, 2021

@mpalczynski, we have realized that we are not supporting node port, and there is a mismatch between documentation of external access. Would you like to contribute in providing the support for node port?
