Issues when going through the Kritis Installation


Jason Fisher

Mar 13, 2019, 4:48:03 PM
to Grafeas Developers
Hello:

I am trying to follow the instructions to install and enable Kritis in my project. Everything is going smoothly until I get to the point of actually installing Kritis to my cluster from the Helm charts. The command I issue (from the instructions) is:
helm install https://storage.googleapis.com/kritis-charts/repository/kritis-charts-0.1.0.tgz

I am supposed to see the kritis-preinstall and kritis-postinstall pods in the Completed state and the kritis-validation-hook-xxx pod in the Running state. I am seeing the preinstall and postinstall pods in the Error state. When I do a `kubectl logs kritis-preinstall` I get the following:

time="2019-03-13T20:31:11Z" level=info msg="contents of /var/run/secrets/kubernetes.io/serviceaccount/namespace: default"
time="2019-03-13T20:31:11Z" level=info msg="running preinstall\nversion v0.1.0\ncommit: c0715fe5eadf3b507318edda2a45859343bb03f2"
Error from server (NotFound): certificatesigningrequests.certificates.k8s.io "tls-webhook-secret-cert" not found
Error from server (NotFound): secrets "tls-webhook-secret" not found
time="2019-03-13T20:31:11Z" level=info msg="[cfssl genkey -]"
time="2019-03-13T20:31:11Z" level=info msg="[cfssljson -bare server]"
time="2019-03-13T20:31:11Z" level=info
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
    name: tls-webhook-secret-cert
spec:
    groups:
    - system:authenticated
    request: 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
    usages:
    - digital signature
    - key encipherment
    - server auth
time="2019-03-13T20:31:12Z" level=info msg="[kubectl apply -f -]"
time="2019-03-13T20:31:12Z" level=info msg="certificatesigningrequest.certificates.k8s.io \"tls-webhook-secret-cert\" created\n"
time="2019-03-13T20:31:12Z" level=info msg="[kubectl certificate approve tls-webhook-secret-cert]"
time="2019-03-13T20:31:12Z" level=info msg="certificatesigningrequest.certificates.k8s.io \"tls-webhook-secret-cert\" approved\n"
time="2019-03-13T20:31:12Z" level=info msg="[kubectl get csr tls-webhook-secret-cert -o jsonpath='{.status.certificate}' --namespace default]"
time="2019-03-13T20:31:12Z" level=info msg="'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'"
time="2019-03-13T20:31:12Z" level=info msg="[kubectl create secret tls tls-webhook-secret --cert=server.crt --key=server-key.pem --namespace default]"
time="2019-03-13T20:31:12Z" level=info msg="secret \"tls-webhook-secret\" created\n"
time="2019-03-13T20:31:13Z" level=info msg="[kubectl apply -f -]"
time="2019-03-13T20:31:13Z" level=info msg="customresourcedefinition.apiextensions.k8s.io \"attestationauthorities.kritis.grafeas.io\" created\n"
time="2019-03-13T20:31:13Z" level=info msg="[kubectl apply -f -]"
time="2019-03-13T20:31:13Z" level=info
time="2019-03-13T20:31:13Z" level=error msg="error: error validating \"STDIN\": error validating data: [ValidationError(CustomResourceDefinition.spec.names): unknown field \"scope\" in io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionNames, ValidationError(CustomResourceDefinition.spec): missing required field \"scope\" in io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionSpec]; if you choose to ignore these errors, turn validation off with --validate=false\n"
time="2019-03-13T20:31:13Z" level=fatal msg="exit status 1" 

I think the issue is at the end of the log (highlighted above). It is complaining the CRD is missing the required 'scope' field. Has anybody encountered this before? Are the instructions I am using current or can somebody point me to new ones? How can I get around this issue so the preinstall and postinstall pods get to the Completed state?

Thanks,
Jason 

Colin Rice

Mar 14, 2019, 12:52:27 PM
to Jason Fisher, Grafeas Developers
What version of Kubernetes are you running? I'm guessing that moving the scope field from CustomResourceDefinitionNames to CustomResourceDefinitionSpec should make this work.

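An added example, not part of the original thread and not Kritis code: a small check that reproduces the two validation findings from the log for a `v1beta1` CRD manifest and applies the move suggested in the reply above. The sample manifest, its names and the function names `lint_crd` and `move_scope_to_spec` are constructed for illustration.

```python
import copy
import json

# Fields that apiextensions.k8s.io/v1beta1 defines on CustomResourceDefinitionNames.
NAMES_FIELDS = {"plural", "singular", "shortNames", "kind", "listKind", "categories"}
VALID_SCOPES = {"Namespaced", "Cluster"}


def lint_crd(manifest):
    """Return findings matching the two ValidationErrors in the log above."""
    spec = manifest.get("spec", {})
    findings = []
    for field in sorted(set(spec.get("names", {})) - NAMES_FIELDS):
        findings.append(f'unknown field "{field}" in spec.names')
    if "scope" not in spec:
        findings.append('missing required field "scope" in spec')
    elif spec["scope"] not in VALID_SCOPES:
        findings.append(f'invalid spec.scope {spec["scope"]!r}')
    return findings


def move_scope_to_spec(manifest):
    """Return a copy with a misplaced spec.names.scope moved up to spec.scope."""
    fixed = copy.deepcopy(manifest)
    spec = fixed.setdefault("spec", {})
    names = spec.get("names", {})
    if "scope" in names:
        misplaced = names.pop("scope")
        spec.setdefault("scope", misplaced)  # never overwrite an explicit spec.scope
    return fixed


# Constructed sample: group, kind and names are placeholders, not a Kritis CRD.
BROKEN_CRD = {
    "apiVersion": "apiextensions.k8s.io/v1beta1",
    "kind": "CustomResourceDefinition",
    "metadata": {"name": "widgets.example.com"},
    "spec": {
        "group": "example.com",
        "version": "v1beta1",
        "names": {"kind": "Widget", "plural": "widgets", "scope": "Namespaced"},
    },
}

if __name__ == "__main__":
    print(lint_crd(BROKEN_CRD))
    fixed = move_scope_to_spec(BROKEN_CRD)
    print(lint_crd(fixed))
    print(json.dumps(fixed, indent=2))  # JSON is accepted by `kubectl apply -f -`
```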

Aysylu Greenberg

Mar 14, 2019, 2:29:17 PM
to Jason Fisher, Grafeas Developers, kritis...@googlegroups.com
Hi Jason,

This should have been fixed (commit). Is your repository up-to-date?

Cheers,
Aysylu
