This message was deleted.
# general
s
This message was deleted.
m
Hmmm, interesting. Let me take a look at the chart.
f
it's a copy of the stable datadog
m
Looking at the stable datadog template, it doesn't seem to reference
.Release.Namespace
anywhere. What's the precise command you're using to install the chart?
f
helm install --name datadog stable/datadog --tiller-namespace=kube-tools --namespace=kube-tools -f override.yaml
I have used a datadog namespace too w/o issue. I can update the chart with that key
Possible that we have (super/god) tiller in that namespace and this is tillerless
don't waste anymore time on it, I will mess with the chart.
m
Sounds good.
f
I'll let you know if I get it working.
c
@fresh-umbrella-15520 I can take a look at this, what is the helm chart version?
f
I think I got it, just running into an RBAC perms deal i GKE
c
@fresh-umbrella-15520 Oh I think I know what’s happening. What we’re doing is equivalent to
helm template
, rather than
helm install
. So if you’re expecting Tiller to do something magic then it won’t get done.
f
yeah, working through it now
c
I will be curious to see if you have feedback about how we should be presenting this to users…
f
will do. I was using helm with a
god
tiller so it could create the roles and rolebindings. that is the part I am working through now using tillerless.
c
You probably will have to do that work anyway, because they’re getting rid of Tiller 🙂
f
I got it to work!
Since I was using tiller that had a cluster admin role, I had not granted those perms to my GKE user
Copy code
kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole cluster-admin --user [USER_ACCOUNT]
You must grant your user the ability to create roles in Kubernetes by running the following command. [USER_ACCOUNT] is the user's email address:
c
how did you figure this out @fresh-umbrella-15520? Maybe we can bake it into the status messages. 🙂
f
I was under the assumption it was running as my account since tiller was out of the picture. Then @flaky-receptionist-88878 mentioned about my email address for GKE and roles
I will try this out tomorrow on EKS, as that we are using SAML and mapping to groups/roles in k8s
c
that whole stack GKE auth stack is super confusing and secretly my mission is to make all auth errors from it, trivially debuggable.
sick!
f
I am new to GKE, so those small auth differences and I was testing on home/lab stuff.
c
Yeah, for our GKE library we have to generate a kubeconfig file that is compliant with their undocumented auth spec, and it was a total nightmare.
Very unpleasant, as there is no real way to debug it, except to read code and guess.
f
exactly, I was googling the error, but it wasn't much help