
fresh-umbrella-15520

09/11/2018, 10:26 PM
interesting, as I can run the chart manually with that flag and have it go to kube-tools

microscopic-florist-22719

09/11/2018, 10:26 PM
Hmmm, interesting. Let me take a look at the chart.

fresh-umbrella-15520

09/11/2018, 10:27 PM
it's a copy of the stable datadog

microscopic-florist-22719

09/11/2018, 10:29 PM
Looking at the stable datadog template, it doesn't seem to reference .Release.Namespace anywhere. What's the precise command you're using to install the chart?

fresh-umbrella-15520

09/11/2018, 10:31 PM
helm install --name datadog stable/datadog --tiller-namespace=kube-tools --namespace=kube-tools -f override.yaml
I have used a datadog namespace too w/o issue. I can update the chart with that key
Possible that we have (super/god) tiller in that namespace and this is tillerless
don't waste anymore time on it, I will mess with the chart.

microscopic-florist-22719

09/11/2018, 10:34 PM
Sounds good.

fresh-umbrella-15520

09/11/2018, 10:35 PM
I'll let you know if I get it working.

creamy-potato-29402

09/12/2018, 12:47 AM
@fresh-umbrella-15520 I can take a look at this, what is the helm chart version?

fresh-umbrella-15520

09/12/2018, 12:48 AM
I think I got it, just running into an RBAC perms deal in GKE

creamy-potato-29402

09/12/2018, 12:49 AM
@fresh-umbrella-15520 Oh I think I know what’s happening. What we’re doing is equivalent to helm template, rather than helm install. So if you’re expecting Tiller to do something magic then it won’t get done.

fresh-umbrella-15520

09/12/2018, 12:49 AM
yeah, working through it now

creamy-potato-29402

09/12/2018, 12:50 AM
I will be curious to see if you have feedback about how we should be presenting this to users…

fresh-umbrella-15520

09/12/2018, 12:51 AM
will do. I was using helm with a god tiller so it could create the roles and rolebindings. that is the part I am working through now using tillerless.

creamy-potato-29402

09/12/2018, 12:53 AM
You probably will have to do that work anyway, because they’re getting rid of Tiller 🙂

fresh-umbrella-15520

09/12/2018, 12:56 AM
I got it to work!
Since I was using tiller that had a cluster admin role, I had not granted those perms to my GKE user
kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole cluster-admin --user [USER_ACCOUNT]
You must grant your user the ability to create roles in Kubernetes by running the following command. [USER_ACCOUNT] is the user's email address:

creamy-potato-29402

09/12/2018, 12:59 AM
how did you figure this out @fresh-umbrella-15520? Maybe we can bake it into the status messages. 🙂

fresh-umbrella-15520

09/12/2018, 1:01 AM
I was under the assumption it was running as my account since tiller was out of the picture. Then @flaky-receptionist-88878 mentioned about my email address for GKE and roles

creamy-potato-29402

09/12/2018, 1:01 AM
that whole GKE auth stack is super confusing and secretly my mission is to make all auth errors from it trivially debuggable.

fresh-umbrella-15520

09/12/2018, 1:01 AM
I will try this out tomorrow on EKS, as we are using SAML and mapping to groups/roles in k8s

creamy-potato-29402

09/12/2018, 1:01 AM
sick!

fresh-umbrella-15520

09/12/2018, 1:02 AM
I am new to GKE, so those small auth differences and I was testing on home/lab stuff.

creamy-potato-29402

09/12/2018, 1:03 AM
Yeah, for our GKE library we have to generate a kubeconfig file that is compliant with their undocumented auth spec, and it was a total nightmare.
Very unpleasant, as there is no real way to debug it, except to read code and guess.

fresh-umbrella-15520

09/12/2018, 1:04 AM
exactly, I was googling the error, but it wasn't much help