Channels
#general
Title
f
fresh-umbrella-15520
09/11/2018, 10:26 PMinteresting, as I can run the chart manually with that flag and have it go to
kube-toolsm
microscopic-florist-22719
09/11/2018, 10:26 PM
Hmmm, interesting. Let me take a look at the chart.
f
fresh-umbrella-15520
09/11/2018, 10:27 PMit's a copy of the stable datadog
m
microscopic-florist-22719
09/11/2018, 10:29 PM
Looking at the stable datadog template, it doesn't seem to reference
.Release.Namespacef
fresh-umbrella-15520
09/11/2018, 10:31 PMhelm install --name datadog stable/datadog --tiller-namespace=kube-tools --namespace=kube-tools -f override.yaml
I have used a datadog namespace too w/o issue. I can update the chart with that key
Possible that we have (super/god) tiller in that namespace and this is tillerless
don't waste anymore time on it, I will mess with the chart.
m
microscopic-florist-22719
09/11/2018, 10:34 PM
Sounds good.
f
fresh-umbrella-15520
09/11/2018, 10:35 PMI'll let you know if I get it working.
c
creamy-potato-29402
09/12/2018, 12:47 AM@fresh-umbrella-15520 I can take a look at this, what is the helm chart version?
f
fresh-umbrella-15520
09/12/2018, 12:48 AMI think I got it, just running into an RBAC perms deal i GKE
c
creamy-potato-29402
09/12/2018, 12:49 AM@fresh-umbrella-15520 Oh I think I know what’s happening. What we’re doing is equivalent to
helm templatehelm installf
fresh-umbrella-15520
09/12/2018, 12:49 AMyeah, working through it now
c
creamy-potato-29402
09/12/2018, 12:50 AMI will be curious to see if you have feedback about how we should be presenting this to users…
f
fresh-umbrella-15520
09/12/2018, 12:51 AMwill do. I was using helm with a
godc
creamy-potato-29402
09/12/2018, 12:53 AMYou probably will have to do that work anyway, because they’re getting rid of Tiller 🙂
f
fresh-umbrella-15520
09/12/2018, 12:56 AMI got it to work!
Since I was using tiller that had a cluster admin role, I had not granted those perms to my GKE user
Copy code
kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole cluster-admin --user [USER_ACCOUNT]You must grant your user the ability to create roles in Kubernetes by running the following command. [USER_ACCOUNT] is the user's email address:
c
creamy-potato-29402
09/12/2018, 12:59 AMhow did you figure this out @fresh-umbrella-15520? Maybe we can bake it into the status messages. 🙂
f
fresh-umbrella-15520
09/12/2018, 1:01 AMI was under the assumption it was running as my account since tiller was out of the picture. Then @flaky-receptionist-88878 mentioned about my email address for GKE and roles
c
creamy-potato-29402
09/12/2018, 1:01 AMthat whole stack GKE auth stack is super confusing and secretly my mission is to make all auth errors from it, trivially debuggable.
f
fresh-umbrella-15520
09/12/2018, 1:01 AMI will try this out tomorrow on EKS, as that we are using SAML and mapping to groups/roles in k8s
c
creamy-potato-29402
09/12/2018, 1:01 AMsick!
f
fresh-umbrella-15520
09/12/2018, 1:02 AMI am new to GKE, so those small auth differences and I was testing on home/lab stuff.
c
creamy-potato-29402
09/12/2018, 1:03 AMYeah, for our GKE library we have to generate a kubeconfig file that is compliant with their undocumented auth spec, and it was a total nightmare.
Very unpleasant, as there is no real way to debug it, except to read code and guess.
f
fresh-umbrella-15520
09/12/2018, 1:04 AMexactly, I was googling the error, but it wasn't much help