Unable to pull the default Kiali token from a fresh bigbang 2.17 customer template package-strategy install
Bug
Description
Describe the problem, what were you doing when you noticed the bug?
I am unable to pull the default Kiali token from a fresh bigbang install.
Using Customer template:
$ kubectl get serviceaccount kiali-service-account -n bigbang
Error from server (NotFound): serviceaccounts "kiali-service-account" not found
$ kubectl get secret -n kiali -o go-template='{{range $secret := .items}}{{with $secret.metadata.annotations}}{{with (index . "kubernetes.io/service-account.name")}}{{if eq . "kiali-service-account"}}{{$secret.data.token | base64decode}}{{end}}{{end}}{{end}}{{end}}'
$ kubectl get events -n bigbang --sort-by='.metadata.creationTimestamp' | grep -i kiali
52m Normal info helmrelease/kiali HelmChart 'bigbang/bigbang-kiali' is not ready
52m Normal NoSourceArtifact helmchart/bigbang-kiali no artifact available for GitRepository source 'kiali'
51m Normal NewArtifact gitrepository/kiali stored artifact for commit 'Merge branch 'increase-cypress-timeouts' into 'mai...'
51m Normal ChartPackageSucceeded helmchart/bigbang-kiali packaged 'kiali' chart with version '1.77.1-bb.1'
2m4s Normal ArtifactUpToDate helmchart/bigbang-kiali artifact up-to-date with remote revision: '1.77.1-bb.1'
49m Normal info helmrelease/kiali dependencies do not meet ready condition (dependency 'bigbang/istio' is not ready), retrying in 30s
96s Normal GitOperationSucceeded gitrepository/kiali no changes since last reconcilation: observed revision '1.77.1-bb.1@sha1:feeee3f2bdb90928db02eb5760ad1d5296cf5845'
47m Normal info helmrelease/kiali dependencies do not meet ready condition (dependency 'bigbang/monitoring' is not ready), retrying in 30s
47m Normal info helmrelease/kiali Helm install has started
46m Normal info helmrelease/kiali Helm install succeeded
$ kubectl get events -n bigbang --sort-by='.metadata.creationTimestamp' | grep -i token
57m Warning PolicyViolation serviceaccount/default policy disallow-auto-mount-service-account-token/automount-service-accounts fail: validation error: Automount Kubernetes API Credentials isn't turned off. The field automountServiceAccountToken must be set to false. rule automount-service-accounts failed at path /automountServiceAccountToken/
Provide any steps possible used to reproduce the error (ideally in an isolated fashion).
$ kubectl create namespace bigbang
$ gpg --export-secret-key --armor ${fp} | kubectl create secret generic sops-gpg -n bigbang --from-file=bigbangkey.asc=/dev/stdin
$ kubectl create namespace flux-system
$ kubectl create secret docker-registry private-registry --docker-server=registry1.dso.mil --docker-username=OBFUSCATE --docker-password=OBFUSCATE -n flux-system
$ kubectl create secret generic private-git --from-literal=username=root --from-literal=password=OBFUSCATE -n bigbang
$ kubectl apply -k https://repo1.dso.mil/platform-one/big-bang/bigbang.git//base/flux?ref=2.17.0
$ kubectl get deploy -o name -n flux-system | xargs -n1 -t kubectl rollout status -n flux-system
$ kubectl apply -f bigbang.yaml
BigBang Version
What version of BigBang were you running?
2.17.0
My current configmap.yaml in the package-strategy:
domain: bigbang.dev-01.com # Updated the TLS cert for new wildcard domain

# Uncomment the following settings if using the AWS RKE2 terraform setup
# istio:
#   ingressGateways:
#     public-ingressgateway:
#       type: "NodePort"
#       nodePortBase: 30000

flux:
  interval: 2m
  rollback:
    cleanupOnFail: false

kiali:
  enabled: true

istio:
  enabled: true

istioOperator:
  enabled: true

monitoring:
  enabled: true
  values:
    prometheus:
      prometheusSpec:
        resources:
          requests:
            cpu: 200m
            memory: 1Gi

loki:
  enabled: false
  strategy: scalable
  values:
    minio:
      enabled: true
    write:
      replicas: 1
      persistence:
        size: 2Gi
      resources:
        limits:
          cpu: 200m
          memory: 400Mi
        requests:
          cpu: 200m
          memory: 400Mi
    read:
      replicas: 1
      persistence:
        size: 2Gi
      resources:
        limits:
          cpu: 200m
          memory: 400Mi
        requests:
          cpu: 200m
          memory: 400Mi

promtail:
  enabled: false

kyverno:
  enabled: true

kyvernoPolicies:
  enabled: true
  values:
    exclude:
      any:
      # Allows k3d load balancer to bypass policies.
      - resources:
          namespaces:
          - istio-system
          names:
          - svclb-*
    policies:
      restrict-host-path-mount-pv:
        parameters:
          allow:
          - /tmp/allowed
          - /var/lib/rancher/k3s/storage/pvc-*

neuvector:
  enabled: true
  values:
    k3s:
      enabled: true

addons:
  metricsServer:
    enabled: auto
  minioOperator:
    enabled: true # Minio Operator is required for Loki in default core
  argocd:
    enabled: false
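Added example, not part of this issue or of the Big Bang docs: the selection that the go-template in the description performs, written out in Python over a constructed SecretList so the logic can be checked offline. It walks the items, picks the secret whose kubernetes.io/service-account.name annotation matches the service account, confirms the secret type is kubernetes.io/service-account-token, and base64-decodes .data.token. The go-template prints an empty string when no item matches; this version returns None so the caller can tell "no annotated token secret exists" apart from a successful read. The sample list, the token value, the secret name kiali-service-account-token-x7k2q and the function name find_service_account_token are all constructed for the example.

```python
import base64
import json
import sys
from typing import Optional

# Constructed sample, not real cluster output: a SecretList shaped like the
# JSON that `kubectl get secret -n kiali -o json` returns, trimmed to the
# fields the selection logic reads. One token secret is bound to
# kiali-service-account; the TLS secret is present only to be skipped.
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiJ9.constructed.token"
SAMPLE_SECRET_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "SecretList",
    "items": [
        {
            "metadata": {"name": "kiali-tls", "namespace": "kiali"},
            "type": "kubernetes.io/tls",
            "data": {"tls.crt": base64.b64encode(b"not-a-real-cert").decode()},
        },
        {
            "metadata": {
                "name": "kiali-service-account-token-x7k2q",
                "namespace": "kiali",
                "annotations": {
                    "kubernetes.io/service-account.name": "kiali-service-account",
                },
            },
            "type": "kubernetes.io/service-account-token",
            "data": {
                "token": base64.b64encode(SAMPLE_TOKEN.encode()).decode(),
                "namespace": base64.b64encode(b"kiali").decode(),
            },
        },
    ],
})


def find_service_account_token(secret_list_json: str, sa_name: str) -> Optional[str]:
    """Return the decoded token of the token secret bound to `sa_name`.

    Same walk as the go-template: for each item, read the
    kubernetes.io/service-account.name annotation and, on a match,
    base64-decode .data.token. Returns None when nothing matches, which
    is the case in which the template prints an empty string.
    """
    secrets = json.loads(secret_list_json)
    for item in secrets.get("items", []):
        annotations = item.get("metadata", {}).get("annotations") or {}
        if annotations.get("kubernetes.io/service-account.name") != sa_name:
            continue
        # Only a kubernetes.io/service-account-token secret carries the API
        # token; a secret of another type with the same annotation is not a
        # credential and is skipped.
        if item.get("type") != "kubernetes.io/service-account-token":
            continue
        token_b64 = item.get("data", {}).get("token")
        if not token_b64:
            continue
        return base64.b64decode(token_b64).decode()
    return None


if __name__ == "__main__":
    # Reads a SecretList from stdin when one is piped in; otherwise runs on
    # the constructed sample above.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SECRET_LIST
    token = find_service_account_token(raw, "kiali-service-account")
    if token is None:
        raise SystemExit("no kubernetes.io/service-account-token secret found for kiali-service-account")
    print(token)
```

Run it standalone to exercise the sample, or pipe real output into it with `kubectl get secret -n kiali -o json | python3 find_token.py` (file name assumed); a non-zero exit then means no annotated token secret exists in that namespace, rather than a silently empty result.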