Comments (10)
I've spent some time creating and destroying tunnels over and over again on GCE with the inlets-operator and inletsctl, and for the moment I'm not able to reproduce the issue (yet).
The highlighted insertId is not causing the issue I think, as it is not the instance name but rather an id generated by Google for that operation. I've some successful logs with a similar id (starting with a -).
@maelvls If possible, can you share some more information about your current setup?
from inlets-operator.
I think the documentation is already correct, it is just that I forgot to RTFM 😅
gcloud projects add-iam-policy-binding --role roles/compute.admin ...
gcloud projects add-iam-policy-binding --role roles/iam.serviceAccountUser ...
Apologies for not having read the docs 😞
from inlets-operator.
@utsavanand2 can you take a look please?
from inlets-operator.
Hi Mael,
Thanks for the feedback here. I've pinged Utsav who created and maintains the GCE code. Hopefully we can get you up and running again soon.
Using the GCE provisioner, it seems like the tunnel VM sometimes never gets created, and the inlets-operator or events on the Tunnel objects do not give an indication as to what went wrong.
The GCE provisioner has worked in the past, and I'm not aware of any regression, but it doesn't mean that it couldn't have issues.
One of the things that we saw with the Azure provider was a collision on naming, so we included an additional variable in the Host ID. It may be that you've stumbled on a way to create a clashing key or a configuration that we haven't tested yet.
Alex
from inlets-operator.
I think I prefer idea 1, we deliberately wanted the provisioning loop to be as fast as possible.
Idea 1 "asynchronously": remember what the operation name is e.g. in some annotation and to use that on each controller sync when the state is "provisioning";
- Could we use the host ID field during provisioning and then overwrite it later with the status?
- If we can prevent invalid names being used for the "op", would that also solve the issue?
- Were you able to get past this issue?
- Were you reliably able to reproduce the problem you faced here? Do you know what caused the insert ID to be invalid with a - prefix?
Alex
from inlets-operator.
@jsiebens have you run into this at all?
from inlets-operator.
@jsiebens have you run into this at all?
Haven't seen that before, but I would be happy to jump in and have a closer look as soon as I can
from inlets-operator.
You are right, insertId: -gcyv1ed5hw4 was totally fine. The issue seemed to be lying somewhere else.
I recorded a screencast here. During this screencast, I discovered that I could see much more information on the operation by running
gcloud compute operations describe operation-1621584555501-5c2d2936766eb-545bd826-a4860591 --zone europe-west2-b
which would show:
endTime: '2021-05-21T01:09:22.107-07:00'
error:
  errors:
  - code: SERVICE_ACCOUNT_ACCESS_DENIED
    message: "The user does not have access to service account '[email protected]'.\
      \ User: '[email protected]'.\
      \ Ask a project owner to grant you the iam.serviceAccountUser role on the service\
      \ account"
httpErrorMessage: BAD REQUEST
httpErrorStatusCode: 400
id: '4416278122182923331'
insertTime: '2021-05-21T01:09:16.463-07:00'
kind: compute#operation
name: operation-1621584555501-5c2d2936766eb-545bd826-a4860591
operationType: insert
progress: 100
selfLink: https://www.googleapis.com/compute/v1/projects/jetstack-mael-valais/zones/europe-west2-b/operations/operation-1621584555501-5c2d2936766eb-545bd826-a4860591
startTime: '2021-05-21T01:09:16.464-07:00'
status: DONE
targetId: '4268845720410969156'
targetLink: https://www.googleapis.com/compute/v1/projects/jetstack-mael-valais/zones/europe-west2-b/instances/traefik-tunnel
user: [email protected]
warnings:
- code: DEPRECATED_RESOURCE_USED
  data:
  - key: resource_name
    value: projects/debian-cloud/global/images/debian-9-stretch-v20191121
  - key: replacement_suggestion
    value: A suggested replacement is 'projects/debian-cloud/global/images/debian-9-stretch-v20191210'.
  message: The resource 'projects/debian-cloud/global/images/debian-9-stretch-v20191121'
    is deprecated. A suggested replacement is 'projects/debian-cloud/global/images/debian-9-stretch-v20191210'.
zone: https://www.googleapis.com/compute/v1/projects/jetstack-mael-valais/zones/europe-west2-b
It seems like my service account give-me-my-cluster did not have the iam.serviceAccountUser role.
I added the role and recreated the tunnel and the error is now gone! 🎉🎉
from inlets-operator.
Back to the Idea 1 "synchronous" above: it would be nice to have those error messages shown in the tunnel events too, e.g.:
# k describe tunnel -n kube-system traefik-tunnel
Name: traefik-tunnel
Events:
  Type     Reason  Age                   From             Message
  ----     ------  ----                  ----             -------
  Warning  GCEErr  9m48s                 inlets-operator  The user does not have access to service account '[email protected]'. User: '[email protected]'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account.
  Normal   Synced  14s (x11 over 3m12s)  inlets-operator  Tunnel synced successfully
from inlets-operator.
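Added example (not part of the thread and not the inlets-operator's own code): a sketch of how a finished GCE operation could be turned into the GCEErr warning events proposed above, so that a missing IAM role shows up on the Tunnel object instead of failing silently. The operationEvents helper, the struct and the sample JSON are assumptions constructed for illustration; only the field names and the error code come from the gcloud output shown in the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// operation mirrors only the fields of a Compute Engine zonal operation
// that appear in the `gcloud compute operations describe` output above.
type operation struct {
	Name   string `json:"name"`
	Status string `json:"status"`
	Error  *struct {
		Errors []struct {
			Code    string `json:"code"`
			Message string `json:"message"`
		} `json:"errors"`
	} `json:"error"`
}

// operationEvents (hypothetical helper) returns one warning line per error
// of a finished operation, and whether the operation has finished at all.
func operationEvents(raw []byte) (events []string, done bool, err error) {
	var op operation
	if err = json.Unmarshal(raw, &op); err != nil {
		return nil, false, err
	}
	if op.Status != "DONE" {
		return nil, false, nil // still PENDING or RUNNING: look again on the next sync
	}
	if op.Error != nil {
		for _, e := range op.Error.Errors {
			events = append(events, fmt.Sprintf("GCEErr %s: %s", e.Code, e.Message))
		}
	}
	return events, true, nil
}

// Constructed sample: same shape as the output above, placeholder identities.
const sampleOp = `{"name":"operation-example","status":"DONE","operationType":"insert",
 "error":{"errors":[{"code":"SERVICE_ACCOUNT_ACCESS_DENIED",
 "message":"The user does not have access to service account 'sa@example.invalid'."}]}}`

func main() {
	events, done, err := operationEvents([]byte(sampleOp))
	fmt.Println(done, err, events)
}
```

A DONE status alone does not mean the VM exists: the operation in the thread reports status DONE and progress 100 while carrying SERVICE_ACCOUNT_ACCESS_DENIED, so the error field has to be checked as well.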
Let's get the documentation updated so people create the SA in the correct way?
from inlets-operator.