Default blacklist seems to block everything #7

Closed
pieterlange opened this issue Apr 21, 2017 · 5 comments

@pieterlange
Contributor

It took me far too long to figure out the default blacklist (or absence of) drops all resources from the git repo.

Only after setting BLACKLIST_PATH to /dev/null did I see my resources get picked up by kube-applier.

Pod logs:

2017/04/21 15:09:43 Waiting for directory at /k8s/resources/...
2017/04/21 15:09:44 Found directory at /k8s/resources/
2017/04/21 15:09:44 Launching webserver
2017/04/21 15:09:49 Most recent commit hash is 924ad559c609242e3eb7e2af3ba74e0d54865032 (previously was ), queueing run.
2017/04/21 15:09:49 Run queued.
2017/04/21 15:09:49 Started apply run at 2017-04-21 15:09:49.635637285 +0000 UTC
2017/04/21 15:09:49 Dropping /k8s/resources/.git from applylist
2017/04/21 15:09:49 Adding /k8s/resources/debugger-rc.yaml to applylist
2017/04/21 15:09:49 Applying file /k8s/resources/debugger-rc.yaml
2017/04/21 15:09:49 kubectl apply -f /k8s/resources/debugger-rc.yaml
replicationcontroller "debugger" configured
2017/04/21 15:09:49 Finished apply run at 2017-04-21 15:09:49.977621347 +0000 UTC
2017/04/21 15:14:44 Full run interval (5m0s) reached, queueing run.
2017/04/21 15:14:44 Run queued.
2017/04/21 15:14:44 Started apply run at 2017-04-21 15:14:44.634029267 +0000 UTC
2017/04/21 15:14:44 Dropping /k8s/resources/.git from applylist
2017/04/21 15:14:44 Adding /k8s/resources/debugger-rc.yaml to applylist
2017/04/21 15:14:44 Applying file /k8s/resources/debugger-rc.yaml
2017/04/21 15:14:45 kubectl apply -f /k8s/resources/debugger-rc.yaml
replicationcontroller "debugger" configured
2017/04/21 15:14:45 Finished apply run at 2017-04-21 15:14:45.042212334 +0000 UTC
2017/04/21 15:14:49 Most recent commit hash is e8fc300cebcb6422be643a207298261aec4d6eed (previously was 924ad559c609242e3eb7e2af3ba74e0d54865032), queueing run.
2017/04/21 15:14:49 Run queued.
2017/04/21 15:14:49 Started apply run at 2017-04-21 15:14:49.634296432 +0000 UTC
2017/04/21 15:14:49 Dropping /k8s/resources/.git from applylist
2017/04/21 15:14:49 Adding /k8s/resources/debugger-rc.yaml to applylist
2017/04/21 15:14:49 Applying file /k8s/resources/debugger-rc.yaml
2017/04/21 15:14:49 kubectl apply -f /k8s/resources/debugger-rc.yaml
error: the namespace from the provided object "staging" does not match the namespace "kube-system". You must pass '--namespace=staging' to perform this operation.

The last entry shows me updating the debugger-rc.yaml file with an explicit namespace ("staging") (#5)

@pieterlange
Contributor Author

Before setting BLACKLIST_PATH to /dev/null, the resource would simply be skipped. E.g. these lines would not be logged:

2017/04/21 15:09:49 Dropping /k8s/resources/.git from applylist
2017/04/21 15:09:49 Adding /k8s/resources/debugger-rc.yaml to applylist
2017/04/21 15:09:49 Applying file /k8s/resources/debugger-rc.yaml
2017/04/21 15:09:49 kubectl apply -f /k8s/resources/debugger-rc.yaml
replicationcontroller "debugger" configured

The lines with Adding and Dropping are debug logs I added in the applylist factory.

@gregory-lyons
Contributor

Is this happening even if you do not specify BLACKLIST_PATH at all?

Might be helpful if you can post your kube-applier deployment spec file.

@pieterlange
Contributor Author

This was happening without specifying the BLACKLIST_PATH variable (I hadn't come so far evaluating the project yet).

Setting it to /dev/null was my workaround. I could probably have been clearer on that. :-)

My deployment file:

  apiVersion: "extensions/v1beta1"
  kind: "Deployment"
  metadata:
    name: "kube-applier"
    namespace: "kube-system"
  spec:
    replicas: 1
    template:
      metadata:
        labels:
          app: "kube-applier"
      spec:
        containers:
          - name: "kube-applier"
            command:
              - "/kube-applier"
            env:
              - name: "REPO_PATH"
                value: "/k8s/resources/"
              - name: "LISTEN_PORT"
                value: "2020"
              - name: "BLACKLIST_PATH"
                value: "/dev/null"
            image: "kube-applier:latest"
            ports:
              - containerPort: 2020
            volumeMounts:
              - name: "git-repo"
                mountPath: "/k8s"
          - name: "git-sync"
            securityContext:
              runAsUser: 0
            command:
              - "/git-sync"
              - "--branch=dta"
              - "--wait=60"
            env:
              - name: "GIT_SYNC_REPO"
                value: "git@private-repo:infra/kubernetes-resources.git"
              - name: "GIT_SYNC_DEST"
                value: "resources"
              - name: "GIT_SYNC_SSH"
                value: "true"
            image: "gcr.io/google_containers/git-sync:v2.0.4"
            ports:
              - containerPort: 2020
            volumeMounts:
              - name: "git-repo"
                mountPath: "/git"
              - name: sshkey
                mountPath: /etc/git-secret/
        volumes:
          - name: "git-repo"
            emptyDir: {}
          - name: sshkey
            secret:
              defaultMode: 0400
              secretName: kube-applier-ssh

I should note that using the Kubernetes git-sync as a sidecar is currently not secure in a context like this. (kubernetes/git-sync#58)

@gregory-lyons
Contributor

@pieterlange sorry I'm just getting back to this quite a long time later. Did you ever resolve this issue, or is it still causing problems for you?

@gregory-lyons
Contributor

It seems you are no longer using the project as of #13 (comment)

I am closing for now but will re-open if others report the same issue.

brengarajalu pushed a commit to brengarajalu/kube-applier that referenced this issue Mar 8, 2019
New release - re-enable CheckVersion()