SpinnakerAccounts Alpha Feature Doesn't Work. #226

Open
rbadillo opened this issue Apr 22, 2021 · 2 comments

@rbadillo

We tried deploying Spinnaker using the Spinnaker Operator + Spinnaker Accounts Alpha Feature and it didn't work. This is what we saw:

  • Clouddriver has the accounts profile active.
  • We can see inside clouddriver the clouddriver-accounts.yml file.
  • The clouddriver-accounts.yml file contains the same Spinnaker Account * the number of SpinnakerAccounts in the namespace.

We think the issue is on the creation of that particular file, because the same SpinnakerAccount is being added multiple times.

@dogonthehorizon
Contributor

@rbadillo thanks for the report. If this issue is still relevant, can you share a minimal SpinSvc and SpinAcct CRD definition that demonstrates the behavior that you saw?

@DmitrySolodovnyk

DmitrySolodovnyk commented Jun 19, 2023

It is relevant. I got the same behavior. When there are multiple ServiceAccount objects, Spinnaker has only one available. clouddriver-accounts.yml has multiple identical entries of the first one (alphabetically).

```yaml
apiVersion: spinnaker.io/v1alpha2
kind: SpinnakerAccount
metadata:
  name: k8s-dev-01
spec:
  type: Kubernetes
  enabled: true
  permissions:
    READ: [devops,devel]
    WRITE: [devops, devel]
  settings:
    cacheThreads: 2
    onlySpinnakerManaged: true
  kubernetes:
    kubeconfig:
      apiVersion: v1
      kind: Config
      clusters:
      - cluster:
          certificate-authority-data: LS0tL…
          server: https://1.1.1.1
        name:  k8s-dev-01
      contexts:
      - context:
          cluster:  k8s-dev-01
          user:  k8s-dev-01
        name:  k8s-dev-01
      current-context:  k8s-dev-01
      preferences: {}
      users:
      - name:  k8s-dev-01
        user:
          exec:
            apiVersion: client.authentication.k8s.io/v1beta1
            command: gke-gcloud-auth-plugin
            installHint: Install gke-gcloud-auth-plugin for use with kubectl by following
              https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
            provideClusterInfo: true
            interactiveMode: Never
---
apiVersion: spinnaker.io/v1alpha2
kind: SpinnakerAccount
metadata:
  name: k8s-stg-01
spec:
  type: Kubernetes
  enabled: true
  permissions:
    READ: [devops]
    WRITE: [devops]
  settings:
    cacheThreads: 2
    onlySpinnakerManaged: true
  kubernetes:
    kubeconfig:
      apiVersion: v1
      kind: Config
      clusters:
      - cluster:
          certificate-authority-data: LS0tL…
          server: https://2.2.2.2
        name:  k8s-stg-01
      contexts:
      - context:
          cluster:  k8s-stg-01
          user:  k8s-stg-01
        name:  k8s-stg-01
      current-context:  k8s-stg-01
      preferences: {}
      users:
      - name:  k8s-stg-01
        user:
          exec:
            apiVersion: client.authentication.k8s.io/v1beta1
            command: gke-gcloud-auth-plugin
            installHint: Install gke-gcloud-auth-plugin for use with kubectl by following
              https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
            provideClusterInfo: true
            interactiveMode: Never
```

```
❯ k get spinnakeraccount
NAME             TYPE         LASTVALIDATED   REASON
 k8s-dev-01   Kubernetes
 k8s-stg-01   Kubernetes
```

```
❯ k get secret spin-clouddriver-files-2021370956 -o 'go-template={{index .data "clouddriver-accounts.yml"}}' | base64 -d
kubernetes:
  accounts:
  - cacheThreads: 2
    kubeconfigContents: |
      apiVersion: v1
      clusters:
      - cluster:
          certificate-authority-data: LS0tL…
          server: https://1.1.1.1
        name: k8s-dev-01
      contexts:
      - context:
          cluster: k8s--dev-01
          user: k8s-dev-01
        name: k8s-dev-01
      current-context: k8s-dev-01
      kind: Config
      preferences: {}
      users:
      - name: k8s-dev-01
        user:
          exec:
            apiVersion: client.authentication.k8s.io/v1beta1
            args: null
            command: gke-gcloud-auth-plugin
            env: null
            installHint: Install gke-gcloud-auth-plugin for use with kubectl by following
              https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
            interactiveMode: Never
            provideClusterInfo: true
    name: k8s-dev-01
    onlySpinnakerManaged: true
    providerVersion: V2
  - cacheThreads: 2
    kubeconfigContents: |
      apiVersion: v1
      clusters:
      - cluster:
          certificate-authority-data: LS0tL..
          server: https://1.1.1.1
        name: k8s-dev-01
      contexts:
      - context:
          cluster: k8s-dev-01
          user: k8s-dev-01
        name: k8s-dev-01
      current-context: k8s-dev-01
      kind: Config
      preferences: {}
      users:
      - name: k8s-dev-01
        user:
          exec:
            apiVersion: client.authentication.k8s.io/v1beta1
            args: null
            command: gke-gcloud-auth-plugin
            env: null
            installHint: Install gke-gcloud-auth-plugin for use with kubectl by following
              https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
            interactiveMode: Never
            provideClusterInfo: true
    name: k8s-dev-01
    onlySpinnakerManaged: true
    providerVersion: V2
```

Permissions settings seem to be ignored because clouddriver.yml doesn't have any kubernetes accounts configured.

```
❯ k get secret spin-clouddriver-files-2021370956 -o 'go-template={{index .data "clouddriver.yml"}}' | base64 -d
...
kubernetes:
  accounts: []
  enabled: true
...
```

There are no problems reported by spinnaker-operator and halyard containers, everything seems normal.
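
A check for the symptom reported in this thread, added here as an example and not part of the issue or the operator's code: it scans a rendered `clouddriver-accounts.yml` for duplicated account names, accounts missing relative to the SpinnakerAccount objects, and entries rendered without a permissions block. The sample input is constructed from the output above; the function names, the `EXPECTED` table and the assumption that permissions would render under a `permissions` key are assumptions.

```python
import re
from collections import Counter

# Constructed sample shaped like the rendered clouddriver-accounts.yml above
# (kubeconfig trimmed to the fields the check reads).
ENTRY = """\
  - cacheThreads: 2
    kubeconfigContents: |
      clusters:
      - cluster:
          server: https://1.1.1.1
        name: k8s-dev-01
    name: k8s-dev-01
    onlySpinnakerManaged: true
"""
RENDERED = "kubernetes:\n  accounts:\n" + ENTRY + ENTRY

# What the two SpinnakerAccount manifests declare: name -> (server, has permissions)
EXPECTED = {
    "k8s-dev-01": ("https://1.1.1.1", True),
    "k8s-stg-01": ("https://2.2.2.2", True),
}

def parse_accounts(text):
    """Line scan of kubernetes.accounts; not a general YAML parser."""
    accounts = []
    for line in text.splitlines():
        if re.match(r"  - \S", line):            # list item at indent 2 starts an account
            accounts.append({"keys": set()})
            line = "    " + line[4:]             # treat its first key like the others
        if not accounts:
            continue
        key = re.match(r"    ([A-Za-z]\w*):\s*(.*)", line)   # account-level key (indent 4)
        if key:
            accounts[-1]["keys"].add(key.group(1))
            if key.group(1) == "name":
                accounts[-1]["name"] = key.group(2).strip()
        server = re.match(r" {6,}server:\s*(\S+)", line)     # inside the kubeconfig block
        if server:
            accounts[-1]["server"] = server.group(1)
    return accounts

def audit(text, expected):
    """Return sorted findings: duplicates, missing accounts, wrong server, no permissions."""
    accounts = parse_accounts(text)
    counts = Counter(a.get("name") for a in accounts)
    findings = {f"duplicate: {n} rendered {c} times" for n, c in counts.items() if c > 1}
    findings |= {f"missing: {n}" for n in set(expected) - set(counts)}
    for a in accounts:
        server, has_perms = expected.get(a.get("name"), (None, False))
        if server and a.get("server") != server:
            findings.add(f"server mismatch: {a['name']}")
        if has_perms and "permissions" not in a["keys"]:
            findings.add(f"permissions dropped: {a['name']}")
    return sorted(findings)
```

Feed it the decoded secret content from the `k get secret … | base64 -d` command above in place of `RENDERED`; an empty list means every declared account was rendered once with its own server and a permissions block.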
