sdicola

Reputation: 962

Knative service with Keycloak gatekeeper sidecar

I am trying to deploy the following service:

{{- if .Values.knativeDeploy }}
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
{{- if .Values.service.name }}
  name: {{ .Values.service.name }}
{{- else }}
  name: {{ template "fullname" . }}
{{- end }}
  labels:
    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
spec:
  template:
    spec:
      containers:
      - image: quay.io/keycloak/keycloak-gatekeeper:9.0.3
        name: gatekeeper-sidecar
        ports:
        - containerPort: {{ .Values.keycloak.proxyPort }}
        env:
          - name: KEYCLOAK_CLIENT_SECRET
            valueFrom:
              secretKeyRef:
                name: {{ template "keycloakclient" . }}
                key: secret
        args:
        - --resources=uri=/*
        - --discovery-url={{ .Values.keycloak.url }}/auth/realms/{{ .Values.keycloak.realm }}
        - --client-id={{ template "keycloakclient" . }}
        - --client-secret=$(KEYCLOAK_CLIENT_SECRET)
        - --listen=0.0.0.0:{{ .Values.keycloak.proxyPort }} # listen on all interfaces
        - --enable-logging=true
        - --enable-json-logging=true
        - --upstream-url=http://127.0.0.1:{{ .Values.service.internalPort }} # To connect with the main container's port
        resources:
{{ toYaml .Values.gatekeeper.resources | indent 12 }}
      - name: {{ .Chart.Name }}
        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        env:
{{- range $pkey, $pval := .Values.env }}
        - name: {{ $pkey }}
          value: {{ quote $pval }}
{{- end }}
        envFrom:
{{ toYaml .Values.envFrom | indent 10 }}
        ports:
        - containerPort: {{ .Values.service.internalPort }}
        livenessProbe:
          httpGet:
            path: {{ .Values.probePath }}
            port: {{ .Values.service.internalPort }}
          initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
          periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
          successThreshold: {{ .Values.livenessProbe.successThreshold }}
          timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
        readinessProbe:
          httpGet:
            path: {{ .Values.probePath }}
            port: {{ .Values.service.internalPort }}
          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
          successThreshold: {{ .Values.readinessProbe.successThreshold }}
          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
        resources:
{{ toYaml .Values.resources | indent 12 }}
      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{- end }}

Which fails with the following error:

Error from server (BadRequest): error when creating "/tmp/helm-template-workdir-290082188/jx/output/namespaces/jx-staging/env/charts/docs/templates/part0-ksvc.yaml": admission webhook "webhook.serving.knative.dev" denied the request: mutation failed: expected exactly one, got both: spec.template.spec.containers'

Now, if I read the specs (https://knative.dev/v0.15-docs/serving/getting-started-knative-app/), I can see this example:

apiVersion: serving.knative.dev/v1 # Current version of Knative
kind: Service
metadata:
  name: helloworld-go # The name of the app
  namespace: default # The namespace the app will use
spec:
  template:
    spec:
      containers:
        - image: gcr.io/knative-samples/helloworld-go # The URL to the image of the app
          env:
            - name: TARGET # The environment variable printed out by the sample app
              value: "Go Sample v1"

Which has exactly the same structure. Now, my questions are:

  1. How can I validate my YAML without waiting for a deployment? IntelliJ has a k8s plugin, but I can't find machine-consumable CRD schemas for serving.knative.dev/v1. (https://knative.dev/docs/serving/spec/knative-api-specification-1.0/)
  2. Is it allowed with Knative to have multiple containers? (That configuration works perfectly with apiVersion: apps/v1, kind: Deployment.)

Upvotes: 0

Views: 481

Answers (2)

E. Anderson

Reputation: 3493

What version of Knative are you using?

Support for multiple containers was added as an alpha feature in 0.16. If you're not using 0.16 or later or don't have the alpha flag enabled, the request will probably be blocked.

There were a number of edge cases to define for multi-container support in Knative, so the default was to be conservative and only allow one container until the constraints had been explored.

Upvotes: 0

Arghya Sadhu

Reputation: 44569

Multi-container is an alpha feature in Knative version 0.16. This feature needs to be enabled by setting multi-container to enabled in the config-features ConfigMap. So edit the ConfigMap using

kubectl edit cm config-features and enable that feature.

apiVersion: v1
kind: ConfigMap
metadata:
  name: config-features
  namespace: knative-serving
  labels:
    serving.knative.dev/release: devel
  annotations:
    knative.dev/example-checksum: "983ddf13"
data:
  _example: |
    ...
    # Indicates whether multi container support is enabled
    multi-container: "enabled"
    ...

Upvotes: 0
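Both answers boil down to one admission rule, and that rule can be checked before anything is applied to the cluster, which is what question 1 asks for. The script below is an added example written for this page; it is not code from Knative, Keycloak Gatekeeper or the question's chart. It takes the Service manifest already rendered to JSON (e.g. `helm template ... | yq -o json`; the image and port values in the embedded sample are constructed) plus the `.data` of the config-features ConfigMap, and reports what the webhook would reject. One caveat it encodes that the second answer glosses over: the `_example` block in a Knative ConfigMap is reference text, and a setting only takes effect as a key placed directly under `data`. The second rule in the check (with several containers, exactly one may declare ports, and that one is where Knative sends traffic) comes from Knative's multi-container constraints and is an assumption added here, not something stated on this page.

```python
"""Offline pre-deployment check for a Knative Service manifest.

Encodes the rule behind the webhook error on this page: Knative Serving admits a
Service whose template has exactly one container unless the alpha
'multi-container' feature (Knative Serving 0.16+) is enabled in the
config-features ConfigMap of the knative-serving namespace.
"""
import copy
import json

# Constructed sample input: the two-container Service from the question,
# rendered to JSON (for example with `helm template ... | yq -o json`) and
# trimmed to the fields the check reads.  Image and port values are assumed.
SERVICE_JSON = """
{
  "apiVersion": "serving.knative.dev/v1",
  "kind": "Service",
  "metadata": {"name": "docs"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "gatekeeper-sidecar",
     "image": "quay.io/keycloak/keycloak-gatekeeper:9.0.3",
     "ports": [{"containerPort": 3000}]},
    {"name": "docs",
     "image": "registry.example/docs:1.0",
     "ports": [{"containerPort": 8080}]}
  ]}}}
}
"""

# Constructed `.data` of the config-features ConfigMap.  `_example` is only the
# commented template Knative ships; a setting takes effect only as a top-level
# key of `data`, so FEATURES_DEFAULT leaves the feature disabled.
FEATURES_DEFAULT = {"_example": '# ...\nmulti-container: "enabled"\n# ...\n'}
FEATURES_ENABLED = {"multi-container": "enabled"}


def load_service(text):
    """Parse a JSON-rendered manifest (use yaml.safe_load instead if PyYAML is installed)."""
    return json.loads(text)


def multi_container_enabled(features):
    """True only when the top-level data key is set to 'enabled'."""
    return features.get("multi-container", "disabled").strip().lower() == "enabled"


def check_admission(service, features):
    """Return the violations the webhook would report; an empty list means admitted.

    Rule 1 is the one quoted on this page.  Rule 2 (with several containers,
    exactly one may declare ports; that one becomes the serving container) is
    Knative's multi-container constraint and is an assumption added here.
    """
    problems = []
    api = str(service.get("apiVersion", ""))
    if service.get("kind") != "Service" or not api.startswith("serving.knative.dev/"):
        return ["not a serving.knative.dev Service manifest"]
    containers = (service.get("spec", {}).get("template", {})
                  .get("spec", {}).get("containers") or [])
    if not containers:
        problems.append("spec.template.spec.containers: expected exactly one, got none")
    elif len(containers) > 1 and not multi_container_enabled(features):
        problems.append(
            f"spec.template.spec.containers: expected exactly one, got {len(containers)} "
            "(multi-container is disabled in config-features)")
    if len(containers) > 1:
        with_ports = [c.get("name", "<unnamed>") for c in containers if c.get("ports")]
        if len(with_ports) != 1:
            problems.append(
                "spec.template.spec.containers[*].ports: exactly one container may "
                f"declare ports, found {len(with_ports)}: {with_ports}")
    return problems


def serving_container_only_ports(service, serving_name):
    """Return a copy in which only `serving_name` keeps its ports; sidecars drop theirs."""
    fixed = copy.deepcopy(service)
    for c in fixed["spec"]["template"]["spec"]["containers"]:
        if c.get("name") != serving_name:
            c.pop("ports", None)
    return fixed


if __name__ == "__main__":
    svc = load_service(SERVICE_JSON)
    for label, features in (("default", FEATURES_DEFAULT), ("enabled", FEATURES_ENABLED)):
        print(label, check_admission(svc, features) or "admitted")
    # Traffic has to enter through the auth proxy, so the gatekeeper keeps the port.
    fixed = serving_container_only_ports(svc, "gatekeeper-sidecar")
    print("fixed", check_admission(fixed, FEATURES_ENABLED) or "admitted")
```

Against the default ConfigMap the sample fails with the same "expected exactly one" complaint as the question; with the feature enabled it still fails until only one container declares a port, and for an auth-proxy sidecar that container must be the gatekeeper, since it is the one Knative will route requests to (the app keeps listening on its internal port over localhost). To turn the feature on without hand-editing the `_example` text, `kubectl patch configmap config-features -n knative-serving --type merge -p '{"data":{"multi-container":"enabled"}}'` sets the real key; the `serving.knative.dev/release` label shown on that ConfigMap tells you whether the cluster is on 0.16 or later at all. One security note on the question's manifest: the `$(KEYCLOAK_CLIENT_SECRET)` argument is only expanded when the container starts, so the stored spec keeps the placeholder, but the expanded secret is then visible in the process command line to anything that can exec into the pod or list processes on the node.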
