kubernetes: GCP credentialprovider loops forever if the metadata URL cannot be reached

What happened:

Deploying knative on top of OpenShift in GCP (or tekton) currently doesn’t work because one of knative/pkg’s dependencies (google/go-containerregistry) imports the credentialprovider/gcp package.

At the import of this package, the init() tries to do some magic, and especially tries to contact a metadata URL (http://metadata.google.internal./computeMetadata/v1/). This URL (amongst others) is usually blacklisted by OpenShift or other K8s distros.

The main issue is here: as this metadata URL is disallowed by OpenShift, this loops forever (with backoff, but still), and thus it blocks the rest of the code execution, preventing any knative or tekton controller from ever being started.

Related issue in tekton : https://github.com/tektoncd/pipeline/issues/1742

What you expected to happen:

Not having this loop forever and blocking the rest of the code execution.

How to reproduce it (as minimally and precisely as possible):

  1. Install OpenShift on GCP
  2. Install tekton on it (using the OpenShift Pipelines operator or directly applying the release yaml)
  3. Look at the controller and the resource not being created.

Anything else we need to know?:

The current fix happens in go-containerregistry by adding build tags to be able to disallow those imports if needed, see https://github.com/google/go-containerregistry/pull/630. This is, however, just a rubber band, as this would be needed for any other dependency that imports that credentialprovider package.

Environment:

  • Kubernetes version (use kubectl version): OpenShift 4.2.x (Server Version: version.Info{Major:"1", Minor:"14+", GitVersion:"v1.14.6+17b1cc6", GitCommit:"17b1cc6", GitTreeState:"clean", BuildDate:"2019-12-03T07:03:59Z", GoVersion:"go1.12.12", Compiler:"gc", Platform:"linux/amd64"})
  • Cloud provider or hardware configuration: GCP
  • OS (e.g: cat /etc/os-release): N/A
  • Kernel (e.g. uname -a): N/A
  • Install tools:
  • Network plugin and version (if this is a network-related bug):
  • Others:

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 3
  • Comments: 34 (10 by maintainers)
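
The failure described in this issue comes from an unbounded retry against a blocked metadata URL during package init; a probe with a fixed attempt count and a per-request timeout returns instead of hanging. The Go code below is an added example, not code from Kubernetes or go-containerregistry: `probeMetadata`, `probeStub`, the attempt count and the timeouts are hypothetical, the loopback stub is constructed, and it assumes the metadata server identifies itself with the `Metadata-Flavor: Google` response header.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// probeMetadata (hypothetical helper) makes at most `attempts` requests to url,
// each bounded by perTry, so a blocked URL yields (false, err) instead of a hang.
func probeMetadata(ctx context.Context, url string, attempts int, perTry, backoff time.Duration) (bool, error) {
	client := &http.Client{Timeout: perTry}
	var lastErr error
	for i := 0; i < attempts; i++ {
		if i > 0 {
			time.Sleep(backoff << (i - 1)) // exponential backoff between tries only
		}
		req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
		if err != nil {
			return false, err
		}
		req.Header.Set("Metadata-Flavor", "Google")
		resp, err := client.Do(req)
		if err == nil {
			resp.Body.Close()
			// Assumption: a genuine metadata server echoes this header back.
			return resp.Header.Get("Metadata-Flavor") == "Google", nil
		}
		lastErr = err
	}
	return false, fmt.Errorf("metadata endpoint unreachable after %d attempts: %w", attempts, lastErr)
}

// probeStub probes a constructed loopback stub: live if up, a closed port otherwise.
func probeStub(up bool) (bool, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Metadata-Flavor", "Google")
	}))
	if !up {
		srv.Close() // simulate the blocked endpoint: connections are refused
	}
	defer srv.Close()
	return probeMetadata(context.Background(), srv.URL+"/computeMetadata/v1/", 3, 200*time.Millisecond, 10*time.Millisecond)
}

func main() {
	fmt.Println(probeStub(true))
	fmt.Println(probeStub(false))
}
```

Calling such a probe lazily, on first use of the credential provider rather than from `init()`, keeps a blocked metadata URL from stalling every binary that merely imports the package.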

Most upvoted comments