It seems jobs are not deleted when they should be
The `single-sign-on-create-admin-user` job, as well as `single-sign-on-create-oauth2-clients`, keeps existing after it has succeeded. Both jobs also keep existing after a new helm install has started. Both of these things should be prevented by the annotation:
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
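but it seems like Helm ignores these hooks, or something else is going on...
Security note: the error output quoted below prints the whole Job pod template, and in it the admin `PASSWORD` is a literal environment value (its `ValueFrom` is nil, whereas `CLIENT_ID` and `CLIENT_SECRET` are read through `ValueFrom`). A password that shows up in a pasted error like this should be treated as exposed and rotated, and the chart would do better to pass it through a Secret reference so it never appears in the Job spec.
I have the feeling that this leads to the `field is immutable`
error that can occur when you `helm upgrade`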
sso:
single-sign-on single-sign-on FAILED rpc error: code = Unknown desc = Job.batch "single-sign-on-create-admin-user" is invalid: spec.template: Invalid value: core.PodTemplateSpec{ObjectMeta:v1.ObjectMeta{Name:"", GenerateName:"", Namespace:"", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:v1.Time{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*v1.Time)(nil), DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string{"app.kubernetes.io/instance":"single-sign-on", "app.kubernetes.io/managed-by":"Tiller", "controller-uid":"d36ed2b1-fbf7-4f6b-b1b1-f8b94bd8baad", "helm.sh/chart":"single-sign-on-0.2.0", "job-name":"single-sign-on-create-admin-user"}, Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Initializers:(*v1.Initializers)(nil), Finalizers:[]string(nil), ClusterName:"", ManagedFields:[]v1.ManagedFieldsEntry(nil)}, Spec:core.PodSpec{Volumes:[]core.Volume(nil), InitContainers:[]core.Container(nil), Containers:[]core.Container{core.Container{Name:"create-admin-user", Image:"open.greenhost.net:4567/openappstack/user-panel/backend:1.2.0", Command:[]string{"/bin/bash", "-c"}, Args:[]string{"/bin/bash ./utils/create-user.bash \"$USERNAME\" \"$PASSWORD\" \"$EMAIL\" http://single-sign-on-userbackend:80 && /bin/bash ./utils/create-application.bash user-panel 'Administration interface to manage user accounts' http://single-sign-on-userbackend:80 && /bin/bash ./utils/grant-access.bash \"$USERNAME\" user-panel http://single-sign-on-userbackend:80 && /bin/bash ./utils/create-application.bash nextcloud 'Nextcloud Files offers an on-premise Universal File Access and sync platform with powerful collaboration capabilities and desktop, mobile and web interfaces.' http://single-sign-on-userbackend:80 && /bin/bash ./utils/grant-access.bash \"$USERNAME\" nextcloud http://single-sign-on-userbackend:80 && /bin/bash ./utils/create-application.bash wordpress 'WordPress website hosting.' 
http://single-sign-on-userbackend:80 && /bin/bash ./utils/grant-access.bash \"$USERNAME\" wordpress http://single-sign-on-userbackend:80 && /bin/bash ./utils/create-application.bash grafana 'Grafana allows you to query, visualize, alert on and understand metrics generated by OpenAppStack. It can be used to create explore and share dashboards.' http://single-sign-on-userbackend:80 && /bin/bash ./utils/grant-access.bash \"$USERNAME\" grafana http://single-sign-on-userbackend:80 && /bin/bash ./utils/create-role.bash admin http://single-sign-on-userbackend:80 && /bin/bash ./utils/assign-role.bash \"$USERNAME\" admin http://single-sign-on-userbackend:80"}, WorkingDir:"", Ports:[]core.ContainerPort(nil), EnvFrom:[]core.EnvFromSource(nil), Env:[]core.EnvVar{core.EnvVar{Name:"USERNAME", Value:"admin", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"PASSWORD", Value:"YUeVWxvbmdqFYUxXOceG", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"EMAIL", Value:"admin@oas.maartendewaard.nl", ValueFrom:(*core.EnvVarSource)(nil)}}, Resources:core.ResourceRequirements{Limits:core.ResourceList(nil), Requests:core.ResourceList(nil)}, VolumeMounts:[]core.VolumeMount(nil), VolumeDevices:[]core.VolumeDevice(nil), LivenessProbe:(*core.Probe)(nil), ReadinessProbe:(*core.Probe)(nil), Lifecycle:(*core.Lifecycle)(nil), TerminationMessagePath:"/dev/termination-log", TerminationMessagePolicy:"File", ImagePullPolicy:"Always", SecurityContext:(*core.SecurityContext)(nil), Stdin:false, StdinOnce:false, TTY:false}}, RestartPolicy:"Never", TerminationGracePeriodSeconds:(*int64)(0xc006078320), ActiveDeadlineSeconds:(*int64)(nil), DNSPolicy:"ClusterFirst", NodeSelector:map[string]string(nil), ServiceAccountName:"", AutomountServiceAccountToken:(*bool)(nil), NodeName:"", SecurityContext:(*core.PodSecurityContext)(0xc016b89180), ImagePullSecrets:[]core.LocalObjectReference(nil), Hostname:"", Subdomain:"", Affinity:(*core.Affinity)(nil), SchedulerName:"default-scheduler", 
Tolerations:[]core.Toleration(nil), HostAliases:[]core.HostAlias(nil), PriorityClassName:"", Priority:(*int32)(nil), PreemptionPolicy:(*core.PreemptionPolicy)(nil), DNSConfig:(*core.PodDNSConfig)(nil), ReadinessGates:[]core.PodReadinessGate(nil), RuntimeClassName:(*string)(nil), EnableServiceLinks:(*bool)(nil)}}: field is immutable && Job.batch "single-sign-on-create-oauth2-clients" is invalid: spec.template: Invalid value: core.PodTemplateSpec{ObjectMeta:v1.ObjectMeta{Name:"", GenerateName:"", Namespace:"", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:v1.Time{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*v1.Time)(nil), DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string{"app.kubernetes.io/instance":"single-sign-on", "app.kubernetes.io/managed-by":"Tiller", "controller-uid":"8b33a8a8-8f32-4577-8aea-54b1c2240b41", "helm.sh/chart":"single-sign-on-0.2.0", "job-name":"single-sign-on-create-oauth2-clients"}, Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Initializers:(*v1.Initializers)(nil), Finalizers:[]string(nil), ClusterName:"", ManagedFields:[]v1.ManagedFieldsEntry(nil)}, Spec:core.PodSpec{Volumes:[]core.Volume(nil), InitContainers:[]core.Container(nil), Containers:[]core.Container{core.Container{Name:"user-panel", Image:"open.greenhost.net:4567/openappstack/user-panel/backend:1.2.0", Command:[]string{"/bin/bash", "-c"}, Args:[]string{"curl http://single-sign-on-hydra-admin:4445/clients && curl --header \"Content-Type: application/json\" \\\n --request POST \\\n --data \"{\\\"client_id\\\": \\\"$CLIENT_ID\\\",\n \\\"client_name\\\": \\\"$CLIENT_NAME\\\",\n \\\"client_secret\\\": \\\"$CLIENT_SECRET\\\",\n \\\"client_uri\\\": \\\"$CLIENT_URI\\\",\n \\\"logo_uri\\\": \\\"$CLIENT_LOGO_URI\\\",\n \\\"redirect_uris\\\": [\\\"$REDIRECT_URI\\\"],\n \\\"scope\\\": \\\"$SCOPES\\\",\n \\\"grant_types\\\": [$GRANT_TYPES\\\"\\\"],\n \\\"response_types\\\": 
[$RESPONSE_TYPES\\\"\\\"],\n \\\"token_endpoint_auth_method\\\": \\\"client_secret_post\\\"}\" \\\n http://single-sign-on-hydra-admin:4445/clients\n"}, WorkingDir:"", Ports:[]core.ContainerPort(nil), EnvFrom:[]core.EnvFromSource(nil), Env:[]core.EnvVar{core.EnvVar{Name:"CLIENT_ID", Value:"", ValueFrom:(*core.EnvVarSource)(0xc00c703600)}, core.EnvVar{Name:"CLIENT_SECRET", Value:"", ValueFrom:(*core.EnvVarSource)(0xc00c703660)}, core.EnvVar{Name:"CLIENT_NAME", Value:"user-panel", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"REDIRECT_URI", Value:"https://admin.oas.maartendewaard.nl/callback", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"SCOPES", Value:"openid profile email openappstack_roles", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"CLIENT_URI", Value:"https://admin.oas.maartendewaard.nl", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"CLIENT_LOGO_URI", Value:"https://admin.oas.maartendewaard.nl/favicon.ico", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"TOKEN_ENDPOINT_AUTH_METHOD", Value:"client_secret_basic", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"RESPONSE_TYPES", Value:"\"token\",", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"GRANT_TYPES", Value:"\"implicit\",", ValueFrom:(*core.EnvVarSource)(nil)}}, Resources:core.ResourceRequirements{Limits:core.ResourceList(nil), Requests:core.ResourceList(nil)}, VolumeMounts:[]core.VolumeMount(nil), VolumeDevices:[]core.VolumeDevice(nil), LivenessProbe:(*core.Probe)(nil), ReadinessProbe:(*core.Probe)(nil), Lifecycle:(*core.Lifecycle)(nil), TerminationMessagePath:"/dev/termination-log", TerminationMessagePolicy:"File", ImagePullPolicy:"Always", SecurityContext:(*core.SecurityContext)(nil), Stdin:false, StdinOnce:false, TTY:false}, core.Container{Name:"nextcloud", Image:"open.greenhost.net:4567/openappstack/user-panel/backend:1.2.0", Command:[]string{"/bin/bash", "-c"}, Args:[]string{"curl http://single-sign-on-hydra-admin:4445/clients && curl 
--header \"Content-Type: application/json\" \\\n --request POST \\\n --data \"{\\\"client_id\\\": \\\"$CLIENT_ID\\\",\n \\\"client_name\\\": \\\"$CLIENT_NAME\\\",\n \\\"client_secret\\\": \\\"$CLIENT_SECRET\\\",\n \\\"client_uri\\\": \\\"$CLIENT_URI\\\",\n \\\"logo_uri\\\": \\\"$CLIENT_LOGO_URI\\\",\n \\\"redirect_uris\\\": [\\\"$REDIRECT_URI\\\"],\n \\\"scope\\\": \\\"$SCOPES\\\",\n \\\"grant_types\\\": [$GRANT_TYPES\\\"\\\"],\n \\\"response_types\\\": [$RESPONSE_TYPES\\\"\\\"],\n \\\"token_endpoint_auth_method\\\": \\\"client_secret_post\\\"}\" \\\n http://single-sign-on-hydra-admin:4445/clients\n"}, WorkingDir:"", Ports:[]core.ContainerPort(nil), EnvFrom:[]core.EnvFromSource(nil), Env:[]core.EnvVar{core.EnvVar{Name:"CLIENT_ID", Value:"", ValueFrom:(*core.EnvVarSource)(0xc00c7038e0)}, core.EnvVar{Name:"CLIENT_SECRET", Value:"", ValueFrom:(*core.EnvVarSource)(0xc00c7039e0)}, core.EnvVar{Name:"CLIENT_NAME", Value:"nextcloud", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"REDIRECT_URI", Value:"https://files.oas.maartendewaard.nl/apps/sociallogin/custom_oidc/oas", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"SCOPES", Value:"openid profile email openappstack_roles", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"CLIENT_URI", Value:"https://files.oas.maartendewaard.nl", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"CLIENT_LOGO_URI", Value:"https://files.oas.maartendewaard.nl/core/img/favicon-touch.png", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"TOKEN_ENDPOINT_AUTH_METHOD", Value:"client_secret_post", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"RESPONSE_TYPES", Value:"\"code\",\"id_token\",", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"GRANT_TYPES", Value:"\"authorization_code\",\"refresh_token\",\"client_credentials\",", ValueFrom:(*core.EnvVarSource)(nil)}}, Resources:core.ResourceRequirements{Limits:core.ResourceList(nil), Requests:core.ResourceList(nil)}, 
VolumeMounts:[]core.VolumeMount(nil), VolumeDevices:[]core.VolumeDevice(nil), LivenessProbe:(*core.Probe)(nil), ReadinessProbe:(*core.Probe)(nil), Lifecycle:(*core.Lifecycle)(nil), TerminationMessagePath:"/dev/termination-log", TerminationMessagePolicy:"File", ImagePullPolicy:"Always", SecurityContext:(*core.SecurityContext)(nil), Stdin:false, StdinOnce:false, TTY:false}, core.Container{Name:"wordpress", Image:"open.greenhost.net:4567/openappstack/user-panel/backend:1.2.0", Command:[]string{"/bin/bash", "-c"}, Args:[]string{"curl http://single-sign-on-hydra-admin:4445/clients && curl --header \"Content-Type: application/json\" \\\n --request POST \\\n --data \"{\\\"client_id\\\": \\\"$CLIENT_ID\\\",\n \\\"client_name\\\": \\\"$CLIENT_NAME\\\",\n \\\"client_secret\\\": \\\"$CLIENT_SECRET\\\",\n \\\"client_uri\\\": \\\"$CLIENT_URI\\\",\n \\\"logo_uri\\\": \\\"$CLIENT_LOGO_URI\\\",\n \\\"redirect_uris\\\": [\\\"$REDIRECT_URI\\\"],\n \\\"scope\\\": \\\"$SCOPES\\\",\n \\\"grant_types\\\": [$GRANT_TYPES\\\"\\\"],\n \\\"response_types\\\": [$RESPONSE_TYPES\\\"\\\"],\n \\\"token_endpoint_auth_method\\\": \\\"client_secret_post\\\"}\" \\\n http://single-sign-on-hydra-admin:4445/clients\n"}, WorkingDir:"", Ports:[]core.ContainerPort(nil), EnvFrom:[]core.EnvFromSource(nil), Env:[]core.EnvVar{core.EnvVar{Name:"CLIENT_ID", Value:"", ValueFrom:(*core.EnvVarSource)(0xc00c703c20)}, core.EnvVar{Name:"CLIENT_SECRET", Value:"", ValueFrom:(*core.EnvVarSource)(0xc00c703c60)}, core.EnvVar{Name:"CLIENT_NAME", Value:"wordpress", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"REDIRECT_URI", Value:"https://www.oas.maartendewaard.nl/wp-admin/admin-ajax.php?action=openid-connect-authorize", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"SCOPES", Value:"openid profile email openappstack_roles offline_access", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"CLIENT_URI", Value:"https://www.oas.maartendewaard.nl", ValueFrom:(*core.EnvVarSource)(nil)}, 
core.EnvVar{Name:"CLIENT_LOGO_URI", Value:"https://www.oas.maartendewaard.nl/wp-admin/images/wordpress-logo.svg", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"TOKEN_ENDPOINT_AUTH_METHOD", Value:"client_secret_post", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"RESPONSE_TYPES", Value:"\"code\",\"id_token\",", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"GRANT_TYPES", Value:"\"authorization_code\",\"refresh_token\",\"client_credentials\",\"implicit\",", ValueFrom:(*core.EnvVarSource)(nil)}}, Resources:core.ResourceRequirements{Limits:core.ResourceList(nil), Requests:core.ResourceList(nil)}, VolumeMounts:[]core.VolumeMount(nil), VolumeDevices:[]core.VolumeDevice(nil), LivenessProbe:(*core.Probe)(nil), ReadinessProbe:(*core.Probe)(nil), Lifecycle:(*core.Lifecycle)(nil), TerminationMessagePath:"/dev/termination-log", TerminationMessagePolicy:"File", ImagePullPolicy:"Always", SecurityContext:(*core.SecurityContext)(nil), Stdin:false, StdinOnce:false, TTY:false}, core.Container{Name:"grafana", Image:"open.greenhost.net:4567/openappstack/user-panel/backend:1.2.0", Command:[]string{"/bin/bash", "-c"}, Args:[]string{"curl http://single-sign-on-hydra-admin:4445/clients && curl --header \"Content-Type: application/json\" \\\n --request POST \\\n --data \"{\\\"client_id\\\": \\\"$CLIENT_ID\\\",\n \\\"client_name\\\": \\\"$CLIENT_NAME\\\",\n \\\"client_secret\\\": \\\"$CLIENT_SECRET\\\",\n \\\"client_uri\\\": \\\"$CLIENT_URI\\\",\n \\\"logo_uri\\\": \\\"$CLIENT_LOGO_URI\\\",\n \\\"redirect_uris\\\": [\\\"$REDIRECT_URI\\\"],\n \\\"scope\\\": \\\"$SCOPES\\\",\n \\\"grant_types\\\": [$GRANT_TYPES\\\"\\\"],\n \\\"response_types\\\": [$RESPONSE_TYPES\\\"\\\"],\n \\\"token_endpoint_auth_method\\\": \\\"client_secret_post\\\"}\" \\\n http://single-sign-on-hydra-admin:4445/clients\n"}, WorkingDir:"", Ports:[]core.ContainerPort(nil), EnvFrom:[]core.EnvFromSource(nil), Env:[]core.EnvVar{core.EnvVar{Name:"CLIENT_ID", Value:"", 
ValueFrom:(*core.EnvVarSource)(0xc00c703ea0)}, core.EnvVar{Name:"CLIENT_SECRET", Value:"", ValueFrom:(*core.EnvVarSource)(0xc00c703ec0)}, core.EnvVar{Name:"CLIENT_NAME", Value:"grafana", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"REDIRECT_URI", Value:"https://grafana.oas.maartendewaard.nl/login/generic_oauth", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"SCOPES", Value:"openid profile email openappstack_roles", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"CLIENT_URI", Value:"https://grafana.oas.maartendewaard.nl", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"CLIENT_LOGO_URI", Value:"https://grafana.oas.maartendewaard.nl/public/img/grafana_icon.svg", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"TOKEN_ENDPOINT_AUTH_METHOD", Value:"client_secret_post", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"RESPONSE_TYPES", Value:"\"code\",\"id_token\",", ValueFrom:(*core.EnvVarSource)(nil)}, core.EnvVar{Name:"GRANT_TYPES", Value:"\"authorization_code\",\"refresh_token\",\"client_credentials\",", ValueFrom:(*core.EnvVarSource)(nil)}}, Resources:core.ResourceRequirements{Limits:core.ResourceList(nil), Requests:core.ResourceList(nil)}, VolumeMounts:[]core.VolumeMount(nil), VolumeDevices:[]core.VolumeDevice(nil), LivenessProbe:(*core.Probe)(nil), ReadinessProbe:(*core.Probe)(nil), Lifecycle:(*core.Lifecycle)(nil), TerminationMessagePath:"/dev/termination-log", TerminationMessagePolicy:"File", ImagePullPolicy:"Always", SecurityContext:(*core.SecurityContext)(nil), Stdin:false, StdinOnce:false, TTY:false}}, RestartPolicy:"Never", TerminationGracePeriodSeconds:(*int64)(0xc000903550), ActiveDeadlineSeconds:(*int64)(nil), DNSPolicy:"ClusterFirst", NodeSelector:map[string]string(nil), ServiceAccountName:"", AutomountServiceAccountToken:(*bool)(nil), NodeName:"", SecurityContext:(*core.PodSecurityContext)(0xc003bd5110), ImagePullSecrets:[]core.LocalObjectReference(nil), Hostname:"", Subdomain:"", 
Affinity:(*core.Affinity)(nil), SchedulerName:"default-scheduler", Tolerations:[]core.Toleration(nil), HostAliases:[]core.HostAlias(nil), PriorityClassName:"", Priority:(*int32)(nil), PreemptionPolicy:(*core.PreemptionPolicy)(nil), DNSConfig:(*core.PodDNSConfig)(nil), ReadinessGates:[]core.PodReadinessGate(nil), RuntimeClassName:(*string)(nil), EnableServiceLinks:(*bool)(nil)}}: field is immutable 12d