In the create-deployment step it attempts to set the registry secret in the Kubernetes cluster:
doctl registry kubernetes-manifest --namespace standardvision-production | rancher kubectl -n standardvision-production apply -f -
The response is:
INFO[0000] Saving config to /home/circleci/.rancher/cli2.json
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=secrets", GroupVersionKind: "/v1, Kind=Secret"
Name: "registry-brandnewbox", Namespace: "standardvision-production"
from server for: "STDIN": secrets "registry-brandnewbox" is forbidden: User "u-djgwvkmlqa" cannot get resource "secrets" in API group "" in the namespace "standardvision-production"
exit status 1
Exited with code exit status 1
Logging into the Circle instance via SSH, I can see:
$ rancher kubectl auth whoami
ATTRIBUTE VALUE
Username u-djgwvkmlqa
Groups [github_org://1711436 github_org://8620992 github_org://8932440 github_team://992367 github_team://1041562 github_team://3646451 github_team://5392190 github_team://5392380 github_team://7825707 github_team://11549990 github_team://12094133 system:authenticated system:cattle:authenticated]
Extra: principalid [github_user://880387]
Extra: requesthost [rancher2.brandnewops.com]
Extra: requesttokenid [kubeconfig-u-djgwvkmlqakgcl5]
Extra: username [willtcarey]
It's using @willtcarey as the user.
If I ask:
$ rancher kubectl auth can-i get secrets -n standardvision-production
no
So I log into Rancher, and update permissions on the cluster to include "Brand New Box"... and voila!
$ rancher kubectl auth can-i get secrets -n standardvision-production
yes
It sails through.
Not sure what changed, if anything, but it's important to note that you need to give the CircleCI registry user (will) access to the cluster.
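
A preflight check for the failure reported above, as an added example that is not part of the original issue or the project's pipeline: it asks the API server, via the same `auth can-i` call used in the issue, whether the CI identity holds each verb that `kubectl apply` needs on Secrets, so the job fails with a clear message before the `doctl` pipe runs. The function names and the `KUBECTL` override variable are assumptions made for this example.

```shell
#!/bin/sh
# Preflight for the registry-secret step: confirm the CI identity holds the
# verbs `kubectl apply` needs on Secrets before running the doctl pipeline.

# Command used to reach the cluster; the issue uses `rancher kubectl`.
# KUBECTL is an assumed override so the check can run against a stub.
KUBECTL="${KUBECTL:-rancher kubectl}"

# Prints the verbs on secrets that are denied in namespace $1, space-separated.
# apply first reads the live object (get), then creates or patches it.
missing_secret_verbs() {
    ns="$1"
    missing=""
    for verb in get create patch; do
        # `auth can-i` exits 0 for "yes" and non-zero for "no".
        if ! $KUBECTL auth can-i "$verb" secrets -n "$ns" >/dev/null 2>&1; then
            missing="${missing:+$missing }$verb"
        fi
    done
    printf '%s' "$missing"
}

# Returns 0 when every verb is allowed; otherwise reports to stderr, returns 1.
preflight_registry_secret() {
    ns="$1"
    denied="$(missing_secret_verbs "$ns")"
    if [ -n "$denied" ]; then
        echo "CI user lacks [$denied] on secrets in namespace $ns" >&2
        return 1
    fi
    return 0
}

# Usage in the CI step (commented out so sourcing this file has no effect):
# preflight_registry_secret standardvision-production || exit 1
```

Checking the three verbs separately shows exactly which grant is missing, which helps when scoping the CI user's role to the namespace instead of widening cluster access.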