root-dependency / avoid kube-job (Cluster)Role/(Cluster)RoleBinding names collisions
When updating sylva-units (e.g. apply.sh), the ServiceAccount, Role, RoleBinding, ClusterRole and ClusterRoleBinding for the root-dependency-<n+1> Kustomization is the same as the one for the root-dependency-<n> Kustomization. Since the latter is being removed at some point during the update, there are cases where the root-dependency-<n+1> Kustomization isn't functional .
Example logs of the root-dependency script:
│ kustomization.kustomize.toolkit.fluxcd.io/capi condition met │
│ kustomization.kustomize.toolkit.fluxcd.io/capi-providers-pivot-ready condition met │
│ kustomization.kustomize.toolkit.fluxcd.io/capi-rancher-import condition met │
│ W0618 11:22:16.093722 7 reflector.go:539] vendor/k8s.io/client-go/tools/watch/informerwatcher.go:146: failed to list *unstructured.Unstructured: kustomizations.kustomize.toolkit.fluxcd.io "capo" is forbidden: User "system:serviceaccount │
│ E0618 11:22:16.093824 7 reflector.go:147] vendor/k8s.io/client-go/tools/watch/informerwatcher.go:146: Failed to watch *unstructured.Unstructured: failed to list *unstructured.Unstructured: kustomizations.kustomize.toolkit.fluxcd.io "cap │
│ W0618 11:22:17.590143 7 reflector.go:539] vendor/k8s.io/client-go/tools/watch/informerwatcher.go:146: failed to list *unstructured.Unstructured: kustomizations.kustomize.toolkit.fluxcd.io "capo" is forbidden: User "system:serviceaccount │
│ E0618 11:22:17.590179 7 reflector.go:147] vendor/k8s.io/client-go/tools/watch/informerwatcher.go:146: Failed to watch *unstructured.Unstructured: failed to list *unstructured.Unstructured: kustomizations.kustomize.toolkit.fluxcd.io "cap │
│ W0618 11:22:20.731956 7 reflector.go:539] vendor/k8s.io/client-go/tools/watch/informerwatcher.go:146: failed to list *unstructured.Unstructured: kustomizations.kustomize.toolkit.fluxcd.io "capo" is forbidden: User "system:serviceaccount │
│ E0618 11:22:20.731998 7 reflector.go:147] vendor/k8s.io/client-go/tools/watch/informerwatcher.go:146: Failed to watch *unstructured.Unstructured: failed to list *unstructured.Unstructured: kustomizations.kustomize.toolkit.fluxcd.io "cap │
│ W0618 11:22:26.535794 7 reflector.go:539] vendor/k8s.io/client-go/tools/watch/informerwatcher.go:146: failed to list *unstructured.Unstructured: kustomizations.kustomize.toolkit.fluxcd.io "capo" is forbidden: User "system:serviceaccount │
│ E0618 11:22:26.535845 7 reflector.go:147] vendor/k8s.io/client-go/tools/watch/informerwatcher.go:146: Failed to watch *unstructured.Unstructured: failed to list *unstructured.Unstructured: kustomizations.kustomize.toolkit.fluxcd.io "cap │
│ W0618 11:22:33.259054 7 reflector.go:539] vendor/k8s.io/client-go/tools/watch/informerwatcher.go:146: failed to list *unstructured.Unstructured: kustomizations.kustomize.toolkit.fluxcd.io "capo" is forbidden: User "system:serviceaccount │
│ E0618 11:22:33.259088 7 reflector.go:147] vendor/k8s.io/client-go/tools/watch/informerwatcher.go:146: Failed to watch *unstructured.Unstructured: failed to list *unstructured.Unstructured: kustomizations.kustomize.toolkit.fluxcd.io "cap │
│ W0618 11:22:55.528834 7 reflector.go:539] vendor/k8s.io/client-go/tools/watch/informerwatcher.go:146: failed to list *unstructured.Unstructured: kustomizations.kustomize.toolkit.fluxcd.io "capo" is forbidden: User "system:serviceaccount │
│ E0618 11:22:55.528877 7 reflector.go:147] vendor/k8s.io/client-go/tools/watch/informerwatcher.go:146: Failed to watch *unstructured.Unstructured: failed to list *unstructured.Unstructured: kustomizations.kustomize.toolkit.fluxcd.io "cap │
│ timed out waiting for the condition on kustomizations/capo │
│ timed out waiting for the condition on kustomizations/capo-cloud-config │
│ timed out waiting for the condition on kustomizations/capo-cluster-resources But this issue can trigger many different errors.
Those errors heal by themselves since the root-dependency-<n+1> Kustomization eventually gets a periodic reconciliation, but it may take a significant time.
Edited by Thomas Morin