Adding 1.28v kubevirt cluster as provider - help with tokens #976

Open
jsakil14 opened this issue Jul 29, 2024 · 11 comments

Comments

@jsakil14

I am creating a new provider, a v1.28 k8s / kubevirt cluster - I need to provide the
1. URL - which I am giving as the output of kubectl cluster-info and the IP with :6443 port as output
2. Provider credentials
Service account bearer token: I created a new namespace konveyor-forklift and a service account named konveyor-forklift
Did a clusterrole binding as below

kg clusterrolebindings.rbac.authorization.k8s.io konveyor-forklift-binding -o yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"konveyor-forklift-binding"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"konveyor-forklift","namespace":"konveyor-forklift"}]}
  creationTimestamp: "2024-07-29T09:49:02Z"
  name: konveyor-forklift-binding
  resourceVersion: "2326597"
  uid: fe33aaeb-bc10-4001-ae03-ae3cb445926a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: konveyor-forklift
  namespace: konveyor-forklift

1. After doing this, I did kubectl create token konveyor-forklift -n konveyor-forklift and got a token file which I am inputting into the field mentioned.
2. For the certificate, I have taken the certificate-authority-data output of this and decoded it into a certificate file:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data

This is not working and giving error:

Invalid token, a valid Kubernetes service account token is required

Can I get some guidance on what I am doing wrong and what is the best way to accomplish this... @ahadas @yaacov

@jsakil14
Author

Could someone help on this, not sure what is wrong here...

@jsakil14
Author

jsakil14 commented Aug 1, 2024

BUMP!

@bennyz
Member

bennyz commented Aug 1, 2024

are you trying to add a remote k8s provider?
generally you can get the token from the secret associated with the service account:

$ kubectl -n konveyor-forklift get serviceaccount forklift-controller -o jsonpath='{.secrets[0].name}'

and then grab it from the secret

@jsakil14
Author

jsakil14 commented Aug 8, 2024

This should be run from the cluster which I am adding to the forklift? @bennyz

@jsakil14
Author

jsakil14 commented Aug 8, 2024

I don't have forklift deployed in the new cluster which I am adding, do I have to install it to use this? I thought we just need to add it as a provider... please correct me

Also, I remember tokens are not created automatically from 1.24 k8s, we have to generate... please link me to any repo or files which would help me to create service account... @yaacov @bennyz

@jsakil14
Author

jsakil14 commented Aug 8, 2024

Credentials
Invalid token, a valid Kubernetes service account token is required
Service account bearer token *
.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLSe0WrZHfVw7wc6afskgBwhl2HlyPtzxy9QvlNdtvlkA3j31TJaqy7KEMt4g-cY_wuo7dExYhw9WtCOses3EXPLIYKdAoJ8
A service account token, optional, used for authenticating the the connection to the API server.

@yaacov
Member

yaacov commented Aug 8, 2024

> help me to create service account

hi, here is a short example of using service accounts
https://github.com/kubev2v/forklift-console-plugin/blob/main/docs/create-service-account-with-token.md

@jsakil14
Author

jsakil14 commented Aug 8, 2024

Thanks @yaacov again! It helped me create the tokens and I am able to add it... Is there any requirement for migrating VMs between two kubevirt clusters other than the k8s version being 1.26+? I have source and destination providers as kubevirt clusters and the error which I am getting is for VM unmapped networks - however network mappings are getting created in the mappings tab - sharing logs below:

{"level":"info","ts":"2024-08-08 11:42:03.674","logger":"plan|gskzk","msg":"Reconcile started.","plan":{"name":"fedora","namespace":"konveyor-forklift"}}
{"level":"error","ts":"2024-08-08 11:42:04.002","logger":"validator|ocp","msg":"Multus network not found.","plan":"konveyor-forklift/fedora","stacktrace":"github.com/konveyor/forklift-controller/pkg/controller/plan/adapter/ocp.(*Validator).NetworksMapped\n\tpkg/controller/plan/adapter/ocp/validator.go:177\ngithub.com/konveyor/forklift-controller/pkg/controller/plan.(*Reconciler).validateVM\n\tpkg/controller/plan/validation.go:498\ngithub.com/konveyor/forklift-controller/pkg/controller/plan.(*Reconciler).validate\n\tpkg/controller/plan/validation.go:141\ngithub.com/konveyor/forklift-controller/pkg/controller/plan.Reconciler.Reconcile\n\tpkg/controller/plan/controller.go:211\ngithub.com/konveyor/forklift-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\tvendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:119\ngithub.com/konveyor/forklift-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tvendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:316\ngithub.com/konveyor/forklift-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tvendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:266\ngithub.com/konveyor/forklift-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tvendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:227"}
{"level":"info","ts":"2024-08-08 11:42:04.013","logger":"validator|ocp","msg":"Not PVC or DataVolume, skipping volume...","plan":"konveyor-forklift/fedora","volume":"containerdisk"}
{"level":"info","ts":"2024-08-08 11:42:04.013","logger":"validator|ocp","msg":"Not PVC or DataVolume, skipping volume...","plan":"konveyor-forklift/fedora","volume":"clouddisk"}
{"level":"info","ts":"2024-08-08 11:42:04.069","logger":"plan|gskzk","msg":"Condition added.","plan":{"name":"fedora","namespace":"konveyor-forklift"},"condition":{"type":"VMNetworksNotMapped","status":"True","reason":"NotValid","category":"Critical","message":"VM has unmapped networks.","lastTransitionTime":null,"items":[" id:ba3d2c2a-db90-4235-8c7b-2ec85a3c5ba4 name:'vm-fedora-05' "]}}
{"level":"debug","ts":"2024-08-08 11:42:04.069","logger":"events","msg":"VM has unmapped networks.","type":"Warning","object":{"kind":"Plan","namespace":"konveyor-forklift","name":"fedora","uid":"b8deb00c-3410-4a08-bde1-a83c702b75f8","apiVersion":"forklift.konveyor.io/v1beta1","resourceVersion":"153069458"},"reason":"VMNetworksNotMapped"}
{"level":"info","ts":"2024-08-08 11:42:04.077","logger":"plan|gskzk","msg":"Reconcile ended.","plan":{"name":"fedora","namespace":"konveyor-forklift"},"reQ":0}
{"level":"info","ts":"2024-08-08 11:42:04.077","logger":"plan|bsjsx","msg":"Reconcile started.","plan":{"name":"fedora","namespace":"konveyor-forklift"}}
{"level":"error","ts":"2024-08-08 11:42:04.097","logger":"validator|ocp","msg":"Multus network not found.","plan":"konveyor-forklift/fedora","stacktrace":"github.com/konveyor/forklift-controller/pkg/controller/plan/adapter/ocp.(*Validator).NetworksMapped\n\tpkg/controller/plan/adapter/ocp/validator.go:177\ngithub.com/konveyor/forklift-controller/pkg/controller/plan.(*Reconciler).validateVM\n\tpkg/controller/plan/validation.go:498\ngithub.com/konveyor/forklift-controller/pkg/controller/plan.(*Reconciler).validate\n\tpkg/controller/plan/validation.go:141\ngithub.com/konveyor/forklift-controller/pkg/controller/plan.Reconciler.Reconcile\n\tpkg/controller/plan/controller.go:211\ngithub.com/konveyor/forklift-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\tvendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:119\ngithub.com/konveyor/forklift-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tvendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:316\ngithub.com/konveyor/forklift-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tvendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:266\ngithub.com/konveyor/forklift-controller/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tvendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:227"}
{"level":"info","ts":"2024-08-08 11:42:04.109","logger":"validator|ocp","msg":"Not PVC or DataVolume, skipping volume...","plan":"konveyor-forklift/fedora","volume":"containerdisk"}
{"level":"info","ts":"2024-08-08 11:42:04.109","logger":"validator|ocp","msg":"Not PVC or DataVolume, skipping volume...","plan":"konveyor-forklift/fedora","volume":"clouddisk"}
{"level":"info","ts":"2024-08-08 11:42:04.273","logger":"plan|bsjsx","msg":"Reconcile ended.","plan":{"name":"fedora","namespace":"konveyor-forklift"},"reQ":0}

Adding to this: Do we have a requirement to have the VMs in the same namespace, i.e. konveyor-forklift?
Since the NADs are from the default ns, I think this is the reason, but it is still not clear.. @ahadas

@jsakil14
Author

jsakil14 commented Aug 8, 2024

> help me to create service account
>
> hi, here is a short example of using service accounts https://github.com/kubev2v/forklift-console-plugin/blob/main/docs/create-service-account-with-token.md

Also, can we be specific

  1. about the namespace: whether default or konveyor-forklift for the service account
  2. Role: should it be cluster-admin or something less?

I think this is where I am running into issues with the network attachment definitions... #976 (comment)

For forklift to operate without issues, do we have to use the default ns for creating service accounts or konveyor-forklift?

@jsakil14
Author

jsakil14 commented Aug 8, 2024

Still no luck, followed below:

export SERVICE_ACCOUNT=forklift-user
export NAMESPACE=default

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SERVICE_ACCOUNT}
  namespace: ${NAMESPACE}
automountServiceAccountToken: true
EOF

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: ${SERVICE_ACCOUNT}
  namespace: ${NAMESPACE}
  annotations:
    kubernetes.io/service-account.name: ${SERVICE_ACCOUNT}
type: kubernetes.io/service-account-token
EOF

kubectl create clusterrolebinding ${SERVICE_ACCOUNT}-forklift-user --clusterrole=cluster-admin --serviceaccount=${NAMESPACE}:${SERVICE_ACCOUNT}

export TOKEN=$(kubectl get secret ${SERVICE_ACCOUNT} -n ${NAMESPACE} -o=jsonpath={.data.token} | base64 -d)

Also, I am able to query the APIs for cluster details, which works! But when I am trying to add the cluster to provider it is still failing with invalid secret....

Also, for the URL I am providing the link from the output of kubectl cluster-info, don't know what is wrong...
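
Added example, not part of the thread and not Forklift's own validation code: a local check of a service account token value before it is pasted into the provider form, covering both the `kubectl create token` and the Secret-based tokens used above. It decodes the JWT payload without verifying the signature; the function names and the sample tokens are constructed for illustration.

```python
import base64
import json
import time

SA_PREFIX = "system:serviceaccount:"

def decode_segment(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def inspect_sa_token(token, now=None):
    """Return the problems found in a token; an empty list means none."""
    now = time.time() if now is None else now
    parts = token.strip().split(".")  # a trailing newline from a shell pipe is harmless
    present = sum(1 for p in parts if p)
    if len(parts) != 3 or present != 3:
        return [f"expected 3 non-empty JWT segments, got {present}"]
    try:
        claims = decode_segment(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["payload segment is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    problems = []
    sub = str(claims.get("sub", ""))
    if not sub.startswith(SA_PREFIX) or sub.count(":") != 3:
        problems.append(f"sub {sub!r} is not system:serviceaccount:<namespace>:<name>")
    # Tokens from `kubectl create token` carry exp; Secret-based tokens do not.
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        problems.append(f"token expired {int(now - exp)}s ago")
    return problems

def constructed_token(claims):
    # Unsigned sample for the demo below (constructed, not a real credential).
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])

if __name__ == "__main__":
    now = 1723100000  # fixed clock so the output is repeatable
    sa = "system:serviceaccount:konveyor-forklift:konveyor-forklift"
    bound = constructed_token({"sub": sa, "exp": now - 60})
    legacy = constructed_token({"sub": "system:serviceaccount:default:forklift-user"})
    headless = "." + legacy.split(".", 1)[1]  # first segment lost in copy/paste
    for label, tok in [("expired", bound), ("secret-based", legacy), ("headless", headless)]:
        print(label, "->", inspect_sa_token(tok, now) or "ok")
```

An empty result only rules out format and expiry problems; whether the API server accepts the token still depends on its signature and on the service account existing in the target cluster.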

@jsakil14
Author

jsakil14 commented Aug 9, 2024

'{"level":"debug","ts":"2024-05-27 14:18:24.953","logger":"events","msg":"Map.Network does not have Ready condition.","type":"Warning","object":{"kind":"Plan","namespace":"konveyor-forklift","name":"kubevirttovmware","uid":"57c1580b-72c6-4cf4-9982-5fcb937174bf","apiVersion":"forklift.konveyor.io/v1beta1","resourceVersion":"80317515"},"reason":"NetworkMapNotReady"}
{"level":"debug","ts":"2024-05-27 14:18:24.953","logger":"events","msg":"VM has unmapped networks.","type":"Warning","object":{"kind":"Plan","namespace":"konveyor-forklift","name":"kubevirttovmware","uid":"57c1580b-72c6-4cf4-9982-5fcb937174bf","apiVersion":"forklift.konveyor.io/v1beta1","resourceVersion":"80317515"},"reason":"VMNetworksNotMapped"}
{"level":"debug","ts":"2024-05-27 14:18:24.953","logger":"events","msg":"VM has unmapped storage.","type":"Warning","object":{"kind":"Plan","namespace":"konveyor-forklift","name":"kubevirttovmware","uid":"57c1580b-72c6-4cf4-9982-5fcb937174bf","apiVersion":"forklift.konveyor.io/v1beta1","resourceVersion":"80317515"},"reason":"VMStorageNotMapped"}
