How to debug a crossplane provider

crossplane kubernetes troubleshooting debug

4 min read | by Jordi Prats

To be able to setup a crossplane provider there are some pieces that need to be aligned to be able to use it. For example, if we want to setup the AWS provider using an IAM Role for ServiceAccount. If something is missaligned, we might end up with an error while creating resources that doesn't really clarify what's the actual error:

$ kubectl describe bucket.s3.aws.crossplane.io/test-bucket Name: test-bucket Namespace:  Labels: <none> Annotations: crossplane.io/external-name: pet2cattle-demo API Version: s3.aws.crossplane.io/v1beta1 Kind: Bucket Metadata: (...) Spec: (...)  Provider Config Ref:  Name: aws-provider Status:  At Provider:  Arn:   Conditions:  Last Transition Time: 2022-02-22T21:43:23Z  Message: observe failed: failed to query Bucket: api error MovedPermanently: Moved Permanently  Reason: ReconcileError  Status: False  Type: Synced Events:  Type Reason Age From Message  ---- ------ ---- ---- -------  Warning CannotObserveExternalResource 7s (x6 over 36s) managed/bucket.s3.aws.crossplane.io failed to query Bucket: api error MovedPermanently: Moved Permanently

Assuming we have the following configuration for the AWS provider:

apiVersion: pkg.crossplane.io/v1alpha1 kind: ControllerConfig metadata:  name: aws-config spec:  podSecurityContext:  fsGroup: 2000 --- apiVersion: pkg.crossplane.io/v1 kind: Provider metadata:  name: provider-aws spec:  package: crossplane/provider-aws:v0.24.1  controllerConfigRef:  name: aws-config --- apiVersion: aws.crossplane.io/v1beta1 kind: ProviderConfig metadata:  name: aws-provider spec:  credentials:  source: InjectedIdentity

What we can do is run a shell on the AWS provider pod to check for the processes' command-line arguments:

$ kubectl get pods NAME READY STATUS RESTARTS AGE crossplane-c7b774b95-t8t6n 1/1 Running 0 6h31m crossplane-rbac-manager-6cff7fbf67-nz7bb 1/1 Running 0 6h31m provider-aws-f78664a342f1-575cccfd-g629p 1/1 Running 0 8m21s $ kubectl exec -it provider-aws-f78664a342f1-575cccfd-g629p -- sh / $ ps PID USER TIME COMMAND  1 2000 1:14 crossplane-aws-provider  17 2000 0:00 sh  24 2000 0:00 ps / $ crossplane-aws-provider --help usage: crossplane-aws-provider [<flags>] AWS support for Crossplane. Flags:  --help Show context-sensitive help (also try --help-long and --help-man).  -d, --debug Run with debug logging.  -s, --sync=1h Sync interval controls how often all resources will be double checked for drift.  --poll=1m Poll interval controls how often an individual resource should be checked for drift.  -l, --leader-election Use leader election for the conroller manager. / $

Since the provider's deployment is managed by the crossplane controller we won't be able to patch it using neither kubectl edit nor kubectl patch. Instead, we can use the ControllerConfig. We can use spec.args to add a -debug flag:

apiVersion: pkg.crossplane.io/v1alpha1 kind: ControllerConfig metadata:  name: aws-config spec:  podSecurityContext:  fsGroup: 2000  args:  - '--debug'

If we check for the container's logs we'll be able to see more output but it might not be enough to understand the problem:

$ kubectl logs provider-aws-f78664a342f1-68999bf77b-xg7pt -f (...) 2022-02-22T22:26:19.457Z DEBUG provider-aws Reconciling {"controller": "managed/bucket.s3.aws.crossplane.io", "request": "/test-bucket"} 2022-02-22T22:26:19.565Z DEBUG provider-aws Cannot observe external resource {"controller": "managed/bucket.s3.aws.crossplane.io", "request": "/test-bucket", "uid": "2e5c0379-ce37-4546-89f1-16a833808ecc", "version": "145001855", "external-name": "pet2cattle-demo", "error": "failed to query Bucket: api error BadRequest: Bad Request", "errorVerbose": "api error BadRequest: Bad Request\nfailed to query Bucket\ngithub.com/crossplane/provider-aws/pkg/clients.Wrap\n\t/home/runner/work/provider-aws/provider-aws/pkg/clients/aws.go:976\ngithub.com/crossplane/provider-aws/pkg/controller/s3.(*external).Observe\n\t/home/runner/work/provider-aws/provider-aws/pkg/controller/s3/bucket.go:108\ngithub.com/crossplane/crossplane-runtime/pkg/reconciler/managed.(*Reconciler).Reconcile\n\t/home/runner/work/provider-aws/provider-aws/vendor/github.com/crossplane/crossplane-runtime/pkg/reconciler/managed/reconciler.go:681\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/work/provider-aws/provider-aws/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:298\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/work/provider-aws/provider-aws/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:253\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/work/provider-aws/provider-aws/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:214\nruntime.goexit\n\t/opt/hostedtoolcache/go/1.17.6/x64/src/runtime/asm_amd64.s:1581"} 2022-02-22T22:26:19.568Z DEBUG controller-runtime.manager.events Warning {"object": {"kind":"Bucket","name":"test-bucket","uid":"2e5c0379-ce37-4546-89f1-16a833808ecc","apiVersion":"s3.aws.crossplane.io/v1beta1","resourceVersion":"145001855"}, "reason": "CannotObserveExternalResource", "message": "failed to query Bucket: api error BadRequest: Bad Request"} (...)

We can also set spec.securityContext.runAsUser to 0 to be able to install the AWS cli on the container to get the actual error. That would look like this:

apiVersion: pkg.crossplane.io/v1alpha1 kind: ControllerConfig metadata:  name: aws-config spec:  podSecurityContext:  fsGroup: 2000  args:  - '--debug'  securityContext:  runAsUser: 0

Once the provider's pod have been refreshed we can spawn a shell on it to install awscli as follows:

$ kubectl exec -it provider-aws-f78664a342f1-5bb5d9f9d8-ch2kv -- sh  / # apk --no-cache add python3 py3-pip; pip3 install --upgrade pip; pip3 install --no-cache-dir awscli; aws s3 ls (...) An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity

This error might better point us on the right direction to fix whatever is causing it

Posted on 23/02/2022

Categories