Error "Unable to find a checksum" occurs if install binary only
wellic opened this issue · comments
Issue occurs:
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Unable to find a checksum for file 'kubectl' in 'https://cdn.dl.k8s.io/release/v1.28.1/bin/linux/amd64/kubectl.sha512'"}
In the new release 23.0.0+1.28.1
In previous release 22.0.1+1.27.4 issue absent.
Also issue absent if kubectl_download_filetype: archive
I've tested in Ubuntu and Debian.
Step To Reproduce:
- Run:
ansible-galaxy role install githubixx.kubectl- Create file
test.yaml:
- name: Install kubectl with githubixx.kubectl
hosts: localhost
connection: local
tasks:
- name: Install kubectl with githubixx.kubectl
include_role:
name: githubixx.kubectl
vars:.
kubectl_download_filetype: binary- Run:
ansible-playbook test.yamlYou will get
ASK [githubixx.kubectl : Download kubectl binary] ************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Unable to find a checksum for file 'kubectl' in 'https://cdn.dl.k8s.io/release/v1.28.1/bin/linux/amd64/kubectl.sha512'"}
That's strange. I always test changes with the provided Molecule tests and with them everything is running fine with binary and archive e.g.
...
TASK [Include kubectl role] ****************************************************
TASK [githubixx.kubectl : Include tasks based on download filetype] ************
included: /opt/scripts/k8s_cluster/internal/roles/githubixx.kubectl/tasks/setup-binary.yml for test-kubectl-debian11, test-kubectl-debian12
TASK [githubixx.kubectl : Download kubectl binary] *****************************
changed: [test-kubectl-debian11]
changed: [test-kubectl-debian12]
TASK [githubixx.kubectl : Copy kubectl binary to destination directory] ********
changed: [test-kubectl-debian12] => (item=kubectl)
changed: [test-kubectl-debian11] => (item=kubectl)
PLAY RECAP *********************************************************************
test-kubectl-2004 : ok=5 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test-kubectl-2204 : ok=5 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test-kubectl-debian11 : ok=4 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test-kubectl-debian12 : ok=4 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
docker exec -it test-kubectl-debian12 kubectl version --client=true
Client Version: v1.28.1
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
And also molecule verify is running without issues:
PLAY [Verify setup] ************************************************************
TASK [Gathering Facts] *********************************************************
ok: [test-kubectl-2204]
ok: [test-kubectl-debian11]
ok: [test-kubectl-2004]
ok: [test-kubectl-debian12]
TASK [Execute kubectl version to capture output] *******************************
ok: [test-kubectl-2004]
ok: [test-kubectl-2204]
ok: [test-kubectl-debian12]
ok: [test-kubectl-debian11]
TASK [Ensure kubectl version output contains correct version string] ***********
ok: [test-kubectl-2004] => {
"changed": false,
"msg": "All assertions passed"
}
ok: [test-kubectl-2204] => {
"changed": false,
"msg": "All assertions passed"
}
ok: [test-kubectl-debian11] => {
"changed": false,
"msg": "All assertions passed"
}
ok: [test-kubectl-debian12] => {
"changed": false,
"msg": "All assertions passed"
}
PLAY RECAP *********************************************************************
test-kubectl-2004 : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test-kubectl-2204 : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test-kubectl-debian11 : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test-kubectl-debian12 : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
But you can try to download https://cdn.dl.k8s.io/release/v1.28.1/bin/linux/amd64/kubectl.sha512 . That should give you the hash 33cf3f6e37bcee4dff7ce14ab933c605d07353d4e31446dd2b52c3f05e0b150b60e531f6069f112d8a76331322a72b593537531e62104cfc7c70cb03d46f76b3. Then set
kubectl_checksum_binary: "33cf3f6e37bcee4dff7ce14ab933c605d07353d4e31446dd2b52c3f05e0b150b60e531f6069f112d8a76331322a72b593537531e62104cfc7c70cb03d46f76b3"
Maybe that helps.
I've tried locally (1), in docker (2), and in my gitlab ci/cd and I got the same results with this issue.
Curl returned the correct sha code but Ansible did not.
I've fixed it temporarily now - I set kubectl_download_filetype= archive in task ansible.
I've tested in Ubuntu 20.04, 22.04, Debian 11.
But I have not problem with the previous release.
I suppose that the issue has something to do with the fact that sha512 is specified by a link and not a number
I have the same problem:
Local machine: MAC
Remote machine: Debian
With filetype binary
TASK [kubectl : Download kubectl binary] ********************************************************************************************************************************
fatal: [root@192.168.1.30]: FAILED! => {"changed": false, "msg": "Unable to find a checksum for file 'kubectl' in 'https://cdn.dl.k8s.io/release/v1.28.1/bin/linux/amd64/kubectl.sha512'"}
With filetype binary with updated checksum 33cf3f6e37bcee4dff7ce14ab933c605d07353d4e31446dd2b52c3f05e0b150b60e531f6069f112d8a76331322a72b593537531e62104cfc7c70cb03d46f76b3
TASK [kubectl : Download kubectl binary] ********************************************************************************************************************************
fatal: [root@192.168.1.30]: FAILED! => {"changed": false, "checksum_dest": null, "checksum_src": null, "dest": "/var/folders/r9/w6mgscgj4hqc0fb_y9rrtd_r0000gn/T/", "elapsed": 0, "msg": "The checksum parameter has to be in format <algorithm>:<checksum>", "url": "https://cdn.dl.k8s.io/release/v1.28.1/bin/linux/amd64/kubectl"}
With filetype archive
TASK [kubectl : Download kubectl archive] *******************************************************************************************************************************
fatal: [root@192.168.1.30]: FAILED! => {"changed": false, "checksum_dest": null, "checksum_src": "cae7df039d1f997496687674979de18a84cf753f", "dest": "/var/folders/r9/w6mgscgj4hqc0fb_y9rrtd_r0000gn/T/", "elapsed": 1, "msg": "Destination /var/folders/r9/w6mgscgj4hqc0fb_y9rrtd_r0000gn/T does not exist", "src": "/root/.ansible/tmp/ansible-tmp-1696234157.231377-43516-233356382116250/tmppr4kjcdl", "url": "https://storage.googleapis.com/kubernetes-release/release/v1.28.1/kubernetes-client-linux-amd64.tar.gz"}
I'm sorry but I think I can't really help with this issue. But I made a mistake in my previous comment. It's NOT
kubectl_checksum_binary: "33cf3f6e37bcee4dff7ce14ab933c605d07353d4e31446dd2b52c3f05e0b150b60e531f6069f112d8a76331322a72b593537531e62104cfc7c70cb03d46f76b3"
BUT
kubectl_checksum_binary: "sha512:33cf3f6e37bcee4dff7ce14ab933c605d07353d4e31446dd2b52c3f05e0b150b60e531f6069f112d8a76331322a72b593537531e62104cfc7c70cb03d46f76b3"
In general I'm only using Ansible's get_url module which provides a checksum parameter. Maybe the documentation gives you a hint: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html#parameter-checksum The format is <algorithm>:<checksum|url>.
The documentation also states: If you worry about portability, only the sha1 algorithm is available on all platforms and python versions. and The Python "hashlib" module is responsible for providing the available algorithms. The choices vary based on Python version and OpenSSL version. So maybe your hashlib version is too old. Kubernetes doesn't provide SHA1 checksums. But you might be able to use SHA256. E.g. download from https://cdn.dl.k8s.io/release/v1.28.1/bin/linux/amd64/kubectl.sha1
So you can try either
kubectl_checksum_binary: "sha256:https://cdn.dl.k8s.io/release/v{{ kubectl_version }}/bin/{{ kubectl_os }}/{{ kubectl_arch }}/kubectl.sha256"
or without URL but with the checksum itself:
kubectl_checksum_binary: "sha256:e7a7d6f9d06fab38b4128785aa80f65c54f6675a0d2abef655259ddd852274e1