Bug 1321855
| Summary: | Get error when creating logging-elasticsearch secret in logging deployer pod with latest image | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Xia Zhao <xiazhao> |
| Component: | Logging | Assignee: | ewolinet |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | chunchen <chunchen> |
| Severity: | low | Priority: | low |
| Version: | 3.2.0 | CC: | aos-bugs, ewolinet, lmeyer, wsun, xiazhao |
| Keywords: | Regression, TestBlocker | Doc Type: | Bug Fix |
| Hardware: | Unspecified | OS: | Unspecified |
| Last Closed: | 2016-04-06 13:22:33 UTC | Type: | Bug |

Description
Xia Zhao
2016-03-29 09:25:55 UTC
Hi Eric,

Yes, I have the secret 'logging-deployer' in the logging project:

    # oc get secret -n logging | grep logging-deployer
    logging-deployer                   Opaque                                1    41m
    logging-deployer-dockercfg-yzef7   kubernetes.io/dockercfg               1    40m
    logging-deployer-token-26ccs       kubernetes.io/service-account-token   3    40m
    logging-deployer-token-eqi1t       kubernetes.io/service-account-token   3    40m

I apologize for pasting inconsistent pod names in the bug report; it's my mistake. I did all operations against the logging project, and I was not working with the default project. The description in the "Actual Result" part should be:

    $ oc get po -n logging
    NAME                     READY     STATUS    RESTARTS   AGE
    logging-deployer-go1if   0/1       Error     0          31m

    $ oc logs -f logging-deployer-go1if -n logging
    <--snip-->
    Creating secrets
    + :
    + echo 'Creating secrets'
    + oc secrets new logging-elasticsearch key=/etc/deploy/keystore.jks truststore=/etc/deploy/truststore.jks searchguard.key=/etc/deploy/searchguard_node_key.key admin-key=/etc/deploy/system.admin.key admin-cert=/etc/deploy/system.admin.crt admin-ca=/etc/deploy/ca.crt
    Error from server: User "system:serviceaccount:xiazhao:logging-deployer" cannot create secrets in project "default"

After doing "oadm policy add-role-to-user cluster-admin system:serviceaccount:logging:logging-deployer" on the master machine, the logging deployer can complete successfully. So this seemed like the same doc issue as https://bugzilla.redhat.com/show_bug.cgi?id=1321533, please feel free to set the status to ON_QA, and I will close it then.

Set to verified according to comment #2. Thank you for your time spent here, Eric.

No, we shouldn't be giving cluster-admin to the deployer. The deployer should only need "edit" on the project. I think the problem here was that you were getting the "latest" image, which happened to be the pre-release 3.1.1 with the problem in https://bugzilla.redhat.com/show_bug.cgi?id=1322245

In testing you'll probably want to be specific about the version of the deployer. I just built a new version of the deployer, 3.2.0-4 - can you verify that specifically is working?

Changed back to give the edit role to the service account:

    oc policy add-role-to-user edit system:serviceaccount:logging:logging-deployer

And tested with deployer image 3.2.0-4, it's fixed. Thanks Luke.

Closing this bug as it was fixed before release.
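
The least-privilege point made in this thread (the deployer should need only "edit" on its project, not cluster-admin) can be checked afterwards by auditing role bindings for service accounts that still hold cluster-admin. This is an added example, not part of the bug report or of OpenShift: it assumes bindings exported as JSON in the rbac.authorization.k8s.io shape (`roleRef` plus `subjects`), and the sample data, including the `builder-bot` account, is constructed.

```python
import json

# Constructed sample, shaped like an export of ClusterRoleBindings and
# RoleBindings as JSON (assumption: rbac.authorization.k8s.io field names).
SAMPLE = json.loads("""
{"items": [
 {"kind": "RoleBinding", "metadata": {"name": "edit", "namespace": "logging"},
  "roleRef": {"kind": "ClusterRole", "name": "edit"},
  "subjects": [{"kind": "ServiceAccount", "name": "logging-deployer", "namespace": "logging"}]},
 {"kind": "RoleBinding", "metadata": {"name": "cluster-admin", "namespace": "logging"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "User", "name": "system:serviceaccount:logging:logging-deployer"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admins"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:cluster-admins"},
               {"kind": "ServiceAccount", "name": "builder-bot", "namespace": "ci"}]}
]}
""")

SA_PREFIX = "system:serviceaccount:"

def service_account(subject, binding_ns):
    """Return (namespace, name) if the subject is a service account, else None."""
    kind, name = subject.get("kind"), subject.get("name", "")
    if kind == "ServiceAccount":
        return (subject.get("namespace") or binding_ns, name)
    # A service account can also be bound by its user name, as in the
    # add-role-to-user commands quoted in this thread.
    if kind == "User" and name.startswith(SA_PREFIX):
        parts = name[len(SA_PREFIX):].split(":")
        if len(parts) == 2 and all(parts):
            return (parts[0], parts[1])
    return None

def overprivileged(bindings, role="cluster-admin"):
    """List (scope, namespace, sa_name) for service accounts bound to `role`."""
    findings = []
    for b in bindings.get("items", []):
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        ns = b.get("metadata", {}).get("namespace")
        scope = "cluster" if b.get("kind") == "ClusterRoleBinding" else "namespace:%s" % ns
        for s in b.get("subjects") or []:
            sa = service_account(s, ns)
            if sa:
                findings.append((scope, sa[0], sa[1]))
    return findings

if __name__ == "__main__":
    for scope, ns, name in overprivileged(SAMPLE):
        print("%-20s %s/%s" % (scope, ns, name))
```

A namespaced binding to cluster-admin is reported separately from a cluster-wide one because it is narrower in reach but still exceeds the "edit" role the thread settles on.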