Bug 1387387

Summary: saml-auth pod can not be deployed automatically
Product: OpenShift Container Platform Reporter: Johnny Liu <jialiu>
Component: InstallerAssignee: Brenton Leanhardt <bleanhar>
Status: CLOSED NEXTRELEASE QA Contact: Johnny Liu <jialiu>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.4.0CC: aos-bugs, jialiu, jokerman, mmccomas
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-14 13:09:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Johnny Liu 2016-10-20 18:32:40 UTC 
Description of problem:
create saml-auth pod using oc new-app command:
# oc new-app --template=saml-auth -p APPLICATION_DOMAIN=saml-auth-test.example.com,OSE_API_PUBLIC_URL=https://ose.example.com:8443/oauth/authorize,LOG_LEVEL=trace5,APPLICATION_IMAGE=registry.ops.openshift.com/openshift3/saml-service-provider

After that, dc deployment is not triggered.

For 3.2/3.3, we could use "oc deploy dc/saml-auth --latest" to manually trigger it as workaround, while for 3.4, this workaround does not work any more.

-bash-4.2# oc deploy dc/saml-auth --latest
Flag --latest has been deprecated, use 'oc rollout latest' instead
error: cannot trigger a deployment for "saml-auth" because it contains unresolved images - try 'oc rollout latest dc/saml-auth'

-bash-4.2# oc deploy dc/saml-auth
saml-auth deployment #1 waiting on image or update

Now we have another workaround:
# oc edit dc/saml-auth
remove the "ImageChange" trigger type, save it, after that, saml-auth is deployed automatically.

So suggest to update saml-auth template file, https://github.com/openshift/request-header-saml-service-provider/blob/master/saml-auth.template, remove the following lines:
                    {
                        "imageChangeParams": {
                            "automatic": true,
                            "containerNames": [
                                "saml-auth"
                            ],
                            "from": {
                                "kind": "ImageStreamTag",
                                "name": "saml-service-provider:latest",
                                "namespace": "openshift3"
                            }
                        },
                        "type": "ImageChange"
                    },

Version-Release number of selected component (if applicable):
atomic-openshift-3.4.0.13-1.git.0.406f649.el7.x86_64.rpm

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Johnny Liu 2016-10-26 03:30:27 UTC 
Found some better workaround:
1. oc new-project openshift3 --skip-config-write=true && oadm policy add-cluster-role-to-group system:image-puller system:authenticated -n openshift3
2. docker pull openshift3/saml-service-provider && docker tag openshift3/saml-service-provider {{ registerIp.stdout }}:5000/openshift3/saml-service-provider && docker login -u unused -e unused -p $(oc sa get-token builder -n openshift3) {{ registerIp.stdout }}:5000 && docker push {{ registerIp.stdout }}:5000/openshift3/saml-service-provider
3. oc scale --replicas=1 dc saml-auth
Comment 2 Brenton Leanhardt 2016-10-26 12:16:54 UTC 
Hi Jianlin,

With your last comment, would it only involve updating our documentation?
Comment 3 Johnny Liu 2016-10-27 02:47:17 UTC 
@Brenton, yes, only involve updating our documentation. Actually the steps in the comment 1 are already mentioned in https://github.com/openshift/request-header-saml-service-provider/blob/master/README.md, the only point need to be highlighted in that doc is "Pushing the image to the internal docker registry" is necessary, if user do not that, saml-auth pod in 3.4 would not be deployed successfully.
Comment 4 Brenton Leanhardt 2016-11-09 18:56:15 UTC 
Jianlin, I've incorporated your suggestions in this PR: https://github.com/openshift/request-header-saml-service-provider/pull/6

For convenience, you can follow the steps by accessing my fork:
https://github.com/brenton/request-header-saml-service-provider/tree/BZ1387387

I noticed a number of other typos and minor fixes needed for OCP 3.4 that you may want to review in that PR.  The main change was that I moved the sections for "ImageStream preparation", "Manually building the docker image" and "Pushing the image to the internal docker registry" to a new section called "Making local modifications".

Those steps are not technically required since they would need to be modified for certain environments.  I moved the new section to the end.  It is wonderful that you discovered these steps needed to be modified for OCP 3.4.

Let me know if the changes look good to you and I can merge this PR.
Comment 5 Johnny Liu 2016-11-10 09:11:40 UTC 
After review, most are find to me. Only one question, as far as I know, 3.3 does not support "oc rollout latest", it is newly introduce in 3.4, if user is deploying a 3.3 env, it will be confused.
Comment 6 Brenton Leanhardt 2016-11-11 14:06:48 UTC 
That is correct.  Since this tool is not generally available and only used for OpenShift Dedicated my take was that we only need to support the latest version of OpenShift.  It's easy enough for Ops or anyone to see the git history and revert.  I just pushed a tag called ocp_3_3_origin_1_3 to github.com:openshift/request-header-saml-service-provider.git to clarify how you could use an older version.

If this looks good to you let me know and I'll merge the original PR.
Comment 7 Johnny Liu 2016-11-14 02:24:54 UTC 
I am okay with it now, pls merge the PR.
Comment 8 Brenton Leanhardt 2016-11-14 13:09:13 UTC 
I merged the PR.  I'm closing this bug since it doesn't need to be attached to any advisory.