Bug 1579269
| Summary: | [upgrade]asb should not add permission to automationbroker.io.servicebindings and serviceinstance | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Zihan Tang <zitang> |
| Component: | Service Broker | Assignee: | Shawn Hurley <shurley> |
| Status: | CLOSED ERRATA | QA Contact: | Zihan Tang <zitang> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 3.10.0 | CC: | aos-bugs, chezhang, jiazha, jmatthew, wmeng, zhsun |
| Target Milestone: | --- | ||
| Target Release: | 3.10.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-07-30 19:15:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
update description: TASK [ansible_service_broker : Add required permissions to asb-auth clusterrole] should NOT add permissions to servicebindings and serviceinstance.

Commits pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/0981f9f0e10bb7144c57a6aed6fdd2e71d86cbc9
Bug 1579269 - Updating the CRD resource names for migration.

https://github.com/openshift/openshift-ansible/commit/9882be2a7f64df464115095ea3efb9b7dac85f80
Merge pull request #8420 from shawn-hurley/bug-1579269

Bug 1579269 - Updating the CRD resource names for migration.

Add the log when job asb-etcd-migration failed:
```
# oc logs -f asb-etcd-migration-v5hnx
time="2018-05-21T09:01:35Z" level=info msg="etcd configuration: {asb-etcd.openshift-ansible-service-broker.svc /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt /var/run/asb-etcd-auth/client.crt /var/run/asb-etcd-auth/client.key 2379}"
time="2018-05-21T09:01:35Z" level=info msg="== ETCD CX =="
time="2018-05-21T09:01:35Z" level=info msg="EtcdHost: asb-etcd.openshift-ansible-service-broker.svc"
time="2018-05-21T09:01:35Z" level=info msg="EtcdPort: 2379"
time="2018-05-21T09:01:35Z" level=info msg="Endpoints: [https://asb-etcd.openshift-ansible-service-broker.svc:2379]"
2018/05/21 09:01:35 Dao::BatchGetRaw
2018/05/21 09:01:35 Successfully loaded [ 4 ] objects from etcd dir [ /spec ]
2018/05/21 09:01:35 Batch idx [ 0 ] -> [ 73ead67495322cc462794387fa9884f5 ]
2018/05/21 09:01:35 Batch idx [ 1 ] -> [ d5915e05b253df421efe6e41fb6a66ba ]
2018/05/21 09:01:35 Batch idx [ 2 ] -> [ 03b69500305d9859bb9440d9f9023784 ]
2018/05/21 09:01:35 Batch idx [ 3 ] -> [ 2c259ddd8059b9bc65081e07bf20058f ]
2018/05/21 09:01:35 set spec: 73ead67495322cc462794387fa9884f5
2018/05/21 09:01:35 set spec: d5915e05b253df421efe6e41fb6a66ba
2018/05/21 09:01:35 set spec: 03b69500305d9859bb9440d9f9023784
2018/05/21 09:01:35 set spec: 2c259ddd8059b9bc65081e07bf20058f
2018/05/21 09:01:35 Dao::BatchGetRaw
2018/05/21 09:01:35 Successfully loaded [ 3 ] objects from etcd dir [ /service_instance ]
2018/05/21 09:01:35 set service instance: 55f7fa4e-4557-4a40-ace8-451ee80ff04f
2018/05/21 09:01:35 unable to save service instance - bundleinstances.automationbroker.io is forbidden: User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create bundleinstances.automationbroker.io in the namespace "openshift-ansible-service-broker": User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create bundleinstances.automationbroker.io in project "openshift-ansible-service-broker"
time="2018-05-21T09:01:35Z" level=info msg="reverted service instances"
2018/05/21 09:01:35 Dao::DeleteSpec-> [ 73ead67495322cc462794387fa9884f5 ]
2018/05/21 09:01:35 Dao::DeleteSpec-> [ d5915e05b253df421efe6e41fb6a66ba ]
2018/05/21 09:01:35 Dao::DeleteSpec-> [ 03b69500305d9859bb9440d9f9023784 ]
2018/05/21 09:01:35 Dao::DeleteSpec-> [ 2c259ddd8059b9bc65081e07bf20058f ]
time="2018-05-21T09:01:35Z" level=info msg="reverted saved specs - exiting now - migration failed"
panic: Unable to migrate all the service instances set service instance - bundleinstances.automationbroker.io is forbidden: User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create bundleinstances.automationbroker.io in the namespace "openshift-ansible-service-broker": User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create bundleinstances.automationbroker.io in project "openshift-ansible-service-broker"
goroutine 1 [running]:
main.main()
/builddir/build/BUILD/ansible-service-broker-1.2.11/cmd/migration/main.go:126 +0x357c
```
image is ready, change it to ON_QA

verified,
ansible version: v3.10.0-0.50.0
the cluster role is right.
{"apiGroups": ["networking.k8s.io"], "attributeRestrictions": null, "resources": ["networkpolicies"], "verbs": ["create", "delete"]}, {"apiGroups": ["automationbroker.io"], "attributeRestrictions": null, "resources": ["bundlebindings", "bundleinstances", "bundles"], "verbs": ["*"]}]}, "returncode": 0}, "state": "present"}
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816
Description of problem:
when run upgrade task; TASK [ansible_service_broker : Add required permissions to asb-auth clusterrole] should add permissions to servicebindings and serviceinstance.

```
{
  "apiGroups": [ "automationbroker.io" ],
  "resources": [ "bundles", "jobstates", "servicebindings", "serviceinstances" ],
  "verbs": [ "*" ]
}
```

they are replaced by bundlebinding and bundleinstance, and jobstate is deleted

Version-Release number of selected component (if applicable):
openshift-ansible-3.10.0-0.47.0

How reproducible:
always

Steps to Reproduce:
1. install openshift v3.9 with ansible-service-broker and service-catalog
2. upgrade to 3.10

Actual results:
Add right permission to api group.

Expected results:

Additional info:
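
An added example, not part of the bug report or the broker's code: a small Python check that parses the `forbidden` line from the migration log and evaluates the denied request against the clusterrole rule quoted in the description and against the rules QA verified after the fix. The function names are hypothetical, the sample line is the log entry shortened to its first clause, and the matcher is a simplification of Kubernetes RBAC (no bindings, `resourceNames` or subresources).

```python
import re

# Rules copied from this report: the rule quoted in the description, and the
# rules QA listed when verifying the fix.
OLD_RULES = [{"apiGroups": ["automationbroker.io"],
              "resources": ["bundles", "jobstates", "servicebindings", "serviceinstances"],
              "verbs": ["*"]}]
FIXED_RULES = [{"apiGroups": ["networking.k8s.io"],
                "resources": ["networkpolicies"], "verbs": ["create", "delete"]},
               {"apiGroups": ["automationbroker.io"],
                "resources": ["bundlebindings", "bundleinstances", "bundles"],
                "verbs": ["*"]}]

# Denial text as it appears in the migration log:
#   User "<user>" cannot <verb> <resource>.<group> in the namespace "<ns>"
DENIAL = re.compile(r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) '
                    r'(?P<resource>[a-z0-9-]+)\.(?P<group>[a-z0-9.-]+) '
                    r'in the namespace "(?P<namespace>[^"]+)"')

def parse_denial(line):
    """Return the denied request as a dict, or None if the line is not a denial."""
    m = DENIAL.search(line)
    return m.groupdict() if m else None

def allows(rules, group, resource, verb):
    """True if any rule grants verb on resource in group ("*" is a wildcard)."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return any(hit(r.get("apiGroups", []), group) and
               hit(r.get("resources", []), resource) and
               hit(r.get("verbs", []), verb) for r in rules)

def missing_grants(rules, log_lines):
    """Denied (group, resource, verb) requests in the log that rules do not cover."""
    missing = set()
    for line in log_lines:
        d = parse_denial(line)
        if d and not allows(rules, d["group"], d["resource"], d["verb"]):
            missing.add((d["group"], d["resource"], d["verb"]))
    return sorted(missing)

# Constructed sample: the failing log entry, shortened to its first clause.
SAMPLE_LOG = ['2018/05/21 09:01:35 unable to save service instance - '
              'bundleinstances.automationbroker.io is forbidden: User '
              '"system:serviceaccount:openshift-ansible-service-broker:asb" cannot create '
              'bundleinstances.automationbroker.io in the namespace '
              '"openshift-ansible-service-broker"']

if __name__ == "__main__":
    print("old rules still missing:", missing_grants(OLD_RULES, SAMPLE_LOG))
    print("fixed rules still missing:", missing_grants(FIXED_RULES, SAMPLE_LOG))
```
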