Bug 1655026
Summary: | Install the AMQ failed via the OLM | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Jian Zhang <jiazha> |
Component: | OLM | Assignee: | Evan Cordell <ecordell> |
Status: | CLOSED ERRATA | QA Contact: | Jian Zhang <jiazha> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 4.1.0 | CC: | chezhang, cmarches, dyan, jfan, zitang |
Target Milestone: | --- | ||
Target Release: | 4.1.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-04 10:41:04 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jian Zhang
2018-11-30 11:14:09 UTC
It looks like the AMQ CSV does not list out all of the permissions that it needs. The error is for `kafkamirrormakers.kafka.strimzi.io` which I don't see listed as a required permission at all: https://github.com/operator-framework/operator-lifecycle-manager/blob/master/deploy/chart/catalog_resources/rh-operators/amq-streams.v1.0.0.clusterserviceversion.yaml#L88 This will require a fix in the CSV Evan, Could you help post the fixed PR in here? Change status to "ASSIGNED" first. This is not an OLM bug, this is an issue with Strimzi. Please file with that team. We can assist them with their CSV if they have questions. aggregate-olm-edit is not related to Strimzi permissions, it is just the role that grants edit permission to OLM types. It works well now. Verify it. Details as below: Install it on Web console: "Catalog"->"Operator Hub"->"AMQ Streams". Select the "default" namespace. [jzhang@dhcp-140-18 ~]$ oc get pods -n default NAME READY STATUS RESTARTS AGE strimzi-cluster-operator-54868b4588-qp4p5 1/1 Running 0 8m18s [jzhang@dhcp-140-18 ~]$ oc get sub -n default NAME PACKAGE SOURCE CHANNEL amq-streams amq-streams installed-redhat-default final [jzhang@dhcp-140-18 ~]$ oc get csv -n default NAME DISPLAY VERSION REPLACES PHASE amqstreams.v1.0.0 AMQ Streams 1.0.0 Succeeded [jzhang@dhcp-140-18 ~]$ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.0.0-0.nightly-2019-02-26-125216 True False 105m Cluster version is 4.0.0-0.nightly-2019-02-26-125216 OLM image info: io.openshift.build.commit.id=1ac9ace63034ea90f31e5ad33435d3f5476c7d85 io.openshift.build.commit.url=https://github.com/operator-framework/operator-lifecycle-manager/commit/1ac9ace63034ea90f31e5ad33435d3f5476c7d85 io.openshift.build.source-location=https://github.com/operator-framework/operator-lifecycle-manager A customer has noted the same issue with OCP 3.11: 2019-05-08 07:08:39 WARN WatchConnectionManager:185 - Exec Failure: HTTP 403, Status: 403 - kafkamirrormakers.kafka.strimzi.io is forbidden: User "system:serviceaccount:amq-streams:strimzi-cluster-operator" cannot watch kafkamirrormakers.kafka.strimzi.io in the namespace "amq-streams": no RBAC policy matched They were able to fix it with the following steps: 1) Manually install cluster operator as mentioned in documentation https://access.redhat.com/documentation/en-us/red_hat_amq/7.2/html/using_amq_streams_on_openshift_container_platform/assembly-operators-str 2) Use Operator Framework to install AMQ stream via subscription Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0758 |