Cause: The templateinstance controller switch to the dynamic client in 3.9 did not properly deal with cluster level objects in its create path, as it always tried to set a namespace/project on its create request. This was especially problematic when trying to create projects themselves.
Consequence: The templateinstance controller started failing to create any projects specified in templates.
Fix: The templateinstance controller now determines if each object it is creating is cluster level in scope, and if it is, it does not set the namespace on its dynamic client create request.
Result: The templateinstance controller can now create projects, assuming that capability has been added to its permission set, defined in templates.
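The scope decision described in the Fix text can be modelled with plain REST paths. This is an added example, not the controller's own code: `createPath` is a hypothetical helper, the discovery data is a constructed sample, and it builds URL paths instead of calling the dynamic client.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample shaped like APIResourceList discovery documents.
const discoveryJSON = `[
 {"groupVersion":"v1","resources":[{"name":"secrets","kind":"Secret","namespaced":true}]},
 {"groupVersion":"project.openshift.io/v1","resources":[{"name":"projects","kind":"Project","namespaced":false}]}
]`

type resourceList struct {
	GroupVersion string
	Resources    []struct {
		Name, Kind string
		Namespaced bool // false means the resource is cluster scoped
	}
}

// createPath (hypothetical helper) returns the collection path for a create
// request; the namespace is applied only to resources reported as namespaced.
func createPath(discovery []byte, apiVersion, kind, namespace string) (string, error) {
	var lists []resourceList
	if err := json.Unmarshal(discovery, &lists); err != nil {
		return "", err
	}
	root := "/apis/" + apiVersion
	if !strings.Contains(apiVersion, "/") {
		root = "/api/" + apiVersion // legacy core group has no group segment
	}
	for _, l := range lists {
		for _, r := range l.Resources {
			if l.GroupVersion != apiVersion || r.Kind != kind {
				continue
			}
			if !r.Namespaced { // cluster scoped: ignore the request namespace
				return root + "/" + r.Name, nil
			}
			return root + "/namespaces/" + namespace + "/" + r.Name, nil
		}
	}
	return "", fmt.Errorf("no discovery entry for %s %s", apiVersion, kind)
}

func main() {
	fmt.Println(createPath([]byte(discoveryJSON), "project.openshift.io/v1", "Project", "mycloudpoc"))
}
```

Setting the namespace unconditionally, as the Cause text describes, would produce a namespaced path for Project, a resource that has no namespaced collection.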
XiuJuan - can you provide the precise steps you took in trying to verify the bug?
Would it be possible for me to get access to the cluster you are attempting to verify against?
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2019:1753
Description of problem:
TemplateInstance object in OCP 3.11 is not taking values defined in secret passed in spec.secret.name and therefore the objects defined in the template are not getting instantiated

Version-Release number of selected component (if applicable):
OCP 3.11

How reproducible:
Always

Steps to Reproduce:
1. oc new-project mycloudpoc

2. Create service account:
$ oc create sa mycloudadmin
$ oc adm policy add-cluster-role-to-user cluster-admin system:serviceaccount:openshift-infra:template-instance-controller
$ oc adm policy add-cluster-role-to-user cluster-admin system:serviceaccount:openshift-infra:resourcequota-controller
$ oc create clusterrolebinding mycloudamdin --clusterrole cluster-admin --serviceaccount=mycloudpoc:mycloudadmin

3. Create template file:
$ oc create -f template.json

4. Create a secret "secrettest":
curl -k \
    -X POST \
    -d @- \
    -H "Authorization: Bearer $TOKEN" \
    -H 'Accept: application/json' \
    -H 'Content-Type: application/json' \
    https://openshift.xxx.redhat.com:443/api/v1/namespaces/mycloudpoc/secrets <<EOF
{
  "kind": "Secret",
  "apiVersion": "v1",
  "metadata": {
    "name": "secrettest"
  },
  "stringData": {
    [...]
    "MEM": "4Gi",
    "PROJECT_ADMIN_USER": "foo-admin",
    "PROJECT_NAME": "openshift-proj011",
    "REQUESTER": "foo",
    "RITM": "xyz",
    [...]
  }
}
EOF

5. Instantiate previously created template directly through an API call like this:
curl -k \
    -X POST \
    -d @- \
    -H "Authorization: Bearer $TOKEN" \
    -H 'Accept: application/json' \
    -H 'Content-Type: application/json' \
    https://openshift.xxx.redhat.com:443/apis/template.openshift.io/v1/namespaces/mycloudpoc/templateinstances <<EOF
{
  "kind": "TemplateInstance",
  "apiVersion": "template.openshift.io/v1",
  "metadata": {
    "name": "secrettest"
  },
  "spec": {
    "secret": {
      "name": "secrettest"
    },
    "template": $(curl -k \
      -H "Authorization: Bearer $TOKEN" \
      -H 'Accept: application/json' \
      https://openshift.xxx.redhat.com:443/apis/template.openshift.io/v1/namespaces/mycloudpoc/templates/odenprojcreation)
  }
}
EOF

Actual results:
Objects defined in the template are not created.

Expected results:
Objects should be created.

Additional info:
Same procedure with OCP 3.7 works without issue.