Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1993260

Summary: SRO RBAC error when deploying ping-pong CR
Product: OpenShift Container Platform
Component: Special Resource Operator
Version: 4.9
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Target Milestone: ---
Target Release: 4.9.0
Hardware: Unspecified
OS: Unspecified
Reporter: dagray
Assignee: dagray
QA Contact: liqcui
CC: aos-bugs, wabouham
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2021-10-18 17:46:20 UTC

Description dagray 2021-08-12 16:13:15 UTC
When deploying the ping-pong example SpecialResource CR, SRO fails to create the dependency cert-manager because of missing RBAC permissions.

The operator error can be seen in the SRO logs from the failed 4.9 nightly e2e CI test here:
https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/logs/periodic-ci-openshift-psap-ci-artifacts-release-4.9-sro-e2e-master/1425592979170529280/artifacts/e2e-master/nightly/artifacts/008__sro__capture_deployment_state/sro_operator.log

The problem that allowed for this is that the dependency chart version of cert-manager (v1.3) is not actually being used, so cert-manager is pulling the latest version, which has these changed RBAC requirements.

We also want to update the RBAC to allow SRO to deploy the cert-manager v1.5 chart as well.
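
Added example (not from this bug report or the SRO code base): a pre-deployment check that lists the permissions a chart's Roles/ClusterRoles grant which the operator's own ClusterRole does not cover. Kubernetes refuses to let a subject create a role granting permissions it does not itself hold, so an unpinned chart whose RBAC changes can surface as the kind of error described above. The rule sets are constructed samples, not the real SRO or cert-manager rules, and the matcher ignores subresource wildcards and non-resource URLs.

```python
from itertools import product

# Constructed sample: rules held by the operator's ClusterRole (hypothetical).
OPERATOR_RULES = [
    {"apiGroups": [""], "resources": ["configmaps", "services"],
     "verbs": ["get", "list", "watch", "create", "update"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
     "resourceNames": ["operator-tls"]},
]
# Constructed sample: rules found in the roles a chart would create (hypothetical).
CHART_RULES = [
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "create", "update"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "patch"]},
    {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"], "verbs": ["get", "create"]},
]

def expand(rule):
    """Yield every (apiGroup, resource, verb) triple a PolicyRule grants."""
    return product(rule.get("apiGroups", []), rule.get("resources", []),
                   rule.get("verbs", []))

def covers(held_rules, group, resource, verb):
    """True if any held rule grants the triple; "*" in a held list matches anything."""
    for rule in held_rules:
        if rule.get("resourceNames"):
            continue  # a name-scoped grant cannot cover an unscoped request
        pairs = ((rule.get("apiGroups", []), group),
                 (rule.get("resources", []), resource),
                 (rule.get("verbs", []), verb))
        if all("*" in have or want in have for have, want in pairs):
            return True
    return False

def missing_permissions(held_rules, wanted_rules):
    """Sorted triples granted by wanted_rules that held_rules do not cover."""
    return sorted({t for r in wanted_rules for t in expand(r)
                   if not covers(held_rules, *t)})

if __name__ == "__main__":
    for group, resource, verb in missing_permissions(OPERATOR_RULES, CHART_RULES):
        print(f"operator lacks: {verb} {resource} (apiGroup {group or 'core'})")
```

Running the check in CI against the rendered manifests of the pinned chart version catches RBAC drift before the operator hits it at deploy time.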

Comment 3 liqcui 2021-08-31 14:37:57 UTC
Verified Result:
[mirroradmin@ec2-18-217-45-133 sro]$ oc get specialresources
NAME           AGE
cert-manager   5m17s
multi-build    21m
ping-pong      5m20s
[mirroradmin@ec2-18-217-45-133 sro]$ oc get all -n cert-manager
NAME                                           READY   STATUS    RESTARTS   AGE
pod/cert-manager-5b578dc44c-x9gk8              1/1     Running   0          5m15s
pod/cert-manager-cainjector-548bf687d8-46hg2   1/1     Running   0          5m15s
pod/cert-manager-webhook-6d5cb74789-s6d5h      1/1     Running   0          5m15s

NAME                           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/cert-manager           ClusterIP   172.30.221.84   <none>        9402/TCP   5m15s
service/cert-manager-webhook   ClusterIP   172.30.128.1    <none>        443/TCP    5m15s

NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/cert-manager              1/1     1            1           5m15s
deployment.apps/cert-manager-cainjector   1/1     1            1           5m15s
deployment.apps/cert-manager-webhook      1/1     1            1           5m15s

NAME                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/cert-manager-5b578dc44c              1         1         1       5m15s
replicaset.apps/cert-manager-cainjector-548bf687d8   1         1         1       5m15s
replicaset.apps/cert-manager-webhook-6d5cb74789      1         1         1       5m15s

Comment 6 errata-xmlrpc 2021-10-18 17:46:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759