Bug 1387387 - saml-auth pod can not be deployed automatically
Summary: saml-auth pod can not be deployed automatically
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Brenton Leanhardt
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-10-20 18:32 UTC by Johnny Liu
Modified: 2016-11-14 13:09 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-14 13:09:13 UTC
Target Upstream Version:


Description Johnny Liu 2016-10-20 18:32:40 UTC
Description of problem:
Create the saml-auth pod using the oc new-app command:
# oc new-app --template=saml-auth -p APPLICATION_DOMAIN=saml-auth-test.example.com,OSE_API_PUBLIC_URL=https://ose.example.com:8443/oauth/authorize,LOG_LEVEL=trace5,APPLICATION_IMAGE=registry.ops.openshift.com/openshift3/saml-service-provider

After that, dc deployment is not triggered.

For 3.2/3.3, we could use "oc deploy dc/saml-auth --latest" to manually trigger it as a workaround, while for 3.4, this workaround does not work any more.

-bash-4.2# oc deploy dc/saml-auth --latest
Flag --latest has been deprecated, use 'oc rollout latest' instead
error: cannot trigger a deployment for "saml-auth" because it contains unresolved images - try 'oc rollout latest dc/saml-auth'

-bash-4.2# oc deploy dc/saml-auth
saml-auth deployment #1 waiting on image or update

Now we have another workaround:
# oc edit dc/saml-auth
Remove the "ImageChange" trigger type and save it; after that, saml-auth is deployed automatically.

So I suggest updating the saml-auth template file, https://github.com/openshift/request-header-saml-service-provider/blob/master/saml-auth.template, to remove the following lines:
                    {
                        "imageChangeParams": {
                            "automatic": true,
                            "containerNames": [
                                "saml-auth"
                            ],
                            "from": {
                                "kind": "ImageStreamTag",
                                "name": "saml-service-provider:latest",
                                "namespace": "openshift3"
                            }
                        },
                        "type": "ImageChange"
                    },

Version-Release number of selected component (if applicable):
atomic-openshift-3.4.0.13-1.git.0.406f649.el7.x86_64.rpm

How reproducible:
Always

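
An added example, not part of the original report or the project's code: a Python check that lists the ImageStreamTags a DeploymentConfig's ImageChange triggers watch and flags those with no matching tag, which matches the "unresolved images" condition described above, plus the trigger removal the report uses as a workaround. The sample object and function names are constructed for illustration; `existing_tags` is assumed to be a set of (namespace, name) pairs gathered from the cluster.

```python
import copy

# Constructed sample DeploymentConfig. The ImageChange trigger is the one
# quoted in the report; the ConfigChange trigger is an assumption.
SAMPLE_DC = {
    "kind": "DeploymentConfig",
    "metadata": {"name": "saml-auth"},
    "spec": {"triggers": [
        {"type": "ConfigChange"},
        {"type": "ImageChange",
         "imageChangeParams": {
             "automatic": True,
             "containerNames": ["saml-auth"],
             "from": {"kind": "ImageStreamTag",
                      "name": "saml-service-provider:latest",
                      "namespace": "openshift3"}}},
    ]},
}


def image_change_refs(dc):
    """(namespace, name) of each ImageStreamTag an ImageChange trigger watches."""
    refs = []
    for trig in dc.get("spec", {}).get("triggers", []):
        if trig.get("type") != "ImageChange":
            continue
        src = trig.get("imageChangeParams", {}).get("from", {})
        if src.get("kind") == "ImageStreamTag":
            # A missing namespace means the DeploymentConfig's own namespace.
            ns = src.get("namespace") or dc.get("metadata", {}).get("namespace", "")
            refs.append((ns, src.get("name")))
    return refs


def unresolved_refs(dc, existing_tags):
    """Watched tags absent from existing_tags; the rollout waits on these."""
    return [ref for ref in image_change_refs(dc) if ref not in existing_tags]


def strip_image_change(dc):
    """Copy of dc without ImageChange triggers (the 'oc edit' workaround)."""
    out = copy.deepcopy(dc)
    out["spec"]["triggers"] = [
        t for t in out["spec"].get("triggers", []) if t.get("type") != "ImageChange"]
    return out
```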

Comment 1 Johnny Liu 2016-10-26 03:30:27 UTC
Found a better workaround:
1. oc new-project openshift3 --skip-config-write=true && oadm policy add-cluster-role-to-group system:image-puller system:authenticated -n openshift3
2. docker pull openshift3/saml-service-provider && docker tag openshift3/saml-service-provider {{ registerIp.stdout }}:5000/openshift3/saml-service-provider && docker login -u unused -e unused -p $(oc sa get-token builder -n openshift3) {{ registerIp.stdout }}:5000 && docker push {{ registerIp.stdout }}:5000/openshift3/saml-service-provider
3. oc scale --replicas=1 dc saml-auth

Comment 2 Brenton Leanhardt 2016-10-26 12:16:54 UTC
Hi Jianlin,

With your last comment, would it only involve updating our documentation?

Comment 3 Johnny Liu 2016-10-27 02:47:17 UTC
@Brenton, yes, it only involves updating our documentation. Actually, the steps in comment 1 are already mentioned in https://github.com/openshift/request-header-saml-service-provider/blob/master/README.md; the only point that needs to be highlighted in that doc is that "Pushing the image to the internal docker registry" is necessary. If the user does not do that, the saml-auth pod in 3.4 would not be deployed successfully.

Comment 4 Brenton Leanhardt 2016-11-09 18:56:15 UTC
Jianlin, I've incorporated your suggestions in this PR: https://github.com/openshift/request-header-saml-service-provider/pull/6

For convenience, you can follow the steps by accessing my fork:
https://github.com/brenton/request-header-saml-service-provider/tree/BZ1387387

I noticed a number of other typos and minor fixes needed for OCP 3.4 that you may want to review in that PR.  The main change was that I moved the sections for "ImageStream preparation", "Manually building the docker image" and "Pushing the image to the internal docker registry" to a new section called "Making local modifications".

Those steps are not technically required since they would need to be modified for certain environments.  I moved the new section to the end.  It is wonderful that you discovered these steps needed to be modified for OCP 3.4.

Let me know if the changes look good to you and I can merge this PR.

Comment 5 Johnny Liu 2016-11-10 09:11:40 UTC
After review, most is fine to me. Only one question: as far as I know, 3.3 does not support "oc rollout latest"; it is newly introduced in 3.4. If a user is deploying a 3.3 env, they will be confused.

Comment 6 Brenton Leanhardt 2016-11-11 14:06:48 UTC
That is correct.  Since this tool is not generally available and only used for OpenShift Dedicated my take was that we only need to support the latest version of OpenShift.  It's easy enough for Ops or anyone to see the git history and revert.  I just pushed a tag called ocp_3_3_origin_1_3 to github.com:openshift/request-header-saml-service-provider.git to clarify how you could use an older version.

If this looks good to you let me know and I'll merge the original PR.

Comment 7 Johnny Liu 2016-11-14 02:24:54 UTC
I am okay with it now, please merge the PR.

Comment 8 Brenton Leanhardt 2016-11-14 13:09:13 UTC
I merged the PR.  I'm closing this bug since it doesn't need to be attached to any advisory.

