Description of problem:
Create the saml-auth pod using the oc new-app command:

    # oc new-app --template=saml-auth -p APPLICATION_DOMAIN=saml-auth-test.example.com,OSE_API_PUBLIC_URL=https://ose.example.com:8443/oauth/authorize,LOG_LEVEL=trace5,APPLICATION_IMAGE=registry.ops.openshift.com/openshift3/saml-service-provider

After that, the dc deployment is not triggered. For 3.2/3.3, we could use "oc deploy dc/saml-auth --latest" to manually trigger it as a workaround, while for 3.4, this workaround does not work any more.

    -bash-4.2# oc deploy dc/saml-auth --latest
    Flag --latest has been deprecated, use 'oc rollout latest' instead
    error: cannot trigger a deployment for "saml-auth" because it contains unresolved images - try 'oc rollout latest dc/saml-auth'
    -bash-4.2# oc deploy dc/saml-auth
    saml-auth deployment #1 waiting on image or update

Now we have another workaround:

    # oc edit dc/saml-auth

Remove the "ImageChange" trigger type and save it; after that, saml-auth is deployed automatically.

So I suggest updating the saml-auth template file, https://github.com/openshift/request-header-saml-service-provider/blob/master/saml-auth.template, to remove the following lines:

    {
        "imageChangeParams": {
            "automatic": true,
            "containerNames": [
                "saml-auth"
            ],
            "from": {
                "kind": "ImageStreamTag",
                "name": "saml-service-provider:latest",
                "namespace": "openshift3"
            }
        },
        "type": "ImageChange"
    },

Version-Release number of selected component (if applicable):
atomic-openshift-3.4.0.13-1.git.0.406f649.el7.x86_64.rpm

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Found a better workaround:

1. oc new-project openshift3 --skip-config-write=true && oadm policy add-cluster-role-to-group system:image-puller system:authenticated -n openshift3
2. docker pull openshift3/saml-service-provider && docker tag openshift3/saml-service-provider {{ registerIp.stdout }}:5000/openshift3/saml-service-provider && docker login -u unused -e unused -p $(oc sa get-token builder -n openshift3) {{ registerIp.stdout }}:5000 && docker push {{ registerIp.stdout }}:5000/openshift3/saml-service-provider
3. oc scale --replicas=1 dc saml-auth
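The two workarounds above (making the referenced ImageStreamTag exist, or removing the ImageChange trigger), as an added example that is not part of the bug report or the project's code. The function names, the `default_ns` parameter and the sample template are constructed for illustration; the set of existing tags is assumed to be supplied by the caller.

```python
import copy

# Constructed sample: a minimal template with only the fields relevant here;
# the ImageChange trigger matches the one quoted in the report above.
SAMPLE_TEMPLATE = {
    "kind": "Template",
    "objects": [{
        "kind": "DeploymentConfig",
        "metadata": {"name": "saml-auth"},
        "spec": {"triggers": [
            {"type": "ImageChange",
             "imageChangeParams": {
                 "automatic": True,
                 "containerNames": ["saml-auth"],
                 "from": {"kind": "ImageStreamTag",
                          "name": "saml-service-provider:latest",
                          "namespace": "openshift3"}}},
            {"type": "ConfigChange"},
        ]},
    }],
}


def image_triggers(template, default_ns="default"):
    """Yield (dc name, 'namespace/stream:tag') for each ImageChange trigger."""
    for obj in template.get("objects", []):
        if obj.get("kind") != "DeploymentConfig":
            continue
        for trig in obj.get("spec", {}).get("triggers", []):
            if trig.get("type") == "ImageChange":
                src = trig["imageChangeParams"]["from"]
                # A trigger without a namespace refers to the DC's own project.
                ns = src.get("namespace", default_ns)
                yield obj["metadata"]["name"], f"{ns}/{src['name']}"


def unresolved(template, existing_tags):
    """Triggers whose ImageStreamTag is missing; these block the first rollout."""
    return [(dc, ref) for dc, ref in image_triggers(template)
            if ref not in existing_tags]


def drop_image_triggers(template):
    """Return a copy of the template with every ImageChange trigger removed."""
    out = copy.deepcopy(template)
    for obj in out.get("objects", []):
        if obj.get("kind") == "DeploymentConfig":
            spec = obj.setdefault("spec", {})
            spec["triggers"] = [t for t in spec.get("triggers", [])
                                if t.get("type") != "ImageChange"]
    return out
```

An empty result from `unresolved` corresponds to the state after the image has been pushed to the internal registry; `drop_image_triggers` corresponds to the template edit suggested in the description.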
Hi Jianlin, With your last comment, would it only involve updating our documentation?
@Brenton, yes, it only involves updating our documentation. Actually the steps in comment 1 are already mentioned in https://github.com/openshift/request-header-saml-service-provider/blob/master/README.md; the only point that needs to be highlighted in that doc is that "Pushing the image to the internal docker registry" is necessary. If the user does not do that, the saml-auth pod in 3.4 would not be deployed successfully.
Jianlin, I've incorporated your suggestions in this PR: https://github.com/openshift/request-header-saml-service-provider/pull/6 For convenience, you can follow the steps by accessing my fork: https://github.com/brenton/request-header-saml-service-provider/tree/BZ1387387 I noticed a number of other typos and minor fixes needed for OCP 3.4 that you may want to review in that PR. The main change was that I moved the sections for "ImageStream preparation", "Manually building the docker image" and "Pushing the image to the internal docker registry" to a new section called "Making local modifications". Those steps are not technically required since they would need to be modified for certain environments. I moved the new section to the end. It is wonderful that you discovered these steps needed to be modified for OCP 3.4. Let me know if the changes look good to you and I can merge this PR.
After review, most are fine to me. Only one question: as far as I know, 3.3 does not support "oc rollout latest", it is newly introduced in 3.4. If a user is deploying a 3.3 env, it will be confusing.
That is correct. Since this tool is not generally available and only used for OpenShift Dedicated my take was that we only need to support the latest version of OpenShift. It's easy enough for Ops or anyone to see the git history and revert. I just pushed a tag called ocp_3_3_origin_1_3 to github.com:openshift/request-header-saml-service-provider.git to clarify how you could use an older version. If this looks good to you let me know and I'll merge the original PR.
I am okay with it now, pls merge the PR.
I merged the PR. I'm closing this bug since it doesn't need to be attached to any advisory.