Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1566887 - Can't create app when push code to initial gitserver repo due to forbidden error
Summary: Can't create app when push code to initial gitserver repo due to forbidden error
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: ImageStreams
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ---
Assignee: Ben Parees
QA Contact: Dongbo Yan
Depends On:
TreeView+ depends on / blocked
Reported: 2018-04-13 07:05 UTC by XiuJuan Wang
Modified: 2018-04-16 01:45 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-04-16 01:45:18 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description XiuJuan Wang 2018-04-13 07:05:16 UTC
Description of problem:
Can't create app when push code to init gitserver repo due to forbidden error.

The default oc client in git server pod is 
oc version 
oc v3.7.1+de12586-31
kubernetes v1.7.6+a08f5eeb62
features: Basic-Auth GSSAPI Kerberos SPNEGO

And Qe need test this feature with 3.5 and 3.4, so the client compatibility issue conduct this bug

Works on above 3.6 env

Version-Release number of selected component (if applicable):
openshift v3.
kubernetes v1.5.2+43a9be4

openshift v3.
kubernetes v1.4.0+776c994

docker.io/openshift/origin-gitserver:latest (c788ff7985e7)

How reproducible:

Steps to Reproduce:
1.Create a git server app
Follow as https://github.com/openshift/origin/tree/master/examples/gitserver#deploy-the-git-server
2.Push code to the initial git server 


Actual results:
step 2:

$ git push origin master
Username for 'http://git-git.apps.0412-5ej.qe.rhcloud.com': xiuwang
Password for 'http://xiuwang@git-git.apps.0412-5ej.qe.rhcloud.com': 
Counting objects: 290, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (187/187), done.
Writing objects: 100% (290/290), 46.64 KiB | 0 bytes/s, done.
Total 290 (delta 93), reused 281 (delta 89)
remote: Error from server (Forbidden): User "system:serviceaccount:git:git" cannot list build.openshift.io.buildconfigs in project "git"
remote: error: can't lookup images: User "system:serviceaccount:git:git" cannot create image.openshift.io.imagestreamimports in project "git"
remote: error: no match for "centos/ruby-22-centos7"
remote: The 'oc new-app' command will match arguments to the following types:
remote:   1. Images tagged into image streams in the current project or the 'openshift' project
remote:      - if you don't specify a tag, we'll add ':latest'
remote:   2. Images in the Docker Hub, on remote registries, or on the local Docker engine
remote:   3. Templates in the current project or the 'openshift' project
remote:   4. Git repository URLs or local paths that point to Git repositories
remote: --allow-missing-images can be used to point to an image that does not exist yet.
remote: See 'oc new-app -h' for examples.
To http://git-git.apps.0412-5ej.qe.rhcloud.com/ruby-hello-world
 * [new branch]      master -> master

Expected results:
Should create app successfully when init git server

Additional info:

$ oc get rolebinding  
NAME                    ROLE                    USERS     GROUPS                       SERVICE ACCOUNTS   SUBJECTS
admin                   /admin                  xiuwang                                                   
edit                    /edit                                                          git                
system:deployers        /system:deployer                                               deployer           
system:image-builders   /system:image-builder                                          builder            
system:image-pullers    /system:image-puller              system:serviceaccounts:git                      
[wxj@dhcp-140-124 ruby-hello-world]$ oc get sa  git -o yaml 
apiVersion: v1
- name: git-dockercfg-kvp8b
kind: ServiceAccount
  creationTimestamp: 2018-04-13T06:11:38Z
    app: git
  name: git
  namespace: git
  resourceVersion: "19210"
  selfLink: /api/v1/namespaces/git/serviceaccounts/git
  uid: 86b08309-3ee1-11e8-8560-42010af00002
- name: git-dockercfg-kvp8b
- name: git-token-r7z9r

Comment 1 Ben Parees 2018-04-16 01:45:18 UTC
the gitserver is unsupported so we're not going to worry about cross-version compatibility issues in it.

Note You need to log in before you can comment on or make changes to this bug.