Hide Forgot
Description of problem: when run upgrade task ; TASK [ansible_service_broker : Add required permissions to asb-auth clusterrole] should add permissions to servicebindings and serviceinstance. { "apiGroups": [ "automationbroker.io" ], "resources": [ "bundles", "jobstates", "servicebindings", "serviceinstances" ], "verbs": [ "*" ] } they are replaced by bundlebinding and bundleinstance ,and jobstate is deleted Version-Release number of selected component (if applicable): openshift-ansible-3.10.0-0.47.0 How reproducible: always Steps to Reproduce: 1. installl openshift v3.9 with ansible-service-broker and service-catalog 2. upgrade to 3.10 Actual results: Add right permission to api group. Expected results: Additional info:
update description: TASK [ansible_service_broker : Add required permissions to asb-auth clusterrole] should NOT add permissions to servicebindings and serviceinstance.
PR: https://github.com/openshift/openshift-ansible/pull/8420
Commits pushed to master at https://github.com/openshift/openshift-ansible https://github.com/openshift/openshift-ansible/commit/0981f9f0e10bb7144c57a6aed6fdd2e71d86cbc9 Bug 1579269 - Updating the CRD resource names for migration. https://github.com/openshift/openshift-ansible/commit/9882be2a7f64df464115095ea3efb9b7dac85f80 Merge pull request #8420 from shawn-hurley/bug-1579269 Bug 1579269 - Updating the CRD resource names for migration.
Add the log when job asb-etcd-migration failed: # oc logs -f asb-etcd-migration-v5hnx time="2018-05-21T09:01:35Z" level=info msg="etcd configuration: {asb-etcd.openshift-ansible-service-broker.svc /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt /var/run/asb-etcd-auth/client.crt /var/run/asb-etcd-auth/client.key 2379}" time="2018-05-21T09:01:35Z" level=info msg="== ETCD CX ==" time="2018-05-21T09:01:35Z" level=info msg="EtcdHost: asb-etcd.openshift-ansible-service-broker.svc" time="2018-05-21T09:01:35Z" level=info msg="EtcdPort: 2379" time="2018-05-21T09:01:35Z" level=info msg="Endpoints: [https://asb-etcd.openshift-ansible-service-broker.svc:2379]" 2018/05/21 09:01:35 Dao::BatchGetRaw 2018/05/21 09:01:35 Successfully loaded [ 4 ] objects from etcd dir [ /spec ] 2018/05/21 09:01:35 Batch idx [ 0 ] -> [ 73ead67495322cc462794387fa9884f5 ] 2018/05/21 09:01:35 Batch idx [ 1 ] -> [ d5915e05b253df421efe6e41fb6a66ba ] 2018/05/21 09:01:35 Batch idx [ 2 ] -> [ 03b69500305d9859bb9440d9f9023784 ] 2018/05/21 09:01:35 Batch idx [ 3 ] -> [ 2c259ddd8059b9bc65081e07bf20058f ] 2018/05/21 09:01:35 set spec: 73ead67495322cc462794387fa9884f5 2018/05/21 09:01:35 set spec: d5915e05b253df421efe6e41fb6a66ba 2018/05/21 09:01:35 set spec: 03b69500305d9859bb9440d9f9023784 2018/05/21 09:01:35 set spec: 2c259ddd8059b9bc65081e07bf20058f 2018/05/21 09:01:35 Dao::BatchGetRaw 2018/05/21 09:01:35 Successfully loaded [ 3 ] objects from etcd dir [ /service_instance ] 2018/05/21 09:01:35 set service instance: 55f7fa4e-4557-4a40-ace8-451ee80ff04f 2018/05/21 09:01:35 unable to save service instance - bundleinstances.automationbroker.io is forbidden: User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create bundleinstances.automationbroker.io in the namespace "openshift-ansible-service-broker": User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create bundleinstances.automationbroker.io in project "openshift-ansible-service-broker" time="2018-05-21T09:01:35Z" level=info msg="reverted service instances" 2018/05/21 09:01:35 Dao::DeleteSpec-> [ 73ead67495322cc462794387fa9884f5 ] 2018/05/21 09:01:35 Dao::DeleteSpec-> [ d5915e05b253df421efe6e41fb6a66ba ] 2018/05/21 09:01:35 Dao::DeleteSpec-> [ 03b69500305d9859bb9440d9f9023784 ] 2018/05/21 09:01:35 Dao::DeleteSpec-> [ 2c259ddd8059b9bc65081e07bf20058f ] time="2018-05-21T09:01:35Z" level=info msg="reverted saved specs - exiting now - migration failed" panic: Unable to migrate all the service instances set service instance - bundleinstances.automationbroker.io is forbidden: User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create bundleinstances.automationbroker.io in the namespace "openshift-ansible-service-broker": User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create bundleinstances.automationbroker.io in project "openshift-ansible-service-broker" goroutine 1 [running]: main.main() /builddir/build/BUILD/ansible-service-broker-1.2.11/cmd/migration/main.go:126 +0x357c
image is ready , change it to ON_QA
verified, ansible version: v3.10.0-0.50.0 the cluster role is right. {"apiGroups": ["networking.k8s.io"], "attributeRestrictions": null, "resources": ["networkpolicies"], "verbs": ["create", "delete"]}, {"apiGroups": ["automationbroker.io"], "attributeRestrictions": null, "resources": ["bundlebindings", "bundleinstances", "bundles"], "verbs": ["*"]}]}, "returncode": 0}, "state": "present"}
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1816