Hide Forgot
Description of problem: When using operators from operator hub(marketplace) to install asb, it failed at create CR with errors: An unhandled exception occurred while running the lookup plugin 'k8s'. Error was a <class 'kubernetes.client.rest.ApiException'>, original message: (401) Reason: Unauthorized HTTP response headers: HTTPHeaderDict({'Date': 'Wed, 13 Feb 2019 03:45:12 GMT', 'Content-Length': '129', 'Content-Type': 'application/json', 'Cache-Control': 'no-store'}) HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401} How reproducible: always Steps to Reproduce: 1. install service catalog from operator hub to 'openshift-operators' project operator hub->show community operaotrs->chooose 'service catalog'-> install->choose 'global operaots' og in Target -> click 'subscribe' [core@ip-10-0-8-250 ~]$ oc get pod -n openshift-operators NAME READY STATUS RESTARTS AGE svcat-apiserver-554585dc45-tcwvf 2/2 Running 0 53m svcat-controller-manager-b85874ff6-sc2ns 1/1 Running 7 162m 2. create asb namespace and operator group: $ oc create namespace openshift-ansible-service-broker $ oc create -f asb-operatorgroup.yaml [core@ip-10-0-8-250 asb]$ cat asb-operatorgroup.yaml apiVersion: operators.coreos.com/v1alpha2 kind: OperatorGroup metadata: name: ansible-service-broker namespace: openshift-ansible-service-broker spec: targetNamespaces: - openshift-ansible-service-broker 3. install asb operator to openshift-ansible-service-broker project operator hub ->show community operaotrs->choose 'Automaiton Broker Operator' -> install -> choose 'ansible-service-broker' og as Target -> click subscribe. 4. create automationbroker CR In openshift-ansible-service-broker project->Installed Operator->choose 'Automation Broker Operator'->click 'new' in Automation Broker ->Using default CR showed in console to create. CR: apiVersion: osb.openshift.io/v1alpha1 kind: AutomationBroker metadata: name: ansible-service-broker namespace: openshift-ansible-service-broker spec: createBrokerNamespace: 'false' waitForBroker: 'false' Actual results: automation broker failed to created. [core@ip-10-0-8-250 asb]$ oc get pod NAME READY STATUS RESTARTS AGE automation-broker-operator-7998bfc9c7-dgp26 1/1 Running 0 90s installed-community-ansible-service-broker-9qppd 1/1 Running 0 8m28s [core@ip-10-0-8-250 asb]$ oc get automationbroker -o yaml apiVersion: v1 items: - apiVersion: osb.openshift.io/v1alpha1 kind: AutomationBroker metadata: creationTimestamp: 2019-02-13T03:45:10Z finalizers: - finalizer.osb.openshift.io generation: 1 name: ansible-service-broker namespace: openshift-ansible-service-broker resourceVersion: "667857" selfLink: /apis/osb.openshift.io/v1alpha1/namespaces/openshift-ansible-service-broker/automationbrokers/ansible-service-broker uid: c2e5b9d6-2f41-11e9-8c20-0abcc3a1d520 spec: createBrokerNamespace: "false" waitForBroker: "false" status: conditions: - lastTransitionTime: 2019-02-13T03:45:10Z message: Running reconciliation reason: Running status: "False" type: Running - ansibleResult: changed: 0 completion: 2019-02-13T03:45:12.24313 failures: 1 ok: 0 skipped: 0 lastTransitionTime: 2019-02-13T03:45:12Z message: |+ An unhandled exception occurred while running the lookup plugin 'k8s'. Error was a <class 'kubernetes.client.rest.ApiException'>, original message: (401) Reason: Unauthorized HTTP response headers: HTTPHeaderDict({'Date': 'Wed, 13 Feb 2019 03:45:12 GMT', 'Content-Length': '129', 'Content-Type': 'application/json', 'Cache-Control': 'no-store'}) HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401} reason: Failed status: "True" type: Failure kind: List metadata: resourceVersion: "" selfLink: "" Expected results: automationbroker cr create successfully Additional info:
Please note that to install the automation-broker you will need to take a single necessary action of creating the a cluster role binding. an example is: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: "automation-broker-operator" roleRef: name: admin kind: ClusterRole apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: automation-broker-operator namespace: openshift-ansible-service-broker This should then complete the outcome. We have a PR to add a better error message here: https://github.com/openshift/ansible-service-broker/pull/1182 I do not believe this should be a test blocker anymore or a beta 2 blocker but will use this BZ for the PR mentioned above.
Tried again in 4.0.0-0.nightly-2019-02-13-204401 It's not always reproduced, remove TestBlocker
(In reply to Shawn Hurley from comment #1) > Please note that to install the automation-broker you will need to take a > single necessary action of creating the a cluster role binding. >..... > We have a PR to add a better error message here: > https://github.com/openshift/ansible-service-broker/pull/1182 > > I do not believe this should be a test blocker anymore or a beta 2 blocker > but will use this BZ for the PR mentioned above. We now can install asb from marketplace. But still need to create clusterrolebinding before provision. Whether this is workaround or desigined?If this designed, we need to add this step in doc.
As per my conversation with @shurley, `creating clusterrolebinding before provision` is documented. Hence, I am closing the issue.
I would like to test the new error message. Alay is correct that cluster role binding is being documented already.
Verified, Cluster version is 4.0.0-0.nightly-2019-03-05-065158 ASB: 1.4.4 create clusterrolebinding process is added to doc.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0758