Bug 1806158 - [IPI][OSP] 403 error when creating Swift Image Registry backend without swiftoperator role
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 4.5.0
Assignee: Mike Fedosin
QA Contact: XiuJuan Wang
Depends On:
Blocks: 1810490
Reported: 2020-02-22 13:39 UTC by Mike Fedosin
Modified: 2020-08-04 18:01 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1810490
Last Closed: 2020-08-04 18:01:47 UTC
Target Upstream Version:

System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift cluster-image-registry-operator pull 465 | 0 | None | closed | Bug 1806158: Ignore Swift backend if the user doesn't have required permissions | 2020-06-23 08:44:33 UTC
Red Hat Product Errata | RHBA-2020:2409 | 0 | None | None | None | 2020-08-04 18:01:50 UTC

Description Mike Fedosin 2020-02-22 13:39:03 UTC
When I deploy a cluster on OpenStack with Swift enabled, but without the swiftoperator role, cluster-image-registry-operator fails to create a container and I get a 403 error during the installation.

Comment 1 Adam Kaplan 2020-02-27 21:28:08 UTC
`swiftoperator` role is a prerequisite for IPI installs on OpenStack [1]. Customers who don't want to do this should use the UPI flows instead [2]. In 4.4 we will need to update this document to allow customers to use RWO storage via a PVC.

[1] https://docs.openshift.com/container-platform/4.3/installing/installing_openstack/installing-openstack-installer-custom.html#installation-osp-enabling-swift_installing-openstack-installer-custom
[2] https://docs.openshift.com/container-platform/4.3/installing/installing_openstack/installing-openstack-installer-custom.html

Comment 4 XiuJuan Wang 2020-03-18 03:28:56 UTC
It's the same behavior as in https://bugzilla.redhat.com/show_bug.cgi?id=1810490#c4 - the PVC is in Pending status, with no PV bound.
Tested in a 4.5.0-0.nightly-2020-03-17-011909 cluster

$oc get pods
NAME                                               READY   STATUS    RESTARTS   AGE
cluster-image-registry-operator-8548dc8975-gf42b   2/2     Running   0          43m
image-registry-564c5b68d4-4n8rw                    0/1     Pending   0          43m
node-ca-dktf4                                      1/1     Running   0          43m
node-ca-k8vkn                                      1/1     Running   0          43m
node-ca-vjql9                                      1/1     Running   0          43m
node-ca-x8mfp                                      1/1     Running   0          37m

$ oc get pvc  -o yaml 
apiVersion: v1
- apiVersion: v1
  kind: PersistentVolumeClaim
      imageregistry.openshift.io: "true"
      volume.beta.kubernetes.io/storage-provisioner: kubernetes.io/cinder
      volume.kubernetes.io/selected-node: wxjosp2-p2sxl-worker-ctx9r
    creationTimestamp: "2020-03-18T02:41:37Z"
    - kubernetes.io/pvc-protection
    name: image-registry-storage
    namespace: openshift-image-registry
    resourceVersion: "29921"
    selfLink: /api/v1/namespaces/openshift-image-registry/persistentvolumeclaims/image-registry-storage
    uid: 57f9759b-df16-4d96-bde2-980a207c216c
    - ReadWriteOnce
        storage: 100Gi
    storageClassName: standard
    volumeMode: Filesystem
    phase: Pending
kind: List
  resourceVersion: ""
  selfLink: ""

$oc get pv  --all-namespaces 
No resources found
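
The behavior named in the linked pull request title (ignore the Swift backend when the user lacks the required permissions), as an added Go example; it is not the operator's code and is not part of any comment in this thread. Probing by a container PUT, the function names, the tokens and the test server are assumptions constructed for illustration. Only a 403 selects the PVC; any other failure is returned as an error so that an authentication or endpoint problem does not silently change the storage backend.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// chooseBackend (hypothetical name) tries to create the registry container in
// Swift. 201/202: use Swift. 403: the token lacks the role, so use a PVC.
func chooseBackend(c *http.Client, accountURL, token, container string) (string, error) {
	req, err := http.NewRequest(http.MethodPut, accountURL+"/"+container, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("X-Auth-Token", token)
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusCreated, http.StatusAccepted:
		return "swift", nil
	case http.StatusForbidden:
		return "pvc", nil
	default:
		return "", fmt.Errorf("swift: unexpected status %d", resp.StatusCode)
	}
}

// fakeSwift is a constructed stand-in for a Swift endpoint with made-up tokens.
func fakeSwift() *httptest.Server {
	status := map[string]int{"operator-token": http.StatusCreated, "member-token": http.StatusForbidden}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if s, ok := status[r.Header.Get("X-Auth-Token")]; ok {
			w.WriteHeader(s)
			return
		}
		w.WriteHeader(http.StatusUnauthorized) // unknown or expired token
	}))
}

func main() {
	srv := fakeSwift()
	defer srv.Close()
	fmt.Println(chooseBackend(srv.Client(), srv.URL+"/v1/AUTH_test", "member-token", "image-registry"))
}
```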

Comment 8 errata-xmlrpc 2020-08-04 18:01:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5 image release advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.