Description of problem:
Can't change the annotations of a group if the name is an LDAP name. Only "oc annotate" fails while other commands work. See the steps to reproduce.

Version-Release number of selected component (if applicable):
4.6.9

How reproducible:
Always

Steps to Reproduce:

$ oc get group.user.openshift.io
NAME                                                USERS
CN=Group1,OU=Groups,OU=People,DC=example,DC=local

$ oc get group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local -o yaml
apiVersion: user.openshift.io/v1
kind: Group
metadata:
  creationTimestamp: "2021-01-18T08:43:02Z"
  name: CN=Group1,OU=Groups,OU=People,DC=example,DC=local
  resourceVersion: "86058"
  selfLink: /apis/user.openshift.io/v1/groups/CN%3DGroup1%2COU%3DGroups%2COU%3DPeople%2CDC%3Dexample%2CDC%3Dlocal
  uid: c4671196-9832-4215-933d-aae8ea63ff8a
users: null

$ oc annotate group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local openshift.io/ldap.url=ldap.example.local:389
error: one or more resources must be specified as <resource> <name> or <resource>/<name>

$ oc patch group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local -p '{"metadata":{"annotations":{"openshift.io/ldap.url": "ldap.example.local:389"}}}'
group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local patched

$ oc get group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local -o yaml
apiVersion: user.openshift.io/v1
kind: Group
metadata:
  annotations:
    openshift.io/ldap.url: ldap.example.local:389
  creationTimestamp: "2021-01-18T08:43:02Z"
  name: CN=Group1,OU=Groups,OU=People,DC=example,DC=local
  resourceVersion: "86058"
  selfLink: /apis/user.openshift.io/v1/groups/CN%3DGroup1%2COU%3DGroups%2COU%3DPeople%2CDC%3Dexample%2CDC%3Dlocal
  uid: c4671196-9832-4215-933d-aae8ea63ff8a
users: null

$ oc adm groups new group1
group.user.openshift.io/group1 created

$ oc annotate group.user.openshift.io/group1 openshift.io/ldap.url=ldap.example.local:389
group.user.openshift.io/group1 annotated

Actual results:
"oc patch" is unable to parse the command line properly to detect the annotation and group name.

Expected results:
"oc patch" should be able to parse the command line properly no matter the group name.
Correction to Actual results:
"oc annotate" is unable to parse the command line properly to detect the annotation and group name.

Correction to Expected results:
"oc annotate" should be able to parse the command line properly no matter the group name.
*** Bug 1917277 has been marked as a duplicate of this bug. ***
There's a temporary workaround to save the group in a file and then invoke:

oc get group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local -o yaml>group.yaml
oc annotate -f group.yaml openshift.io/ldap.url=ldap.example.local:389

This will allow annotation to work right away.

The problem at hand is that LDAP group contains characters such as '=' (equal sign) and ',' (comma) which are used for passing multiple resources (comma) or to pass key=value pairs for annotation (equal sign). I'm not sure how far we can go with fixing this issue, but I hope this workaround is a reasonable middle ground for now, at least.
Thanks Maciej. I offered as a workaround the "oc patch" approach but yours can work also. I wonder how "oc patch" does the parsing as it's also a command prone to have also , (comma) and = (equal) signs but it definitively works.
(In reply to Sergio G. from comment #4)
> Thanks Maciej. I offered as a workaround the "oc patch" approach but yours
> can work also.
>
> I wonder how "oc patch" does the parsing as it's also a command prone to
> have also , (comma) and = (equal) signs but it definitively works.

oc patch has a different schematics so it's not affected by above problems.
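
Added example, not part of the thread and not code from oc: a simplified Go model of the ambiguity described in the comments above, where positional arguments are split into resources and key=value changes. The function names and the exact classification rule are assumptions for illustration; in the report's "oc patch" command the payload travels in the -p flag, so no positional argument has to be classified this way.

```go
package main

import (
	"fmt"
	"strings"
)

// splitAnnotateArgs models how positional arguments are divided into
// resources and annotation changes. Assumed, simplified rule: any argument
// containing '=' or ending in '-' is treated as an annotation change.
func splitAnnotateArgs(args []string) (resources, pairs []string, err error) {
	for _, a := range args {
		isPair := strings.Contains(a, "=") || strings.HasSuffix(a, "-")
		switch {
		case isPair:
			pairs = append(pairs, a)
		case len(pairs) > 0:
			return nil, nil, fmt.Errorf("resource %q given after annotation changes", a)
		default:
			resources = append(resources, a)
		}
	}
	if len(resources) == 0 {
		// Same message the report shows: the DN was counted as a change.
		return nil, pairs, fmt.Errorf("one or more resources must be specified as <resource> <name> or <resource>/<name>")
	}
	return resources, pairs, nil
}

// needsFileWorkaround reports whether a group name carries characters that
// the command line reserves ('=' for pairs, ',' for resource lists), so the
// object should be passed with "-f group.yaml" instead of by name.
func needsFileWorkaround(name string) bool {
	return strings.ContainsAny(name, "=,")
}

func main() {
	change := "openshift.io/ldap.url=ldap.example.local:389"
	targets := []string{ // both names are taken from the report
		"group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local",
		"group.user.openshift.io/group1",
	}
	for _, target := range targets {
		res, pairs, err := splitAnnotateArgs([]string{target, change})
		fmt.Printf("%s\n  resources=%v pairs=%d workaround=%v err=%v\n",
			target, res, len(pairs), needsFileWorkaround(target), err)
	}
}
```

A check like needsFileWorkaround can gate automation that annotates synced LDAP groups, so DN-style names are routed through the -f workaround instead of failing on the command line.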
Robert, given this limitation, I'd suggest opening a doc update and sync with Andrea who manages our docs effort.
This will be included in the docs. Since this won't be solved due to how annotate works upstream and there exists a viable workaround, I'm going to close this as is.