When deploying the ping-pong example SpecialResource CR, SRO fails to create the dependency cert-manager because of missing RBAC permissions. The operator error can be seen on SRO logs from the failed 4.9 nightly e2e CI test here: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/logs/periodic-ci-openshift-psap-ci-artifacts-release-4.9-sro-e2e-master/1425592979170529280/artifacts/e2e-master/nightly/artifacts/008__sro__capture_deployment_state/sro_operator.log The problem that allowed for this, is that the dependency chart version of cert-manager (v1.3) is not actually being used, so cert-manager is pulling the latest version, which has these changed RBAC requirements. We also want to update the RBAC to allow SRO to deploy the cert-manager v1.5 chart as well.
Verified Result: [mirroradmin@ec2-18-217-45-133 sro]$ oc get specialresources NAME AGE cert-manager 5m17s multi-build 21m ping-pong 5m20s [mirroradmin@ec2-18-217-45-133 sro]$ oc get all -n cert-manager NAME READY STATUS RESTARTS AGE pod/cert-manager-5b578dc44c-x9gk8 1/1 Running 0 5m15s pod/cert-manager-cainjector-548bf687d8-46hg2 1/1 Running 0 5m15s pod/cert-manager-webhook-6d5cb74789-s6d5h 1/1 Running 0 5m15s NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/cert-manager ClusterIP 172.30.221.84 <none> 9402/TCP 5m15s service/cert-manager-webhook ClusterIP 172.30.128.1 <none> 443/TCP 5m15s NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/cert-manager 1/1 1 1 5m15s deployment.apps/cert-manager-cainjector 1/1 1 1 5m15s deployment.apps/cert-manager-webhook 1/1 1 1 5m15s NAME DESIRED CURRENT READY AGE replicaset.apps/cert-manager-5b578dc44c 1 1 1 5m15s replicaset.apps/cert-manager-cainjector-548bf687d8 1 1 1 5m15s replicaset.apps/cert-manager-webhook-6d5cb74789 1 1 1 5m15s
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759