Bug 1993260 - SRO RBAC error when deploying ping-pong CR
Summary: SRO RBAC error when deploying ping-pong CR
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Special Resource Operator
Version: 4.9
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.9.0
Assignee: dagray
QA Contact: liqcui
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-08-12 16:13 UTC by dagray
Modified: 2021-10-18 17:46 UTC (History)
2 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-18 17:46:20 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift special-resource-operator pull 31 0 None None None 2021-08-16 15:57:08 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:46:34 UTC

Description dagray 2021-08-12 16:13:15 UTC
When deploying the ping-pong example SpecialResource CR, SRO fails to create the dependency cert-manager because of missing RBAC permissions.

The operator error can be seen on SRO logs from the failed 4.9 nightly e2e CI test here:
https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/logs/periodic-ci-openshift-psap-ci-artifacts-release-4.9-sro-e2e-master/1425592979170529280/artifacts/e2e-master/nightly/artifacts/008__sro__capture_deployment_state/sro_operator.log

The problem that allowed for this is that the dependency chart version of cert-manager (v1.3) is not actually being used, so cert-manager is pulling the latest version, which has these changed RBAC requirements.

We also want to update the RBAC to allow SRO to deploy the cert-manager v1.5 chart as well.
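
As an added example (not SRO's, cert-manager's or this bug's own code), the following Python check covers the two conditions the report describes: a chart dependency whose version is not pinned, so whatever the repository serves as latest gets pulled, and an operator ClusterRole that does not grant the verbs needed on every API resource the rendered dependency creates. The Chart.yaml dependencies, rendered objects, ClusterRole rules and the Kind-to-resource map are all constructed for illustration; in practice you would feed it the parsed output of `helm template` and the operator's real ClusterRole manifest.

```python
"""Added example, not project code: flag unpinned Helm chart dependencies and
report API resources in a rendered chart that an operator's ClusterRole does
not cover. Every data structure below is constructed for illustration."""

# Constructed: the `dependencies` list of a Chart.yaml, already parsed.
# The first entry mirrors the report: no usable version constraint, so the
# latest published chart (with new RBAC needs) would be pulled.
CHART_DEPENDENCIES = [
    {"name": "cert-manager", "repository": "https://charts.jetstack.io", "version": ""},
    {"name": "example-pinned-chart", "repository": "https://example.invalid/charts", "version": "1.2.3"},
]

# Constructed: objects found in the rendered dependency manifests.
RENDERED_OBJECTS = [
    {"apiVersion": "apps/v1", "kind": "Deployment"},
    {"apiVersion": "v1", "kind": "ServiceAccount"},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole"},
    {"apiVersion": "admissionregistration.k8s.io/v1", "kind": "MutatingWebhookConfiguration"},
    {"apiVersion": "apiextensions.k8s.io/v1", "kind": "CustomResourceDefinition"},
]

# Constructed: `rules` of the operator's ClusterRole, as parsed from YAML.
OPERATOR_RULES = [
    {"apiGroups": [""], "resources": ["serviceaccounts", "services", "configmaps"], "verbs": ["*"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles", "clusterrolebindings"], "verbs": ["*"]},
]

# Kind -> resource plural, limited to the kinds used above (assumed mapping).
KIND_TO_RESOURCE = {
    "Deployment": "deployments",
    "ServiceAccount": "serviceaccounts",
    "ClusterRole": "clusterroles",
    "MutatingWebhookConfiguration": "mutatingwebhookconfigurations",
    "CustomResourceDefinition": "customresourcedefinitions",
}

# Verbs an operator that owns the full lifecycle of a dependency typically needs.
LIFECYCLE_VERBS = ["create", "get", "list", "watch", "update", "patch", "delete"]


def unpinned_dependencies(deps):
    """Return names of dependencies whose version is empty, 'latest', or a range."""
    unpinned = []
    for dep in deps:
        version = (dep.get("version") or "").strip()
        floating = version in ("", "latest") or bool(set(version) & set("*>^~"))
        if floating:
            unpinned.append(dep["name"])
    return unpinned


def api_group(api_version):
    """'apps/v1' -> 'apps'; a bare 'v1' is the core group, spelled '' in RBAC."""
    return api_version.split("/", 1)[0] if "/" in api_version else ""


def rule_allows(rule, group, resource, verb):
    """True when one PolicyRule grants `verb` on `resource` in `group`."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))


def missing_permissions(objects, rules, verb="create"):
    """Sorted (group, resource) pairs for which no rule grants `verb`."""
    missing = set()
    for obj in objects:
        group = api_group(obj["apiVersion"])
        resource = KIND_TO_RESOURCE[obj["kind"]]
        if not any(rule_allows(rule, group, resource, verb) for rule in rules):
            missing.add((group, resource))
    return sorted(missing)


def rules_for_missing(missing):
    """Build one narrowly scoped PolicyRule per missing (group, resource) pair."""
    return [{"apiGroups": [group], "resources": [resource], "verbs": list(LIFECYCLE_VERBS)}
            for group, resource in missing]


if __name__ == "__main__":
    print("unpinned dependencies:", unpinned_dependencies(CHART_DEPENDENCIES))
    gaps = missing_permissions(RENDERED_OBJECTS, OPERATOR_RULES)
    print("ClusterRole gaps for 'create':", gaps)
    print("rules to add:", rules_for_missing(gaps))
```

Run against the constructed data, the first check names cert-manager as unpinned, and the second reports that the operator cannot create mutatingwebhookconfigurations or customresourcedefinitions, which is exactly the class of gap that appears when a newer chart starts shipping kinds the ClusterRole was never written for. Adding only the generated per-resource rules, rather than a blanket wildcard, keeps the operator's grant close to what the chart actually needs.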

Comment 3 liqcui 2021-08-31 14:37:57 UTC
Verified Result:
[mirroradmin@ec2-18-217-45-133 sro]$ oc get specialresources
NAME           AGE
cert-manager   5m17s
multi-build    21m
ping-pong      5m20s
[mirroradmin@ec2-18-217-45-133 sro]$ oc get all -n cert-manager
NAME                                           READY   STATUS    RESTARTS   AGE
pod/cert-manager-5b578dc44c-x9gk8              1/1     Running   0          5m15s
pod/cert-manager-cainjector-548bf687d8-46hg2   1/1     Running   0          5m15s
pod/cert-manager-webhook-6d5cb74789-s6d5h      1/1     Running   0          5m15s

NAME                           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/cert-manager           ClusterIP   172.30.221.84   <none>        9402/TCP   5m15s
service/cert-manager-webhook   ClusterIP   172.30.128.1    <none>        443/TCP    5m15s

NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/cert-manager              1/1     1            1           5m15s
deployment.apps/cert-manager-cainjector   1/1     1            1           5m15s
deployment.apps/cert-manager-webhook      1/1     1            1           5m15s

NAME                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/cert-manager-5b578dc44c              1         1         1       5m15s
replicaset.apps/cert-manager-cainjector-548bf687d8   1         1         1       5m15s
replicaset.apps/cert-manager-webhook-6d5cb74789      1         1         1       5m15s

Comment 6 errata-xmlrpc 2021-10-18 17:46:20 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759
