-
Notifications
You must be signed in to change notification settings - Fork 139
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create Openshift ProjectRequest attempts to patch #623
Comments
Somehow creating the project request works if I using |
I am not a python programmer, but I think the code flow ends up in the wrong branch here: kubernetes.core/plugins/module_utils/k8s/runner.py Lines 175 to 195 in 54d8193
A regular user can only CREATE projectrequests in the (dumb) Openshift API, and I think the variables used in this if-else do not take that correctly into account... |
Yes, it looks like the refactoring introduced a bug here. |
Thanks for the feedback @gravesm! Is this something that will be fixed? Our upgrade to Ansible 7 is currently blocked by this, and I expect other Openshift users in multi-tenant environments to be affected as well. |
I can't give a date for when this would be fixed. We would certainly consider a PR for this if someone wants to submit one. |
This issue is caused by ansible-collections/kubernetes.core#623 Workaround is to not fail on this task when it is reported that projectrequest already exists.
This issue is caused by ansible-collections/kubernetes.core#623 Workaround is to not fail on this task when it is reported that projectrequest already exists.
The problem appears to be that a Returning
So I would say the issue lies in correctly finding out if the project exists or not. |
Would it be possible to remove the special handling for Openshift custom resources? IMO it does not make sense to adapt a generic collection like |
The culprit here is the Openshift APIs. There is no way to write idempotent code without tailoring the logic around the (broken) kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: self-provisioner
annotations:
openshift.io/description: A user that can request projects.
rbac.authorization.kubernetes.io/autoupdate: 'true'
rules:
- verbs:
- create
apiGroups:
- ''
- project.openshift.io
resources:
- projectrequests Does this collection support
|
Trying to exploit the Openshift-adoption in the referenced code (#623 (comment)), declaring
|
@gravesm Now there's an open PR for some time that could fix this. Please take a look. 🙏 |
SUMMARY
We have a role to create/delete Openshift projects that has been working fine for many Ansible releases. But when attempting to upgrade to Ansible 7, it suddenly fails when attempting to create a new project. The Openshift project API is very confusing, and not idempotent, but this used to work. To create an Openshift project, a user must CREATE a ProjectRequest, which will make the cluster create a new Project (Namespace). This may only happen once, and a user is not allowed to modify (PATCH) any of the project resources.
With Ansible 7, the attempt to create the project fails with the following error (example):
ISSUE TYPE
COMPONENT NAME
kubernetes.core.k8s
ANSIBLE VERSION
COLLECTION VERSION
CONFIGURATION
OS / ENVIRONMENT
N/A
STEPS TO REPRODUCE
Pre-requirements: An Openshift cluster with
self-provisioner
access. The project/namespace that we attempt to create must NOT already exist.EXPECTED RESULTS
The project request is CREATED in the Openshift API without error.
ACTUAL RESULTS
The attempt to create the project request fails with error (example):
msg: 'Failed to patch object: b''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"projectrequests.project.openshift.io \\"kafka-rev-ansible-7-g5cfyt\\" is forbidden: User \\"system:serviceaccount:kafka:gitlab\\" cannot patch resource \\"projectrequests\\" in API group \\"project.openshift.io\\" at the cluster scope","reason":"Forbidden","details":{"name":"kafka-rev-ansible-7-g5cfyt","group":"project.openshift.io","kind":"projectrequests"},"code":403}\n''' reason: Forbidden
. Note: the project is actually created by this failing task.The text was updated successfully, but these errors were encountered: