<div dir="ltr">This is my fault as the docker image <a href="http://docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.7">docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.7</a> wasn't updated and was still the old one.<div><br></div><div>I have redeployed and the problem is gone. Thanks</div><div class="gmail_extra"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="color:rgb(0,0,0);font-family:overpass,sans-serif;font-size:10px"><div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Fri, Mar 2, 2018 at 3:24 PM, David Zager <span dir="ltr"><<a href="mailto:dzager@redhat.com" target="_blank">dzager@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Something is not right here. The original error message posted was:<span class=""><div><span style="color:rgb(33,33,33)"><br></span></div><div><span style="color:rgb(33,33,33)">[2018-02-28T20:33:59.598Z] [ERROR] - </span><b style="color:rgb(33,33,33)">unable to create network policy object - User "system:serviceaccount:<wbr>openshift-ansible-service-<wbr>broker:asb" cannot create <a href="http://networkpolicies.networking.k8s.io/" target="_blank">networkpolicies.<wbr>networking.k8s.io</a> in the namespace "project31": User "system:serviceaccount:<wbr>openshift-ansible-service-<wbr>broker:asb" cannot create <a href="http://networkpolicies.networking.k8s.io/" target="_blank">networkpolicies.<wbr>networking.k8s.io</a> in project "project31" (post <a href="http://networkpolicies.networking.k8s.io/" target="_blank">networkpolicies.<wbr>networking.k8s.io</a>)</b></div><div><br></div></span><div>and it comes from <a href="https://github.com/openshift/ansible-service-broker/blob/ff1f14a421dbdab5834ebd994615081db0f09ac5/pkg/runtime/runtime.go#L225" target="_blank">https://github.com/openshift/<wbr>ansible-service-broker/blob/<wbr>ff1f14a421dbdab5834ebd99461508<wbr>1db0f09ac5/pkg/runtime/<wbr>runtime.go#L225</a> but pkg/runtime/runtime.go does not exist in the v3.7 image:</div><div><br></div><div><div>$ docker pull <a href="http://docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.7" target="_blank">docker.io/<wbr>ansibleplaybookbundle/origin-<wbr>ansible-service-broker:v3.7</a></div><div>Trying to pull repository <a href="http://docker.io/ansibleplaybookbundle/origin-ansible-service-broker" 
target="_blank">docker.io/<wbr>ansibleplaybookbundle/origin-<wbr>ansible-service-broker</a> ...</div><div>sha256:<wbr>25026da783b7b8777f07fc90fefd03<wbr>7bb785424d5a7f364875e9df6d0321<wbr>d76b: Pulling from <a href="http://docker.io/ansibleplaybookbundle/origin-ansible-service-broker" target="_blank">docker.io/<wbr>ansibleplaybookbundle/origin-<wbr>ansible-service-broker</a></div><div>Digest: sha256:<wbr>25026da783b7b8777f07fc90fefd03<wbr>7bb785424d5a7f364875e9df6d0321<wbr>d76b</div><div>Status: Image is up to date for <a href="http://docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.7" target="_blank">docker.io/<wbr>ansibleplaybookbundle/origin-<wbr>ansible-service-broker:v3.7</a></div></div><div><br></div><div><div>$ docker run -it --entrypoint /bin/bash <a href="http://docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.7" target="_blank">docker.io/<wbr>ansibleplaybookbundle/origin-<wbr>ansible-service-broker:v3.7</a></div><div>bash-4.2$ ls $GOPATH/src/<a href="http://github.com/openshift/ansible-service-broker/pkg/runtime" target="_blank">github.com/<wbr>openshift/ansible-service-<wbr>broker/pkg/runtime</a></div><div>hack.go</div><div># Furthermore, searching for that error message in the v3.7 image shows that error doesn't exist in the v3.7 image</div><div><div>bash-4.2$ grep -r 'unable to create' $GOPATH/src/<a href="http://github.com/openshift/ansible-service-broker/pkg" target="_blank">github.com/<wbr>openshift/ansible-service-<wbr>broker/pkg</a></div></div></div><div><br></div><div>The most likely cause for this is that the broker image was not updated. 
I am open to other possibilities, could you rule this one out please?</div><div><br></div><div>Respectfully,</div><div>David Zager</div><div><br></div><div><br></div></div><div class="HOEnZb"><div class="h5"><br><div class="gmail_quote"><div dir="ltr">On Fri, Mar 2, 2018 at 9:12 AM Ryan Hallisey <<a href="mailto:rhallise@redhat.com" target="_blank">rhallise@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>In case this helps Charles, a temporary work around would be to: oc edit clusterrole asb-auth<br></div><br>and add:<br><br>  - apiGroups: ["<a href="http://network.openshift.io" target="_blank">network.openshift.io</a>", ""]<br>    attributeRestrictions: null<br>    resources: ["clusternetworks", "netnamespaces"]<br>    verbs: ["get"]<br>  - apiGroups: ["<a href="http://network.openshift.io" target="_blank">network.openshift.io</a>", ""]<br>    attributeRestrictions: null<br>    resources: ["netnamespaces"]<br>    verbs: ["update"]<br>  - apiGroups: ["<a href="http://networking.k8s.io" target="_blank">networking.k8s.io</a>", ""]<br>    attributeRestrictions: null<br>    resources: ["networkpolicies"]<br>    verbs: ["create", "delete"]<br><br><br></div><div>Thanks,<br></div>- Ryan<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 2, 2018 at 9:03 AM, Charles Moulliard <span dir="ltr"><<a href="mailto:cmoullia@redhat.com" target="_blank">cmoullia@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">We have redeployed using openshift-ansible playbook ASB using image v3.,7 and networkpolicies issue is still there<div><div class="m_1560058596939177541m_-5334516735271281297h5"><div class="gmail_extra"><div><div class="m_1560058596939177541m_-5334516735271281297m_-1126900832318680940gmail_signature" data-smartmail="gmail_signature"><div 
dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="color:rgb(0,0,0);font-family:overpass,sans-serif;font-size:10px"><div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Thu, Mar 1, 2018 at 4:19 PM, David Zager <span dir="ltr"><<a href="mailto:dzager@redhat.com" target="_blank">dzager@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Greetings Charles,<div><br></div><div>The image in question, <a href="https://hub.docker.com/r/ansibleplaybookbundle/origin-ansible-service-broker/tags/" target="_blank">docker.io/<wbr>ansibleplaybookbundle/origin-<wbr>ansible-service-broker:v3.7</a> has been updated to be built using the code from the <a href="https://github.com/openshift/ansible-service-broker/tree/release-1.0" target="_blank">release-1.0</a> branch of the broker project. Apologies for the trouble and thank you for helping us find the root cause.</div><div><br></div><div><a href="https://github.com/openshift/ansible-service-broker/pull/803" target="_blank">https://github.com/openshift/<wbr>ansible-service-broker/pull/<wbr>803</a> should prevent this from happening in the future.<br></div><div><br></div><div>Respectfully,<br>David Zager</div><div><div class="m_1560058596939177541m_-5334516735271281297m_-1126900832318680940h5"><br><div class="gmail_quote"><div dir="ltr">On Thu, Mar 1, 2018 at 9:45 AM Shawn Hurley <<a href="mailto:shurley@redhat.com" target="_blank">shurley@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space">Hello Charles,<div><br></div><div>It appears that we have had a little mix up on the versions that we tagged. You are currently getting the canary version of the broker. </div><div>We are working on rebuilding and re-tagging the correct images and will keep everyone informed with this email thread. 
Sorry about the mix up.</div><div><br></div><div>Thanks,</div><div><br></div><div>Shawn Hurley</div></div><div style="word-wrap:break-word;line-break:after-white-space"><div><div><br><blockquote type="cite"><div>On Mar 1, 2018, at 12:40 AM, Charles Moulliard <<a href="mailto:cmoullia@redhat.com" target="_blank">cmoullia@redhat.com</a>> wrote:</div><br class="m_1560058596939177541m_-5334516735271281297m_-1126900832318680940m_-6534722783986833145m_6098939470900032556m_479842504126028098Apple-interchange-newline"><div><div dir="ltr">I confirm that version 3.7 has been installed<div><br></div><div><a href="https://www.dropbox.com/s/h7m72h23k7myjyw/Screenshot%202018-03-01%2006.39.40.png?dl=0" target="_blank">https://www.dropbox.com/s/<wbr>h7m72h23k7myjyw/Screenshot%<wbr>202018-03-01%2006.39.40.png?<wbr>dl=0</a><br></div><div class="gmail_extra"><div><div class="m_1560058596939177541m_-5334516735271281297m_-1126900832318680940m_-6534722783986833145m_6098939470900032556m_479842504126028098gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-family:overpass,sans-serif;font-size:10px"><div style="font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:uppercase"><br></div><div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Thu, Mar 1, 2018 at 12:47 AM, Erik Nelson <span dir="ltr"><<a href="mailto:ernelson@redhat.com" target="_blank">ernelson@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Charles, you guys are deploying upstream origin with<br>
openshift-ansible? We discovered today thanks to your report that the<br>
upstream openshift-ansible code was configured to default to "latest"<br>
broker images, which is our 3.9 image. I will see if I can reproduce<br>
your issue as well.<br>
<br>
+1 to shurley's comment, we have to confirm what version of the image<br>
you are running, via tag.<br>
<div class="m_1560058596939177541m_-5334516735271281297m_-1126900832318680940m_-6534722783986833145m_6098939470900032556m_479842504126028098HOEnZb"><div class="m_1560058596939177541m_-5334516735271281297m_-1126900832318680940m_-6534722783986833145m_6098939470900032556m_479842504126028098h5"><br>
On Wed, Feb 28, 2018 at 6:42 PM, Shawn Hurley <<a href="mailto:shurley@redhat.com" target="_blank">shurley@redhat.com</a>> wrote:<br>
> Hi Charles,<br>
><br>
> v3.7 should not be attempting to do anything with network policies, can you<br>
> please double check the deployment config and tell us the version of the<br>
> image that is being deployed. If it is 3.7 then we have another issue that<br>
> we will need to solve.<br>
><br>
> ansible_service_broker_image_<wbr>tag should override the tag value, if that is<br>
> not working then we will need to do a deeper dive on the openshift-ansible<br>
> code.<br>
><br>
> If you would like to just “work around” this then you could add a cluster<br>
> role binding and role to grant access to the asb service account to<br>
> manipulate the network policies.<br>
><br>
> Regards,<br>
><br>
> Shawn Hurley<br>
><br>
> On Feb 28, 2018, at 3:44 PM, Charles Moulliard <<a href="mailto:cmoullia@redhat.com" target="_blank">cmoullia@redhat.com</a>> wrote:<br>
><br>
> Hi,<br>
><br>
> There is still an issue with the ansible playbook installing ASB on<br>
> openshift 3.7<br>
> When the inventory is configured using these parameters<br>
><br>
> git clone -b release-3.7 git@github.com:openshift/<wbr>openshift-ansible.git<br>
><br>
> openshift_enable_service_<wbr>catalog=true<br>
> ansible_service_broker_<wbr>registry_whitelist=['.*-apb$']<br>
> ansible_service_broker_image_<wbr>tag=v3.7<br>
><br>
> then, the following error is reported within the APB pod during<br>
> serviceinstance creation<br>
><br>
> [2018-02-28T20:33:59.585Z] [NOTICE] - Creating RoleBinding<br>
> apb-49d8c2a2-6d12-474c-87a2-<wbr>a220bda6ba0d<br>
> [2018-02-28T20:33:59.598Z] [ERROR] - unable to create network policy object<br>
> - User "system:serviceaccount:<wbr>openshift-ansible-service-<wbr>broker:asb" cannot<br>
> create <a href="http://networkpolicies.networking.k8s.io/" rel="noreferrer" target="_blank">networkpolicies.networking.<wbr>k8s.io</a> in the namespace "project31": User<br>
> "system:serviceaccount:<wbr>openshift-ansible-service-<wbr>broker:asb" cannot create<br>
> <a href="http://networkpolicies.networking.k8s.io/" rel="noreferrer" target="_blank">networkpolicies.networking.<wbr>k8s.io</a> in project "project31" (post<br>
> <a href="http://networkpolicies.networking.k8s.io/" rel="noreferrer" target="_blank">networkpolicies.networking.<wbr>k8s.io</a>)<br>
>  project "project31" (post <a href="http://networkpolicies.networking.k8s.io/" rel="noreferrer" target="_blank">networkpolicies.networking.<wbr>k8s.io</a>)<br>
><br>
> As you can see, the clusterrole of asb-auth is still missing the following<br>
> info<br>
> <a href="https://goo.gl/HfJnj8" rel="noreferrer" target="_blank">https://goo.gl/HfJnj8</a><br>
><br>
> Can somebody fix the error please for ansible openshift 3.7 ?<br>
><br>
> Regards<br>
><br>
> Charles<br>
> ______________________________<wbr>_________________<br>
> Ansible-service-broker mailing list<br>
> <a href="mailto:Ansible-service-broker@redhat.com" target="_blank">Ansible-service-broker@redhat.<wbr>com</a><br>
> <a href="https://www.redhat.com/mailman/listinfo/ansible-service-broker" rel="noreferrer" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/ansible-<wbr>service-broker</a><br>
><br>
><br>
><br>
><br>
</div></div></blockquote></div><br></div></div>
</div></blockquote></div><br></div></div>
</blockquote></div></div></div></div>
</blockquote></div><br></div></div></div></div>
<br></blockquote></div><br></div>
</blockquote></div>
</div></div></blockquote></div><br></div></div>
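Added example (not part of the original thread, and not code from the broker project): the thread's root cause was a node still running an older build behind the same v3.7 tag, so a check has to compare digests rather than tags. The sketch below reads pod data in the shape of `oc get pods -o json` and flags containers whose pulled digest differs from the one David's `docker pull` printed; the pod names, the all-zero digest and the use of David's digest as the reference are assumptions made for illustration.

```python
import re

# Digest printed by the `docker pull ...:v3.7` output quoted in the thread.
# Using it as the known-good reference is an assumption of this example.
EXPECTED_DIGEST = "sha256:25026da783b7b8777f07fc90fefd037bb785424d5a7f364875e9df6d0321d76b"
IMAGE = "docker.io/ansibleplaybookbundle/origin-ansible-service-broker"
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def running_digests(pod_list):
    """Map 'pod/container' to the digest the node pulled (None if unreported)."""
    found = {}
    for pod in pod_list.get("items", []):
        pod_name = pod["metadata"]["name"]
        for status in pod.get("status", {}).get("containerStatuses", []):
            match = DIGEST_RE.search(status.get("imageID", ""))
            found[f"{pod_name}/{status['name']}"] = match.group(0) if match else None
    return found


def stale_containers(pod_list, expected_digest):
    """Containers whose digest is missing or differs from the expected one."""
    digests = running_digests(pod_list)
    return sorted(key for key, digest in digests.items() if digest != expected_digest)


def _pod(name, digest):
    # Constructed pod record: same v3.7 tag in every case, only the digest varies.
    return {
        "metadata": {"name": name},
        "status": {"containerStatuses": [{
            "name": "asb",
            "image": f"{IMAGE}:v3.7",
            "imageID": f"docker-pullable://{IMAGE}@{digest}",
        }]},
    }


# Constructed sample in the shape of `oc get pods -o json`; pod names and the
# all-zero digest are made up.
SAMPLE_PODS = {"items": [
    _pod("asb-1-fresh", EXPECTED_DIGEST),
    _pod("asb-1-stale", "sha256:" + "0" * 64),
]}

if __name__ == "__main__":
    for container in stale_containers(SAMPLE_PODS, EXPECTED_DIGEST):
        print(f"{container}: digest does not match the expected v3.7 build")
```

On a cluster, the input would be the parsed output of `oc get pods -n openshift-ansible-service-broker -o json`, with the reference digest taken from a fresh pull of the tag.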