[Ansible-service-broker] Issue with playbook of ansible service broker - missing networkpolicies

Charles Moulliard cmoullia at redhat.com
Fri Mar 2 19:53:47 UTC 2018


I am nevertheless experiencing a new issue with docker image v3.7 now, as no
secret is created during the binding step

https://www.dropbox.com/s/ufimavnt8bscdq2/Screenshot%202018-03-02%2020.49.15.png?dl=0

https://gist.github.com/cmoulliard/dc2c947514ba8a30b17b72671650c906

On Fri, Mar 2, 2018 at 8:47 PM, David Zager <dzager at redhat.com> wrote:

> No worries. You were essential to us realizing that what we thought were
> release specific broker images were not correct. Thank you for that and
> your patience throughout.
>
>
> On Fri, Mar 2, 2018, 14:33 Charles Moulliard <cmoullia at redhat.com> wrote:
>
>> This is my fault, as the docker image
>> docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.7 wasn't
>> updated and was still the old one.
>>
>> I have redeployed and the problem is gone. Thanks
>>
>> On Fri, Mar 2, 2018 at 3:24 PM, David Zager <dzager at redhat.com> wrote:
>>
>>> Something is not right here. The original error message posted was:
>>>
>>> [2018-02-28T20:33:59.598Z] [ERROR] - unable to create network policy
>>> object - User "system:serviceaccount:openshift-ansible-service-broker:asb"
>>> cannot create networkpolicies.networking.k8s.io in the namespace "project31":
>>> User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot
>>> create networkpolicies.networking.k8s.io in project "project31"
>>> (post networkpolicies.networking.k8s.io)
>>>
>>> and it comes from
>>> https://github.com/openshift/ansible-service-broker/blob/ff1f14a421dbdab5834ebd994615081db0f09ac5/pkg/runtime/runtime.go#L225
>>> but pkg/runtime/runtime.go does not exist in the v3.7 image:
>>>
>>> $ docker pull docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.7
>>> Trying to pull repository docker.io/ansibleplaybookbundle/origin-ansible-service-broker ...
>>> sha256:25026da783b7b8777f07fc90fefd037bb785424d5a7f364875e9df6d0321d76b: Pulling from docker.io/ansibleplaybookbundle/origin-ansible-service-broker
>>> Digest: sha256:25026da783b7b8777f07fc90fefd037bb785424d5a7f364875e9df6d0321d76b
>>> Status: Image is up to date for docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.7
>>>
>>> $ docker run -it --entrypoint /bin/bash docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.7
>>> bash-4.2$ ls $GOPATH/src/github.com/openshift/ansible-service-broker/pkg/runtime
>>> hack.go
>>> # Furthermore, searching for that error message in the v3.7 image shows that error doesn't exist in the v3.7 image
>>> bash-4.2$ grep -r 'unable to create' $GOPATH/src/github.com/openshift/ansible-service-broker/pkg
>>>
>>> The most likely cause for this is that the broker image was not updated.
>>> I am open to other possibilities, could you rule this one out please?
>>>
>>> Respectfully,
>>> David Zager
>>>
>>>
>>>
>>> On Fri, Mar 2, 2018 at 9:12 AM Ryan Hallisey <rhallise at redhat.com>
>>> wrote:
>>>
>>>> In case this helps Charles, a temporary work around would be to: oc
>>>> edit clusterrole asb-auth
>>>>
>>>> and add:
>>>>
>>>>   - apiGroups: ["network.openshift.io", ""]
>>>>     attributeRestrictions: null
>>>>     resources: ["clusternetworks", "netnamespaces"]
>>>>     verbs: ["get"]
>>>>   - apiGroups: ["network.openshift.io", ""]
>>>>     attributeRestrictions: null
>>>>     resources: ["netnamespaces"]
>>>>     verbs: ["update"]
>>>>   - apiGroups: ["networking.k8s.io", ""]
>>>>     attributeRestrictions: null
>>>>     resources: ["networkpolicies"]
>>>>     verbs: ["create", "delete"]
>>>>
>>>>
>>>> Thanks,
>>>> - Ryan
>>>>
>>>> On Fri, Mar 2, 2018 at 9:03 AM, Charles Moulliard <cmoullia at redhat.com>
>>>> wrote:
>>>>
>>>>> We have redeployed using openshift-ansible playbook ASB using image
>>>>> v3.7 and networkpolicies issue is still there
>>>>>
>>>>> On Thu, Mar 1, 2018 at 4:19 PM, David Zager <dzager at redhat.com> wrote:
>>>>>
>>>>>> Greetings Charles,
>>>>>>
>>>>>> The image in question,
>>>>>> docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.7
>>>>>> <https://hub.docker.com/r/ansibleplaybookbundle/origin-ansible-service-broker/tags/>
>>>>>> has been updated to be built using the code from the release-1.0
>>>>>> <https://github.com/openshift/ansible-service-broker/tree/release-1.0> branch
>>>>>> of the broker project. Apologies for the trouble and thank you for helping
>>>>>> us find the root cause.
>>>>>>
>>>>>> https://github.com/openshift/ansible-service-broker/pull/803 should
>>>>>> prevent this from happening in the future.
>>>>>>
>>>>>> Respectfully,
>>>>>> David Zager
>>>>>>
>>>>>> On Thu, Mar 1, 2018 at 9:45 AM Shawn Hurley <shurley at redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hello Charles,
>>>>>>>
>>>>>>> It appears that we have had a little mix up on the versions that we
>>>>>>> tagged. You are currently getting the canary version of the broker.
>>>>>>> We are working on rebuilding and re-tagging the correct images and
>>>>>>> will keep everyone informed with this email thread. Sorry about the mix up.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Shawn Hurley
>>>>>>>
>>>>>>> On Mar 1, 2018, at 12:40 AM, Charles Moulliard <cmoullia at redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>> I confirm that version 3.7 has been installed
>>>>>>>
>>>>>>> https://www.dropbox.com/s/h7m72h23k7myjyw/Screenshot%202018-03-01%2006.39.40.png?dl=0
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Mar 1, 2018 at 12:47 AM, Erik Nelson <ernelson at redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Charles, you guys are deploying upstream origin with
>>>>>>>> openshift-ansible? We discovered today thanks to your report that the
>>>>>>>> upstream openshift-ansible code was configured to default to "latest"
>>>>>>>> broker images, which is our 3.9 image. I will see if I can reproduce
>>>>>>>> your issue as well.
>>>>>>>>
>>>>>>>> +1 to shurley's comment, we have to confirm what version of the image
>>>>>>>> you are running, via tag.
>>>>>>>>
>>>>>>>> On Wed, Feb 28, 2018 at 6:42 PM, Shawn Hurley <shurley at redhat.com>
>>>>>>>> wrote:
>>>>>>>> > Hi Charles,
>>>>>>>> >
>>>>>>>> > v3.7 should not be attempting to do anything with network policies, can you
>>>>>>>> > please double check the deployment config and tell us the version of the
>>>>>>>> > image that is being deployed. If it is 3.7 then we have another issue that
>>>>>>>> > we will need to solve.
>>>>>>>> >
>>>>>>>> > ansible_service_broker_image_tag should override the tag value, if that is
>>>>>>>> > not working then we will need to do a deeper dive on the openshift-ansible
>>>>>>>> > code.
>>>>>>>> >
>>>>>>>> > If you would like to just “work around” this then you could add a cluster
>>>>>>>> > role binding and role to grant access to the asb service account to
>>>>>>>> > manipulate the network policies.
>>>>>>>> >
>>>>>>>> > Regards,
>>>>>>>> >
>>>>>>>> > Shawn Hurley
>>>>>>>> >
>>>>>>>> > On Feb 28, 2018, at 3:44 PM, Charles Moulliard <cmoullia at redhat.com> wrote:
>>>>>>>> >
>>>>>>>> > Hi,
>>>>>>>> >
>>>>>>>> > There is still an issue with the ansible playbook installing ASB on
>>>>>>>> > openshift 3.7
>>>>>>>> > When the inventory is configured using these parameters
>>>>>>>> >
>>>>>>>> > git clone -b release-3.7 git at github.com:openshift/openshift-ansible.git
>>>>>>>> >
>>>>>>>> > openshift_enable_service_catalog=true
>>>>>>>> > ansible_service_broker_registry_whitelist=['.*-apb$']
>>>>>>>> > ansible_service_broker_image_tag=v3.7
>>>>>>>> >
>>>>>>>> > then, the following error is reported within the APB pod during
>>>>>>>> > serviceinstance creation
>>>>>>>> >
>>>>>>>> > [2018-02-28T20:33:59.585Z] [NOTICE] - Creating RoleBinding
>>>>>>>> > apb-49d8c2a2-6d12-474c-87a2-a220bda6ba0d
>>>>>>>> > [2018-02-28T20:33:59.598Z] [ERROR] - unable to create network policy object
>>>>>>>> > - User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot
>>>>>>>> > create networkpolicies.networking.k8s.io in the namespace "project31": User
>>>>>>>> > "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create
>>>>>>>> > networkpolicies.networking.k8s.io in project "project31" (post
>>>>>>>> > networkpolicies.networking.k8s.io)
>>>>>>>> >  project "project31" (post networkpolicies.networking.k8s.io)
>>>>>>>> >
>>>>>>>> > As you can see, the clusterrole of asb-auth is still missing the following
>>>>>>>> > info
>>>>>>>> > https://goo.gl/HfJnj8
>>>>>>>> >
>>>>>>>> > Can somebody fix the error please for ansible openshift 3.7 ?
>>>>>>>> >
>>>>>>>> > Regards
>>>>>>>> >
>>>>>>>> > Charles
>>>>>>>> > _______________________________________________
>>>>>>>> > Ansible-service-broker mailing list
>>>>>>>> > Ansible-service-broker at redhat.com
>>>>>>>> > https://www.redhat.com/mailman/listinfo/ansible-service-broker
>>>>>>>> >
>>>>>>>> >
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>
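
Added example (not part of the thread and not the broker project's code): a check of whether the asb-auth rules posted as a workaround in the thread cover the request denied in the quoted error. The log line is the thread's error unwrapped onto one line, the rule list copies the workaround with attributeRestrictions left out, and the function names are hypothetical.

```python
import re

# The denial quoted in the thread, unwrapped onto one line (constructed sample input).
LOG_LINE = (
    '[2018-02-28T20:33:59.598Z] [ERROR] - unable to create network policy object - '
    'User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create '
    'networkpolicies.networking.k8s.io in the namespace "project31"'
)

# Rules from the asb-auth workaround in the thread (attributeRestrictions omitted).
WORKAROUND_RULES = [
    {"apiGroups": ["network.openshift.io", ""],
     "resources": ["clusternetworks", "netnamespaces"], "verbs": ["get"]},
    {"apiGroups": ["network.openshift.io", ""],
     "resources": ["netnamespaces"], "verbs": ["update"]},
    {"apiGroups": ["networking.k8s.io", ""],
     "resources": ["networkpolicies"], "verbs": ["create", "delete"]},
]

DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) (?P<target>[\w.-]+) '
    r'in (?:the namespace|project) "(?P<namespace>[^"]+)"'
)

def parse_denial(line):
    """Return the denied request as a dict, or None if the line is not a denial."""
    m = DENIAL.search(line)
    if m is None:
        return None
    # "networkpolicies.networking.k8s.io" -> resource + API group; core
    # resources such as "pods" carry no group and yield "".
    resource, _, group = m.group("target").partition(".")
    return {"user": m.group("user"), "verb": m.group("verb"),
            "resource": resource, "group": group,
            "namespace": m.group("namespace")}

def rule_allows(rule, req):
    """RBAC rule match: API group, resource and verb must all match ('*' is a wildcard)."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["apiGroups"], req["group"])
            and hit(rule["resources"], req["resource"])
            and hit(rule["verbs"], req["verb"]))

def is_allowed(rules, req):
    """True if any rule in the list grants the parsed request."""
    return any(rule_allows(rule, req) for rule in rules)

if __name__ == "__main__":
    req = parse_denial(LOG_LINE)
    print(req, "allowed by workaround:", is_allowed(WORKAROUND_RULES, req))
```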