Fix RBAC for openshift and add openshift compatibility #1395
Conversation
Hi @JGodin-C2C. Thanks for your PR. I'm waiting for a jetstack or cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/assign @munnerz
Thanks for investigating and testing here 😄 I've added some comments, if you could try it again without those permissions that'd be great 🙏
@@ -10,14 +10,19 @@ metadata: | |||
heritage: {{ .Release.Service }} | |||
rules: | |||
- apiGroups: ["certmanager.k8s.io"] | |||
resources: ["certificates", "certificates/finalizers", "issuers", "clusterissuers", "orders", "orders/finalizers", "challenges"] | |||
resources: ["certificates", "certificates/finalizers", "issuers", "issuers/finalizers","clusterissuers", "orders", "orders/finalizers", "challenges", "challenges/finalizers"] |
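Review bot: the only forbidden error shown in this thread (the blockOwnerDeletion message on a certificate whose ownerReference points at an ingress) calls for the owner's finalizers subresource, not for `issuers/finalizers`, yet this line adds `issuers/finalizers` and `challenges/finalizers` to a rule whose verbs are `["*"]`. Each new subresource should come with the specific error it fixes or be dropped; where a finalizers subresource is genuinely required, `update` is the only verb that check needs, so a separate rule with `verbs: ["update"]` is narrower than widening this wildcard rule.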
We don't use finalizers on Issuer resources - are you sure this permission is required?
verbs: ["*"] | ||
- apiGroups: [""] | ||
resources: ["configmaps", "secrets", "events", "services", "pods"] | ||
resources: ["configmaps", "secrets", "secrets/finalizers","events", "services", "services/finalizers","pods", "pods/finalizers"] |
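Review bot: `secrets/finalizers`, `services/finalizers` and `pods/finalizers` would only be needed if this controller set `blockOwnerDeletion` on references whose owner is a secret, service or pod, and the error quoted in this thread names an ingress as the owner. Since the rule grants `verbs: ["*"]` on the whole core-group list, please revert this line to `resources: ["configmaps", "secrets", "events", "services", "pods"]` unless an equivalent forbidden error for one of these kinds is reproduced.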
We don't use finalizers on secrets, services or pods 😄
verbs: ["*"] | ||
- apiGroups: ["extensions"] | ||
resources: ["ingresses"] | ||
resources: ["ingresses", "ingresses/finalizers", "ingresses/status"] |
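Review bot: `ingresses/finalizers` is the one addition this thread justifies, since the quoted error is about setting `blockOwnerDeletion` on a certificate owned by an ingress, but `ingresses/status` is conceded below as not needed and should go. Please add a comment in the chart above this rule saying why the finalizers subresource is granted (the ownerReference admission check on OpenShift), otherwise the next reader will remove it as unused; and since that check only requires `update`, a separate `ingresses/finalizers` rule with `verbs: ["update"]` is tighter than leaving it under `verbs: ["*"]`.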
I'm surprised we need any of these as we don't use finalizers or the status subresource on ingresses 🤔
We need the finalizer for this, as it fires this error:
ingress-shim controller: Re-queuing item "hello-world-ssl/prod-ingress" due to error processing: certificates.certmanager.k8s.io "prod-ingress-ssl" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: no RBAC policy matched, <nil>
The status, however, does not seem to be needed.
That, however, may be an OpenShift-centric problem.
verbs: ["*"] | ||
{{- if .Values.global.isOpenshift }} | ||
- apiGroups: ["route.openshift.io"] | ||
resources: ["routes", "routes/custom-host", "routes/finalizers"] |
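Review bot: the new `route.openshift.io` rule is cut off before its verbs in this hunk, and `routes/custom-host` is the OpenShift permission that lets a client set arbitrary hostnames on routes, a broader grant than anything the error in this thread requires. If these resources were added to satisfy the same ownerReference/finalizers check as the ingress rule, `routes/finalizers` with `verbs: ["update"]` covers that; otherwise please paste the forbidden error that `routes` and `routes/custom-host` fix, and document the reason next to the rule in the chart.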
Is this required? We don't modify 'route' resources ever, so I'm surprised this is needed 🤔
So, I will first answer this, as this was the most difficult one to find.
I have no idea why, but it looks like OpenShift NEEDS these rules to modify the ingress.
Thanks for the feedback, I will checkity check all this. Thanks! 💪
OK, so, here is the refined list of rights.
/ok-to-test
I guess all these are errors on the test suite, as I don't see any of my part?
It looks like some of the test failures are genuine failures caused by this PR (notably, the /retest
How can I launch the test suite on my machine? Any documentation about all this?
👋 you need to bump the chart version as part of this PR as well, as you're modifying the Helm chart. If you look in After you've done this, you'll need to run
Thanks for your persistence here 😄 /lgtm
Well, looks like I was too late.
🙈 I'm really sorry, there's just been a new change to these files which has once again caused your branch to go out of date. One day soon we'll remove the requirement to bump the chart version in the repo altogether, as it's just really annoying and doesn't help anyone. Would you mind doing it one more time, and then I'll lgtm & approve this PR before others?
Signed-off-by: Julien Godin <julien.godin@camptocamp.com>
Are we there yet? 😄
/retest
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JGodin-C2C, munnerz The full list of commands accepted by this bot can be found here. The pull request process is described here
🎉
Thanks for the hard work on this, and sorry it's taken so long!
What this PR does / why we need it:
This PR relaxes some rights in order to enable this chart to be deployed flawlessly on OpenShift.
Special notes for your reviewer:
This Helm chart has some trouble launching the webhook; after investigation, it sounded like it had some trouble creating or editing some of the needed secrets.
Also, cert-manager needs to edit ingresses. This cannot be done with the current rights of this chart.
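The "cannot set blockOwnerDeletion" error quoted in the review thread comes from an admission check that requires `update` on the owner's `<resource>/finalizers` subresource whenever a blocking ownerReference is set. The following is an added example, not cert-manager's or the chart's own code: it models that check against RBAC rules constructed from this diff (the pre-PR ingresses rule, the PR's version, and a narrower alternative), with a constructed ownerReference standing in for the one ingress-shim places on the certificate it creates for an ingress.

```python
# Added example (not cert-manager's code): a small model of the admission check behind the
# "cannot set blockOwnerDeletion ... can't set finalizers on" error quoted in the review thread.
# An ownerReference with blockOwnerDeletion=true requires 'update' on the owner's
# '<resource>/finalizers' subresource; the rules below are constructed from the chart diff.

# Owner kinds -> (apiGroup, plural resource). Only the kind relevant to this PR is listed.
OWNER_RESOURCES = {
    "Ingress": ("extensions", "ingresses"),
}

def rule_allows(rule, group, resource, verb):
    """True if one rule (a dict mirroring a ClusterRole rule) grants verb on group/resource."""
    def match(values, wanted):
        return "*" in values or wanted in values
    return (match(rule["apiGroups"], group)
            and match(rule["resources"], resource)
            and match(rule["verbs"], verb))

def allows(rules, group, resource, verb):
    return any(rule_allows(r, group, resource, verb) for r in rules)

def missing_finalizer_permissions(rules, owner_references):
    """Return the '<group>:<resource>/finalizers' grants the ownerReferences need but rules lack."""
    missing = []
    for ref in owner_references:
        if not ref.get("blockOwnerDeletion", False):
            continue  # the admission check only cares about blocking owner references
        group, plural = OWNER_RESOURCES[ref["kind"]]
        subresource = plural + "/finalizers"
        if not allows(rules, group, subresource, "update"):
            missing.append(f"{group}:{subresource}")
    return missing

# Constructed: the ownerReference ingress-shim puts on the Certificate it creates for an Ingress.
CERT_OWNER_REFS = [{"apiVersion": "extensions/v1beta1", "kind": "Ingress",
                    "name": "prod-ingress", "controller": True, "blockOwnerDeletion": True}]

# The ingresses rule before this PR, the PR's version, and a narrower alternative that keeps
# the original rule and grants only 'update' on the finalizers subresource.
BEFORE = [{"apiGroups": ["extensions"], "resources": ["ingresses"], "verbs": ["*"]}]
AFTER_PR = [{"apiGroups": ["extensions"],
             "resources": ["ingresses", "ingresses/finalizers"], "verbs": ["*"]}]
NARROW = [{"apiGroups": ["extensions"], "resources": ["ingresses"], "verbs": ["*"]},
          {"apiGroups": ["extensions"], "resources": ["ingresses/finalizers"], "verbs": ["update"]}]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after PR", AFTER_PR), ("narrow", NARROW)):
        print(f"{name:9s} missing: {missing_finalizer_permissions(rules, CERT_OWNER_REFS)}")
```

Running it shows the pre-PR rule failing the check and both later variants passing; the narrow variant passes without granting `delete` or other verbs on the finalizers subresource.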