MAISTRA-1153: adds ability to read pods and services

[bartoszmajsak]

Without added rules for ClusterRole IOR fails when deployed to the same ns as istio system.

2020-02-05T12:44:46.523995Z    info    Got info from MCP - 1 object(s)

2020-02-05T12:44:46.524083Z    debug    Object 1: Metadata = name:"ike-ior-test/test-gateway" create_time:<seconds:1580906603 > version:"1078371" annotations:<key:"kubectl.kubernetes.io/last-applied-configuration" value:"{\"apiVersion\":\"networking.istio.io/v1alpha3\",\"kind\":\"Gateway\",\"metadata\":{\"annotations\":{},\"creationTimestamp\":null,\"name\":\"test-gateway\",\"namespace\":\"ike-ior-test\"},\"spec\":{\"selector\":{\"istio\":\"ingressgateway\"},\"servers\":[{\"hosts\":[\"*\"],\"port\":{\"name\":\"http\",\"number\":80,\"protocol\":\"HTTP\"}}]}}\n" >  
2020-02-05T12:44:46.524115Z    debug    Object 1: Gateway = servers:<port:<number:80 protocol:"HTTP" name:"http" > hosts:"*" > selector:<key:"istio" value:"ingressgateway" > 

2020-02-05T12:44:46.524123Z    debug    Creating route for hostname *
2020-02-05T12:44:46.524130Z    info    Gateway ike-ior-test/test-gateway: Wildcard * is not supported at the moment. Letting OpenShift create the hostname instead.
2020-02-05T12:44:46.527736Z    error    Error creating a route for host * (gateway ike-ior-test/test-gateway): could not get the list of pods: pods is forbidden: User "system:serviceaccount:istio-system:ior" cannot list resource "pods" in API group "" in the namespace "istio-system"
2020-02-05T12:44:46.527773Z    debug    Current state: 0 item(ns)

[jwendell]

1. You need a Jira for this, since this is a real bug
2. The proper fix should go into operator repo. This file is just for development purposes (I wonder if it's better to just remove it)

[bartoszmajsak]

1. You need a Jira for this, since this is a real bug

Sure, I will create one tomorrow.

2. The proper fix should go into operator repo. This file is just for development purposes (I wonder if it's better to just remove it)

Wouldn't it be easier if all IOR related thing would live in one place? Anyway - can you point me to it so I can send a PR there?

[jwendell]

1. You need a Jira for this, since this is a real bug

Sure, I will create one tomorrow.

1. The proper fix should go into operator repo. This file is just for development purposes (I wonder if it's better to just remove it)

Wouldn't it be easier if all IOR related thing would live in one place? Anyway - can you point me to it so I can send a PR there?

Yes, that place is the operator, hence my suggestion to drop this file from this repo.

See https://github.com/Maistra/istio-operator/tree/maistra-1.1/resources/helm/overlays/istio/charts/gateways/templates

[bartoszmajsak]

Ok. Understood. You assume istio-operator is the only way of installing IOR. I still see the value of having something here for dev purposes though but now I understand the flow.

[jwendell]

If we are going to keep this file around, this addition must go in.

[bartoszmajsak]

Opened JIRA and PR for that maistra/istio-operator#328