autocloning no longer works - route creation ahead fails #350

Closed
henrjk opened this issue May 25, 2020 · 7 comments · Fixed by #355
Labels
bug Something isn't working

Comments

@henrjk
Member

henrjk commented May 25, 2020

Describe the bug
After enabling autocloning the build fails with the following:

[Pipeline] sh (create dummy route for extraction (test-route-1590397255632))
+ oc -n ods30hk-feature-test-jsl-core-branch create route edge test-route-1590397255632 --service=dummy --port=80
+ true
Error from server (Forbidden): routes.route.openshift.io is forbidden: User "system:serviceaccount:ods30hk-cd:jenkins" cannot create routes.route.openshift.io in the namespace "ods30hk-feature-test-jsl-core-branch": RBAC: clusterrole.rbac.authorization.k8s.io "self-provisoner" not found
[Pipeline] sh (get cluster route domain)
+ oc -n ods30hk-feature-test-jsl-core-branch get route test-route-1590397255632 -o 'jsonpath={.spec.host}'
Error from server (Forbidden): routes.route.openshift.io "test-route-1590397255632" is forbidden: User "system:serviceaccount:ods30hk-cd:jenkins" cannot get routes.route.openshift.io in the namespace "ods30hk-feature-test-jsl-core-branch": RBAC: clusterrole.rbac.authorization.k8s.io "self-provisoner" not found

To Reproduce
Steps to reproduce the behavior:

  1. In a quickstarter (used be-golang) enable autocloning by changing Jenkinsfile as follows:
√ ods30hk-be-golang-a $ git diff master..feature/test-jsl-core-branch
   branchToEnvironmentMapping: [
     'master': 'dev',
-    // 'release/': 'test'
-  ]
+    'develop': 'dev',
+    'feature/': 'feature',
+    '*': 'dev'
+  ],
+  autoCloneEnvironmentsFromSourceMapping: [
+    'feature': 'dev'
+  ]
 ) { context ->
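Review bot: the added '*': 'dev' entry in branchToEnvironmentMapping makes the 'master' and 'develop' entries above it redundant if '*' acts as the catch-all, and it sends every branch that does not start with feature/ to dev. If only feature branches are needed to reproduce the autoclone failure, keep the mapping to 'master' and 'feature/' so unrelated branches do not deploy to dev as a side effect.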
  2. Commit the above change into a new branch feature/test-auto-clone and push the branch so that a build is triggered
  3. You can see the error described above in the Jenkins build log.

Expected behavior

Autocloning should work without any issue.

Affected version (please complete the following information):

  • OpenShift: [3.11]
  • OpenDevStack [3.x]
@Library('ods-jenkins-shared-library@3.x') _
odsComponentPipeline(
  imageStreamTag: 'ods/jenkins-slave-golang:3.x',
@henrjk henrjk added the bug Something isn't working label May 25, 2020
@michaelsauter michaelsauter added this to To Do in OpenDevStack 3.0 via automation May 25, 2020
@clemensutschig
Member

@michaelsauter - is this because of your refactoring changes? ... I am quite surprised because the SA rights are global, or?

@henrjk
Member Author

henrjk commented May 26, 2020

I believe the issue is that the OpenShiftService executes the command against the target namespace before it is created. I am getting the same error message if I do this manually.

@clemensutschig
Member

closed by #351 - @henrjk - please use the attached PR .. that should do it :)

@clemensutschig clemensutschig changed the title autocloning no longer works autocloning no longer works - route creation ahead fails May 27, 2020
@michaelsauter
Member

michaelsauter commented May 27, 2020

Given the error:

Error from server (Forbidden): routes.route.openshift.io is forbidden: User "system:serviceaccount:ods30hk-cd:jenkins" cannot create routes.route.openshift.io in the namespace "ods30hk-feature-test-jsl-core-branch": RBAC: clusterrole.rbac.authorization.k8s.io "self-provisoner" not found

... it sounds like the permissions are insufficient. To my knowledge, there is nothing in ODS which sets up self-provisioner for the jenkins service account. This happens manually. It can either be done for all service accounts (which is the case in your cluster @henrjk) or be given individually for one service account only.

What I can imagine is that some kind of check fails here that disallows route creation. For example, if you ask oc can-i create project, the answer might be no because you yourself cannot see the cluster rights assigned to you. Which means oc thinks you cannot create projects, but actually you can. Maybe something similar happens here behind the scenes?
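An added triage example (not code from ODS or from anyone in this thread) for the two readings of the error discussed above: it parses the Forbidden lines from the build log, pulls out the clusterrole named in the RBAC note, and separates "target namespace does not exist yet" from a denial in an existing namespace. The set of existing namespaces and the third log line are constructed assumptions.

```python
import re
from typing import NamedTuple, Optional

# Forbidden message shape taken from the build log in this issue.
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) (?P<resource>\S+) '
    r'in the namespace "(?P<namespace>[^"]+)"(?:: RBAC: (?P<note>.+))?'
)
MISSING_ROLE = re.compile(
    r'clusterrole\.rbac\.authorization\.k8s\.io "([^"]+)" not found'
)


class Denial(NamedTuple):
    user: str
    verb: str
    resource: str
    namespace: str
    unresolved_clusterrole: Optional[str]  # role named in the RBAC note, if any
    cause: str


def triage(line: str, existing_namespaces: set) -> Optional[Denial]:
    """Classify one log line; returns None if it is not a Forbidden denial."""
    m = FORBIDDEN.search(line)
    if m is None:
        return None
    role = MISSING_ROLE.search(m.group("note") or "")
    # Per the thread, a call against a namespace that is not created yet is
    # denied the same way, so check existence before suspecting the grants.
    cause = ("permission-denied" if m.group("namespace") in existing_namespaces
             else "namespace-not-created-yet")
    return Denial(m.group("user"), m.group("verb"), m.group("resource"),
                  m.group("namespace"), role.group(1) if role else None, cause)


def triage_log(text: str, existing_namespaces: set) -> list:
    hits = (triage(line, existing_namespaces) for line in text.splitlines())
    return [d for d in hits if d is not None]


# Lines 1-3 are from the issue; the last line and EXISTING are constructed.
SAMPLE_LOG = '''+ true
Error from server (Forbidden): routes.route.openshift.io is forbidden: User "system:serviceaccount:ods30hk-cd:jenkins" cannot create routes.route.openshift.io in the namespace "ods30hk-feature-test-jsl-core-branch": RBAC: clusterrole.rbac.authorization.k8s.io "self-provisoner" not found
Error from server (Forbidden): routes.route.openshift.io "test-route-1590397255632" is forbidden: User "system:serviceaccount:ods30hk-cd:jenkins" cannot get routes.route.openshift.io in the namespace "ods30hk-feature-test-jsl-core-branch": RBAC: clusterrole.rbac.authorization.k8s.io "self-provisoner" not found
Error from server (Forbidden): routes.route.openshift.io is forbidden: User "system:serviceaccount:ods30hk-cd:jenkins" cannot create routes.route.openshift.io in the namespace "ods30hk-dev"'''
EXISTING = {"ods30hk-cd", "ods30hk-dev"}

if __name__ == "__main__":
    for d in triage_log(SAMPLE_LOG, EXISTING):
        print(d.cause, d.verb, d.namespace, d.unresolved_clusterrole)
```

In a pipeline, the namespace set would come from the cluster at the time of the failure rather than from a literal.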

@henrjk
Member Author

henrjk commented May 27, 2020

When I recap the change from commit 734cd84 suggested by Clemens, the build advances, but I am now hitting an issue in my code during cloning so that the application domain call after the cloning is not executed.

@henrjk
Member Author

henrjk commented May 27, 2020

Luckily, the mentioned issue in my code was an easy fix; now cloning actually worked for me.

@michaelsauter does commit 734cd84 make sense to you?

@michaelsauter
Member

@henrjk Yes 734cd84 looks right to me. Would be great to have this as a separate PR for easier traceability. Maybe you can extract into a PR from you so that we can merge it into master apart from the other stuff so you can easily test?

OpenDevStack 3.0 automation moved this from To Do to Done May 27, 2020