OCPBUGS-32887: Allow operator to update Route spec.subdomain #1047
Conversation
Before this commit, cluster-ingress-operator did not have permission to
update spec.host or spec.subdomain on an existing route as the operator's
serviceaccount did not have the necessary "routes/custom-host" permission.
A previous change to the operator had added logic to clear spec.host and
instead set spec.subdomain, but without the required permission, the update
would fail with the following error message:
ERROR operator.init controller/controller.go:265 Reconciler error
{"controller": "canary_controller", "object": {"name":"default","namespace":"openshift-ingress-operator"},
"namespace": "openshift-ingress-operator", "name": "default", "reconcileID": "463061e3-93a1-4067-802e-03e3f1f8cdd0",
"error": "failed to ensure canary route: failed to update canary route openshift-ingress-canary/canary:
Route.route.openshift.io \"canary\" is invalid: spec.subdomain: Invalid value: \"canary-openshift-ingress-canary\": field is immutable"}
This commit adds the needed permission to the clusterrole for the
operator's serviceaccount so that the update can succeed.
This commit fixes OCPBUGS-32887.
https://issues.redhat.com/browse/OCPBUGS-32887
Follow-up to commit 530d326.
* manifests/00-cluster-role.yaml: Add permission for routes/custom-host.
openshift-ci-robot
added
jira/severity-moderate
|
@Miciah: This pull request references Jira Issue OCPBUGS-32887, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
The e2e-aws-operator, e2e-gcp-operator, and e2e-azure-operator jobs all failed on |
|
The |
|
ci/prow/e2e-azure-operator failed because these tests failed:
/test e2e-azure-operator |
|
/lgtm |
openshift-ci
bot
added
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: frobware The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/assign |
1 similar comment
|
/assign |
|
/retest-required |
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
@Miciah: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@Miciah: Jira Issue OCPBUGS-32887: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-32887 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[ART PR BUILD NOTIFIER] This PR has been included in build ose-cluster-ingress-operator-container-v4.16.0-202405100946.p0.g5b4f628.assembly.stream.el9 for distgit ose-cluster-ingress-operator. |
|
Fix included in accepted release 4.16.0-0.nightly-2024-05-14-095225 |
Before this change, cluster-ingress-operator did not have permission to update
spec.hostorspec.subdomainon an existing route as the operator's serviceaccount did not have the necessary "routes/custom-host" permission. #965 added logic to the operator to clearspec.hostand instead setspec.subdomain, but without the required permission, the update would fail with the following error message:This PR adds the needed permission to the clusterrole for the operator's serviceaccount so that the update can succeed.