Broken tagging between projects with 1.0.12 #40

Closed
livelace opened this issue May 20, 2016 · 5 comments

@livelace

livelace commented May 20, 2016

https://paste.fedoraproject.org/368841/14637447/

With 1.0.11 everything works fine.

@gabemontero
Contributor

OK ... I think I've reproduced this, though some confirmation of the details would be good.
In particular, from the job output provided, I surmised that:

  1. Jenkins was not running in either of the projects involved in the tagging
  2. as such, you provided auth tokens for both the source and destination projects
  3. I took a stab and guessed you provided edit access of the destination project to the service account of the source project
  4. If so, I believe I saw the tagging work from scratch with v1.0.11, but not work with v1.0.12
  5. Conversely, if the image stream already existed, it failed with v1.0.11 (a known bug I fixed in v1.0.12), but worked with v1.0.12

Also, after reproducing, I was able to address the issue without having to make a code change to the plugin, but instead by running an additional `oc policy add-role-to-user` command, adding edit access of the source project to the service account of the destination project (the inverse, if you will, of what I did in 3) above). When doing this, the tagging then worked for me (regardless of whether the ImageStream previously existed or not) with v1.0.12.

With those details, and for handling the previous bug wrt the image stream existing, I believe this is the correct approach (updating the policy of the service account of each project), and I'll be updating the README.

@livelace - assuming my repro attempt sounds close enough to your env, please try adding edit access to the service accounts of each project to themselves as well as the project on the other side of the oc tag operation, and let me know the results.

@livelace
Author

@gabemontero

It works. Thanks. So we should give "edit" access to source and destination projects in the future?

@gabemontero
Contributor

Thanks for the confirmation @livelace. For now, the answer is "yes" to your question.

We do have some discussions going on in the background wrt our Jenkins scenarios and the various roles/bindings/access for the associated service accounts. I also want to circle back to this and experiment with varying the roles used, see if something less than edit is workable.

I'll keep this issue open until I minimally try those experiments, or if the background discussions I referenced reach a conclusion relatively soon.

@gabemontero gabemontero self-assigned this May 24, 2016
@gabemontero
Contributor

@livelace - finally circled back to this, and confirmed that each project's service account needs edit access to the other project. There are updates that occur to the source project's image stream as part of creating the destination tag.

@livelace
Author

livelace commented Jun 8, 2016

@gabemontero Thanks!
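
The grants this thread settles on (each project's service account given `edit` on its own project and on the project at the other end of the tag), as an added shell example that is not from the plugin or its README. The project names and the service account name `ci-sa` are constructed placeholders; the thread does not name the service account, so substitute the one your Jenkins job authenticates as.

```shell
#!/bin/sh
# Added example: prints (or applies) the four role bindings discussed in this
# issue. All project and service-account names here are constructed placeholders.
LC_ALL=C; export LC_ALL

# Accept only lowercase DNS-label style names, so a value can never smuggle
# shell metacharacters or extra arguments into the generated command line.
valid_name() {
    case "$1" in
        ''|*[!a-z0-9-]*|-*|*-) return 1 ;;
        *) return 0 ;;
    esac
}

# tag_grants SRC_PROJECT DST_PROJECT SA_NAME
# Prints one `oc policy add-role-to-user` command per (service account, project)
# pair: each project's service account gets edit on itself and on the other side.
tag_grants() {
    src=$1; dst=$2; sa=$3
    for n in "$src" "$dst" "$sa"; do
        valid_name "$n" || { echo "invalid name: $n" >&2; return 1; }
    done
    for owner in "$src" "$dst"; do
        for target in "$src" "$dst"; do
            echo "oc policy add-role-to-user edit system:serviceaccount:$owner:$sa -n $target"
        done
    done
}

# apply_grants SRC_PROJECT DST_PROJECT SA_NAME
# Runs the same commands; requires a logged-in `oc` with rights to edit policy
# in both projects. Stops at the first failure.
apply_grants() {
    cmds=$(tag_grants "$@") || return 1
    printf '%s\n' "$cmds" | while read -r cmd; do
        $cmd || exit 1
    done
}

# Dry run with placeholder names: review the output before applying.
tag_grants source-project destination-project ci-sa
```

`edit` is a broad role, so review the printed commands and keep the bindings limited to the two projects involved in the tag operation.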
