Need create ClusterRole for SBO v0.10.0

[xkwangcn]

/kind bug

What versions of software are you using?

Operating System:

Output of odo version:

OCP: 4.8
SBO: 0.10.0
odo: main branch
postgresql: 0.1.1

How did you run odo exactly?

Actual behavior

after run odo link Database/sampledatabase, odo push --show-log failed

Expected behavior

About https://github.com/redhat-developer/service-binding-operator/releases/tag/v0.10.0, here mention "In order to enable the operator to perform binding to custom service resource, an additional cluster role must be added to the cluster."
When doing https://odo.dev/docs/tutorials/deploying-java-app-with-database, we also need create CluserRole to ensure this doc can successfully:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: database-view
  labels:
    service.binding/controller: "true"
rules:
  - apiGroups:
      - postgresql.dev4devs.com
    resources:
      - databases
    verbs:
      - get
      - list

I expected: 1. if need add doc for https://odo.dev/docs/tutorials/deploying-java-app-with-databas. 2. if need add create ClusterRole yaml in scripts setup-operators.sh. 3. other better way or need changes about ClusterRole

Any logs, error output, etc?

[odo@2d528607b4aa jpa]$ odo link Database/sampledatabase
 ✓  Successfully created link between component "mysboproj" and service "Database/sampledatabase"

To apply the link, please use `odo push`
[odo@2d528607b4aa jpa]$ odo push --show-log

Validation
 ✓  Validating the devfile [135541ns]

Creating Services for component mysboproj
 ✓  Services are in sync with the cluster, no changes are required

Creating Kubernetes resources for component mysboproj
 ✓  Waiting for component to start [2ms]
 ✓  Created link "mysboproj-database-sampledatabase" using Service Binding Operator on the cluster; component will be restarted
 ✗  Restarting the component [1m]
 ✗  Failed to start component with name "mysboproj". Error: Failed to create the component: timeout while waiting for "mysboproj-app-6b96cc77df-fb9fs" pod to be deleted
[odo@2d528607b4aa jpa]$ oc get csv
NAME                               DISPLAY                                VERSION   REPLACES                          PHASE
postgresql-operator.v0.1.1         PostgreSQL Operator by Dev4Ddevs.com   0.1.1                                       Succeeded
redis-operator.v0.8.0              Redis Operator                         0.8.0     redis-operator.v0.6.0             Succeeded
service-binding-operator.v0.10.0   Service Binding Operator               0.10.0    service-binding-operator.v0.9.1   Succeeded
[wgxinke@lnxocp03 ~]$ oc logs pod/service-binding-operator-796f7c479f-m264w -n openshift-operators
{"level":"error","ts":1632728900.7049973,"logger":"controller","msg":"Reconciler error","reconcilerGroup":"binding.operators.coreos.com","reconcilerKind":"ServiceBinding","controller":"servicebinding","name":"mysboproj-database-sampledatabase","namespace":"test","error":"databases.postgresql.dev4devs.com \"sampledatabase\" is forbidden: User \"system:serviceaccount:openshift-operators:service-binding-operator\" cannot get resource \"databases\" in API group \"postgresql.dev4devs.com\" in the namespace \"test\"","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/tmp/github.com/redhat-developer/service-binding-operator/vendor/github.com/go-logr/zapr/zapr.go:132\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/tmp/github.com/redhat-developer/service-binding-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:246\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/tmp/github.com/redhat-developer/service-binding-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:218\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\t/tmp/github.com/redhat-developer/service-binding-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:197\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/tmp/github.com/redhat-developer/service-binding-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/tmp/github.com/redhat-developer/service-binding-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/tmp/github.com/redhat-developer/service-binding-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.Until\n\t/tmp/github.com/redhat-developer/service-binding-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:90"}

[xkwangcn]

For using SBO to link redis also have this issue, also need create ClusterRole for redis-operatot

[dharmit]

Hi @xkwangcn, the way we're trying to address this is by using Service Binding library as default instead of relying on the Service Binding Operator. This will ensure that breaking changes in the Service Binding Operator don't break odo link. Refer #5084 for more info.

[xkwangcn]

Hi, @dharmit Thanks for your reply, " using Service Binding library as default" what this mean? could you give me some guide for this? maybe I can try it. Thank you.

[dharmit]

odo has added dependency to the service binding library so that if a user doesn't have service binding operator installed on their cluster, odo link still works just fine using the library. The example in this case would be to try and do linking without installing SBO on your cluster.

[xkwangcn]

OK. So I can use odo link directly without install SBO on my cluster. Thank you.

[xkwangcn]

@dharmit
But in setup-operator.sh script, here still install SBO, and then maybe the operator-hub ci cases can't be PASS. Is there some change for this?
Another question is what the SBO version now for service binding library in odo?

[valaparthvi]

Another question is what the SBO version now for service binding library in odo?

0.9.0

But in setup-operator.sh script, here still install SBO, and then maybe the operator-hub ci cases can't be PASS. Is there some change for this?

Good question and observation! I'll take a look into that and fix that.

[xkwangcn]

Thanks for your reply. @valaparthvi

Another question is about https://odo.dev/docs/tutorials/deploying-java-app-with-database, mainly for ClusterRole part, maybe need similar change like: https://openliberty.io/blog/2021/09/17/binding-app-to-postgresql-db-with-odo-and-ol-stack.html.
Do you think so? @dharmit @valaparthvi

[xkwangcn]

@valaparthvi @dharmit hello, from user side, what the difference between using service binding binary and SBO? and do you know the advantages for SBO and service binding binary when do odo linking ? I didn't find any doc about service binding binary both in odo and SBO, but I want to know the benefit for using SBO or service binding binary... could you help to give me some info or link about this question? Thank you very much.

[xkwangcn]

I got from you when user don't have permission to link SBO due to the SBO0.10.0's new feature, but

1. don't know where and how odo inlcuding service binding binary...
2. don't know the difference in their functions.
3. if 2 is yes, want know the influence according to the difference for user...
4. want know which is better and the advantage for them, but I didn't find some document about this
   maybe for the above questions, talk with SBO team is better? only want to know complete info both in odo and SBO, I will learn from SBO in slack too. Thank you.

[dharmit]

But in setup-operator.sh script, here still install SBO,

We haven't modified setup-operators.sh script because we want to be able to switch from Service Binding library to Service Binding Operator without much hassle. Below code makes sure that we use library instead of Operator:

odo/pkg/kclient/operators.go

Lines 30 to 35 in 5f79c54

	// IsServiceBindingSupported checks if resource of type service binding request present on the cluster
	func (c *Client) IsServiceBindingSupported() (bool, error) {
	// Detection of SBO has been removed from issue https://github.com/redhat-developer/odo/issues/5084
	return false, nil
	// return c.IsResourceSupported("binding.operators.coreos.com", "v1alpha1", "servicebindings")
	}

and then maybe the operator-hub ci cases can't be PASS. Is there some change for this?

I don't understand what you are asking here.

what the difference between using service binding binary and SBO? and do you know the advantages for SBO and service binding binary when do odo linking ?

Using SBO vs. library gives you the benefit that SBO can modify your underlying link (ServiceBinding resource) and/or the Kubernetes Deployment of your odo component. I haven't come across a doc for this either. I have only heard @kadel say this on a few calls. But, tbh, I don't understand this clearly either. @kadel can you help on this?

don't know where and how odo inlcuding service binding binary...

It's the library, not the binary. The way odo uses it is by putting it in go.mod:

odo/go.mod

Line 41 in 5f79c54

github.com/redhat-developer/service-binding-operator v0.9.0

want know which is better and the advantage for them, but I didn't find some document about this

In my understanding, using Operator is better than using the library. But in odo we are using the library to ensure stability of odo link feature. It's a temporary change and we will be moving back to using SBO as 1.0 is GA now and has more features! #5221

maybe for the above questions, talk with SBO team is better? only want to know complete info both in odo and SBO, I will learn from SBO in slack too. Thank you.

Yeah, maybe the advantages/disadvantages of using Operator vs. library can be best explained by them. For odo, temporarily moving to using library helped ensure that odo link didn't break often, as the SBO team was making releases with breaking changes (which was OK because they were in the alpha stage.)

[kadel]

there is no odo link anymore in odo v3