Closed carrolp closed 3 years ago
@carrolp
It is because ODLM doesn't have cluster permission in the cluster. It leverages the namespacescope operator to project its namespace scope permission into the target namespace. So when you delete the target namespace, the projected roles and rolebindings are deleted, which causes ODLM to lose the permission in the terminating namespace, and it can't remove the finalizer from the OperandRequest.
@horis233 I think that makes sense why it's having trouble. Thinking aloud... the "projected roles and rolebindings" perhaps should also have finalizers on them so that they aren't deleted till ODLM has finished finalizing the OperandRequest?
/kind bug
What steps did you take and what happened:
ptest
in my test)licensing
service in my test)finalizer.request.ibm.com
finalizer.
What did you expect to happen: The Finalizer should be automatically removed from the OperandRequest and the namespace able to be deleted cleanly.
Anything else you would like to add: The log from the operand-deployment-lifecycle-manager-[id] pod has many messages like this upon deleting the namespace:
To my eyes it is trying to reconcile the OperandRequest because the Secret was deleted during (attempted) namespace deletion. But it cannot recreate the secret because the namespace is being deleted. I assume it needs some logic to check the namespace when reconciling. If the namespace.metadata.deletionTimestamp is not nil, the namespace is being deleted. If the namespace is being deleted then instead of trying to create/update the operands, the reconcile loop should just remove the finalizer from the OperandRequest.
Environment:
operand-deployment-lifecycle-manager.v1.5.0
OCP 4.3.40
kubectl version): v1.16.2+853223d
/etc/os-release): n/a
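The check proposed in the issue (look at the namespace's deletionTimestamp before reconciling) can be sketched as follows. This is an added example, not ODLM's code: the `Meta`, `Namespace`, `OperandRequest` and `Action` types and the `Reconcile` function are hypothetical stand-ins that use only the Go standard library, and only the finalizer name comes from the issue.

```go
package main

import (
	"fmt"
	"time"
)

// Finalizer name taken from the issue; every type below is a hypothetical stand-in.
const requestFinalizer = "finalizer.request.ibm.com"

// Meta mirrors metadata.deletionTimestamp and metadata.finalizers.
type Meta struct {
	DeletionTimestamp *time.Time
	Finalizers        []string
}
type Namespace struct{ Meta }
type OperandRequest struct{ Meta }

type Action string

const (
	SyncOperands   Action = "sync-operands"    // normal path: create/update operands
	ReleaseRequest Action = "remove-finalizer" // namespace terminating: unblock deletion
	Nothing        Action = "nothing"          // finalizer already gone
)

// Reconcile checks the namespace before any create/update is attempted.
func Reconcile(ns Namespace, req *OperandRequest) Action {
	if ns.DeletionTimestamp == nil {
		return SyncOperands
	}
	kept := make([]string, 0, len(req.Finalizers))
	for _, f := range req.Finalizers {
		if f != requestFinalizer { // leave other controllers' finalizers alone
			kept = append(kept, f)
		}
	}
	if len(kept) == len(req.Finalizers) {
		return Nothing
	}
	req.Finalizers = kept
	return ReleaseRequest
}

func main() {
	now := time.Now()
	// Constructed sample request carrying a second, unrelated finalizer.
	req := &OperandRequest{Meta: Meta{Finalizers: []string{"example.test/other", requestFinalizer}}}
	fmt.Println(Reconcile(Namespace{}, req), req.Finalizers)
	fmt.Println(Reconcile(Namespace{Meta: Meta{DeletionTimestamp: &now}}, req), req.Finalizers)
}
```

In a real controller the finalizer removal is itself an update in the terminating namespace, so it still depends on the projected roles and rolebindings discussed in the comments above being present at that moment.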