NetApp / trident

Storage orchestrator for containers
Apache License 2.0

Installation via OpenShift OperatorHub fails #945

Open bliemli opened 2 weeks ago

bliemli commented 2 weeks ago

Describe the bug

Installing the trident Operator via OLM fails because the ClusterRole trident-controller cannot be created. The trident-operator pod reports:

level=error msg="Object creation failed." err="clusterroles.rbac.authorization.k8s.io \"trident-controller\" is forbidden: user \"system:serviceaccount:openshift-operators:trident-operator\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:openshift-operators\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"policy\"], Resources:[\"podsecuritypolicies\"], ResourceNames:[\"trident-controller\"], Verbs:[\"use\"]}" [...]

Accordingly, adding the following part to the ClusterRole trident-operator.v24.10.-3aACFHgukMrdtgkGJUPFa6rYeIOCOE2KMVXAfb makes the installation work:

- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  verbs:
  - use
  resourceNames:
  - trident-controller

However, the bug probably is that the Operator tries to create a ClusterRole containing a deprecated resource type, PodSecurityPolicy, in the first place.

Also, even though I installed the Operator in version 24.10, it creates resources in version 24.06.

Environment

Provide accurate information about the environment to help us reproduce the issue.

To Reproduce

Steps to reproduce the behavior:

apiVersion: trident.netapp.io/v1
kind: TridentOrchestrator
metadata:
  name: trident
spec:
  namespace: trident

Expected behavior

The Trident Operator successfully installs Trident in the desired namespace.
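The "attempting to grant RBAC permissions not currently held" error reported above comes from Kubernetes RBAC escalation prevention: a subject can only create a ClusterRole whose rules it already holds itself. The following is an added example, not part of the original issue and not Trident or Kubernetes code, that models the check in simplified form; the operator and controller rule sets are constructed for illustration, and only the workaround rule is taken from the post above.

```python
from itertools import product

def _has(held, wanted):
    """A held list matches a value if it contains it or the '*' wildcard."""
    return "*" in held or wanted in held

def rule_covers(held, group, resource, verb, name):
    """Does one held rule cover one atomic (group, resource, verb, name) request?"""
    held_names = held.get("resourceNames", [])
    # Empty resourceNames on the held rule means "every name" (name None = all names).
    name_ok = not held_names or (name is not None and name in held_names)
    return (_has(held["apiGroups"], group) and _has(held["resources"], resource)
            and _has(held["verbs"], verb) and name_ok)

def uncovered(held_rules, wanted_rules):
    """Return the atomic permissions in wanted_rules that no held rule covers."""
    missing = []
    for rule in wanted_rules:
        names = rule.get("resourceNames") or [None]
        for atom in product(rule["apiGroups"], rule["resources"], rule["verbs"], names):
            if not any(rule_covers(h, *atom) for h in held_rules):
                missing.append(atom)
    return missing

# Constructed rule sets (assumptions, not the real Trident manifests).
OPERATOR_RULES = [
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
     "verbs": ["create", "get", "update"]},
    {"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["get", "list"]},
]
CONTROLLER_ROLE = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
    {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
     "verbs": ["use"], "resourceNames": ["trident-controller"]},
]
# The rule from the workaround in the issue.
WORKAROUND = {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
              "verbs": ["use"], "resourceNames": ["trident-controller"]}

if __name__ == "__main__":
    print("before:", uncovered(OPERATOR_RULES, CONTROLLER_ROLE))
    print("after: ", uncovered(OPERATOR_RULES + [WORKAROUND], CONTROLLER_ROLE))
```

The model ignores subresource wildcards, nonResourceURLs, and the `escalate` verb, which in Kubernetes lets a subject bypass this check. Because the workaround rule is scoped by resourceNames, it covers only the trident-controller policy and would not cover a request for all PodSecurityPolicies.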

nullsumme commented 1 week ago

I’m experiencing the same issue. The workaround is effective, but I’m still hoping for a permanent solution.

antwynne commented 5 days ago

Another customer reports the same issue, where Trident 24.10 installation via OpenShift OperatorHub fails because the ClusterRole trident-controller cannot be created. The trident-operator pod reports:

level=error msg="Object creation failed." err="clusterroles.rbac.authorization.k8s.io \"trident-controller\" is forbidden: user \"system:serviceaccount:openshift-operators:trident-operator\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:openshift-operators\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"policy\"], Resources:[\"podsecuritypolicies\"], ResourceNames:[\"trident-controller\"], Verbs:[\"use\"]}" [...]

• Trident version: trident-operator.v24.10.0
• Kubernetes/OpenShift version: OpenShift 4.16.21

This method is not mentioned in the Trident installation options (https://docs.netapp.com/us-en/trident/trident-get-started/kubernetes-deploy-operator.html#critical-information-about-trident-24-10), but the customer is looking for a permanent solution.

mariusbertram commented 5 days ago

The community operator catalog links to trident-operator:24.06.0 in the ClusterServiceVersion: https://github.com/redhat-openshift-ecosystem/community-operators-prod/blob/b139ec686db33218339b0b3c6920ea9ebf54afb3/operators/trident-operator/24.10.0/manifests/trident-operator.v24.10.0.clusterserviceversion.yaml#L79C24-L79C65

mariusbertram commented 4 days ago

After you have installed the operator via OperatorHub, you need to patch the ClusterServiceVersion:

oc edit csv trident-operator.v24.10.0

and patch .spec.install.spec.deployments[0].template.spec.containers[0].image to docker.io/netapp/trident-operator:24.10.0