ansible / awx-resource-operator


SA resource-operator-controller-manager-job cannot list resource ansiblejobs #131

Open iamroddo opened 1 year ago

iamroddo commented 1 year ago

I have installed the AWX Resource Operator in a Minikube cluster in the same namespace as AWX using the command "IMG=awx-resource:dev make docker-build && NAMESPACE=awx make deploy IMG=awx-resource:dev" to build the operator image locally and use it in Minikube. I am able to deploy a JobTemplate to AWX running in the same namespace, but when I try to deploy a Project with the manifest below, I see an error in the logs of the pod that is kicked off to deploy this project.

AnsibleProject manifest

---
apiVersion: tower.ansible.com/v1alpha1
kind: AnsibleProject
metadata:
  name: test-project
spec:
  repo: <URL>
  tower_auth_secret: awx-local
  connection_secret: awx-local
  scm_type: Git
  organization: Default
  name: Test project via resource operator

Pod logs

[WARNING]: Unable to parse /runner/inventory as an inventory source
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'

PLAY [localhost] ***************************************************************

TASK [job_runner : Read AnsibleJob Specs] **************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was:     raise ApiException(http_resp=r)
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/usr/local/lib/python3.8/site-packages/kubernetes/dynamic/client.py\", line 55, in inner\n    resp = func(self, *args, **kwargs)\n  File \"/usr/local/lib/python3.8/site-packages/kubernetes/dynamic/client.py\", line 270, in request\n    api_response = self.client.call_api(\n  File \"/usr/local/lib/python3.8/site-packages/kubernetes/client/api_client.py\", line 348, in call_api\n    return self.__call_api(resource_path, method,\n  File \"/usr/local/lib/python3.8/site-packages/kubernetes/client/api_client.py\", line 180, in __call_api\n    response_data = self.request(\n  File \"/usr/local/lib/python3.8/site-packages/kubernetes/client/api_client.py\", line 373, in request\n    return self.rest_client.GET(url,\n  File \"/usr/local/lib/python3.8/site-packages/kubernetes/client/rest.py\", line 240, in GET\n    return self.request(\"GET\", url,\n  File \"/usr/local/lib/python3.8/site-packages/kubernetes/client/rest.py\", line 234, in request\n    raise ApiException(http_resp=r)\nkubernetes.client.exceptions.ApiException: (403)\nReason: Forbidden\nHTTP response headers: HTTPHeaderDict({'Audit-Id': 'e5b04f58-8fd4-4a2d-bf70-ddd8b214065b', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'X-Kubernetes-Pf-Flowschema-Uid': '2855c0c0-1dea-47fc-80fb-009b97a84615', 'X-Kubernetes-Pf-Prioritylevel-Uid': 'de09d317-c587-427c-8753-22a05d788475', 'Date': 'Fri, 21 Jul 2023 11:17:10 GMT', 'Content-Length': '387'})\nHTTP response body: b'{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"ansiblejobs.tower.ansible.com is forbidden: User \\\\\"system:serviceaccount:awx:resource-operator-controller-manager-job\\\\\" cannot list resource \\\\\"ansiblejobs\\\\\" in API group \\\\\"tower.ansible.com\\\\\" at the cluster 
scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"tower.ansible.com\",\"kind\":\"ansiblejobs\"},\"code\":403}\\n'\n\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n  File \"/root/.ansible/tmp/ansible-tmp-1689938228.168541-58-277705374183620/AnsiballZ_k8s_info.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/root/.ansible/tmp/ansible-tmp-1689938228.168541-58-277705374183620/AnsiballZ_k8s_info.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/root/.ansible/tmp/ansible-tmp-1689938228.168541-58-277705374183620/AnsiballZ_k8s_info.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.kubernetes.core.plugins.modules.k8s_info', init_globals=dict(_module_fqn='ansible_collections.kubernetes.core.plugins.modules.k8s_info', _modlib_path=modlib_path),\n  File \"/usr/lib64/python3.8/runpy.py\", line 207, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib64/python3.8/runpy.py\", line 97, in _run_module_code\n    _run_code(code, mod_globals, init_globals,\n  File \"/usr/lib64/python3.8/runpy.py\", line 87, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_k8s_info_payload_7g4ywld1/ansible_k8s_info_payload.zip/ansible_collections/kubernetes/core/plugins/modules/k8s_info.py\", line 206, in <module>\n  File \"/tmp/ansible_k8s_info_payload_7g4ywld1/ansible_k8s_info_payload.zip/ansible_collections/kubernetes/core/plugins/modules/k8s_info.py\", line 202, in main\n  File \"/tmp/ansible_k8s_info_payload_7g4ywld1/ansible_k8s_info_payload.zip/ansible_collections/kubernetes/core/plugins/modules/k8s_info.py\", line 173, in execute_module\n  File \"/tmp/ansible_k8s_info_payload_7g4ywld1/ansible_k8s_info_payload.zip/ansible_collections/kubernetes/core/plugins/module_utils/common.py\", line 324, in kubernetes_facts\n  File 
\"/usr/local/lib/python3.8/site-packages/kubernetes/dynamic/client.py\", line 112, in get\n    return self.request('get', path, **kwargs)\n  File \"/usr/local/lib/python3.8/site-packages/kubernetes/dynamic/client.py\", line 57, in inner\n    raise api_exception(e)\nkubernetes.dynamic.exceptions.ForbiddenError: 403\nReason: Forbidden\nHTTP response headers: HTTPHeaderDict({'Audit-Id': 'e5b04f58-8fd4-4a2d-bf70-ddd8b214065b', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'X-Kubernetes-Pf-Flowschema-Uid': '2855c0c0-1dea-47fc-80fb-009b97a84615', 'X-Kubernetes-Pf-Prioritylevel-Uid': 'de09d317-c587-427c-8753-22a05d788475', 'Date': 'Fri, 21 Jul 2023 11:17:10 GMT', 'Content-Length': '387'})\nHTTP response body: b'{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"ansiblejobs.tower.ansible.com is forbidden: User \\\\\"system:serviceaccount:awx:resource-operator-controller-manager-job\\\\\" cannot list resource \\\\\"ansiblejobs\\\\\" in API group \\\\\"tower.ansible.com\\\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"tower.ansible.com\",\"kind\":\"ansiblejobs\"},\"code\":403}\\n'\nOriginal traceback: \n  File \"/usr/local/lib/python3.8/site-packages/kubernetes/dynamic/client.py\", line 55, in inner\n    resp = func(self, *args, **kwargs)\n\n  File \"/usr/local/lib/python3.8/site-packages/kubernetes/dynamic/client.py\", line 270, in request\n    api_response = self.client.call_api(\n\n  File \"/usr/local/lib/python3.8/site-packages/kubernetes/client/api_client.py\", line 348, in call_api\n    return self.__call_api(resource_path, method,\n\n  File \"/usr/local/lib/python3.8/site-packages/kubernetes/client/api_client.py\", line 180, in __call_api\n    response_data = self.request(\n\n  File \"/usr/local/lib/python3.8/site-packages/kubernetes/client/api_client.py\", line 373, in request\n    return self.rest_client.GET(url,\n\n  File 
\"/usr/local/lib/python3.8/site-packages/kubernetes/client/rest.py\", line 240, in GET\n    return self.request(\"GET\", url,\n\n  File \"/usr/local/lib/python3.8/site-packages/kubernetes/client/rest.py\", line 234, in request\n    raise ApiException(http_resp=r)\n\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

PLAY RECAP *********************************************************************
localhost                  : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
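
Added example, not part of the original issue or the operator's own code: a triage helper that pulls the service account, verb, resource, API group and scope out of an RBAC denial like the one in the pod log above, then renders the narrowest rule and binding that would cover exactly that request. A denial "at the cluster scope" is only satisfied by a ClusterRole bound through a ClusterRoleBinding, so the scope decides which kinds are emitted. The object name it generates is hypothetical.

```python
import re

# Constructed sample: the denial text from the pod log above, keeping the
# log's nested backslash escaping and the line wrap before "scope".
SAMPLE = (r'User \\\"system:serviceaccount:awx:resource-operator-controller-manager-job\\\" '
          r'cannot list resource \\\"ansiblejobs\\\" in API group '
          r'\\\"tower.ansible.com\\\" at the cluster ' '\n' r'scope')

DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<target_ns>[^"]+)")')

def parse_denial(log_text):
    """Return the fields of the first RBAC denial in log_text, or None."""
    # Drop the log's escaping backslashes, then collapse wrapped lines.
    flat = re.sub(r'\s+', ' ', log_text.replace('\\', ''))
    m = DENIAL.search(flat)
    if m is None:
        return None
    fields = m.groupdict()
    fields['cluster_scope'] = fields['target_ns'] is None
    return fields

def minimal_rbac(d):
    """Render the narrowest Role/ClusterRole plus binding covering the denial."""
    cluster = d['cluster_scope']
    role_kind = 'ClusterRole' if cluster else 'Role'
    name = f"{d['sa']}-{d['verb']}-{d['resource']}"  # hypothetical object name
    ns_line = '' if cluster else f"  namespace: {d['target_ns']}\n"
    return (
        f"apiVersion: rbac.authorization.k8s.io/v1\nkind: {role_kind}\n"
        f"metadata:\n  name: {name}\n{ns_line}"
        f"rules:\n- apiGroups: [\"{d['group']}\"]\n"
        f"  resources: [\"{d['resource']}\"]\n  verbs: [\"{d['verb']}\"]\n"
        f"---\napiVersion: rbac.authorization.k8s.io/v1\nkind: {role_kind}Binding\n"
        f"metadata:\n  name: {name}\n{ns_line}"
        f"roleRef:\n  apiGroup: rbac.authorization.k8s.io\n"
        f"  kind: {role_kind}\n  name: {name}\n"
        f"subjects:\n- kind: ServiceAccount\n  name: {d['sa']}\n"
        f"  namespace: {d['sa_ns']}\n")

if __name__ == '__main__':
    print(minimal_rbac(parse_denial(SAMPLE)))
```

The rendered manifest is meant for review before it is applied; whether the job's service account should hold a cluster-wide list at all, rather than the lookup being limited to its own namespace, is a separate decision.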