ansibleplaybookbundle / ansible-playbook-bundle

THIS REPO IS MIGRATING: https://github.com/automationbroker/apb
GNU General Public License v2.0

Can not create RoleBinding object - "not found" error #120

Closed slaskawi closed 7 years ago

slaskawi commented 7 years ago

I'm trying to create a Role Binding object linked to my Service Account. Here's an example from my template.

When I try to create the following objects:

- name: Create Service Account
  k8s_v1_service_account:
    name: '{{ application_name }}'
    namespace: '{{ namespace }}'

- name: Create Role Binding
  openshift_v1_role_binding:
    namespace: '{{ namespace }}'
    name: '{{ application_name }}'
    user_names:
      - 'system:serviceaccount:{{ namespace }}:{{ application_name }}'
    role_ref_name: "view"
    subjects:
    - kind: ServiceAccount
      name: '{{ application_name }}'
      namespace: '{{ namespace }}'

I get the following error:

$ oc run apb-test --image=jboss-dataservices/datagrid-online-services-dev --restart=Never --attach=true -- provision -vvvvv -e namespace=myproject
If you don't see a command prompt, try pressing enter.
+ [[ provision -vvvvv -e namespace=myproject == *\s\2\i\/\a\s\s\e\m\b\l\e* ]]
+ ACTION=provision
+ shift
+ playbooks=/opt/apb/actions
+ CREDS=/var/tmp/bind-creds
+ TEST_RESULT=/var/tmp/test-result
+ whoami
+ '[' -w /etc/passwd ']'
++ id -u
+ echo 'apb:x:1000060000:0:apb user:/opt/apb:/sbin/nologin'
+ oc-login.sh
Attempting to login with a service account...
Logged into "https://kubernetes.default:443" as "system:serviceaccount:myproject:default" using the token provided.
You have one project on this server: "myproject"
Using project "myproject".
Welcome! See 'oc help' to get started.
+ set +x
ls: cannot access /etc/apb-secrets: No such file or directory
+ [[ -e /opt/apb/actions/provision.yaml ]]
+ [[ -e /opt/apb/actions/provision.yml ]]
+ ANSIBLE_ROLES_PATH=/etc/ansible/roles:/opt/ansible/roles
+ ansible-playbook /opt/apb/actions/provision.yml -vvvvv -e namespace=myproject
Using /etc/ansible/ansible.cfg as config file
 [WARNING]: provided hosts list is empty, only localhost is available
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc
PLAYBOOK: provision.yml ********************************************************
1 plays in /opt/apb/actions/provision.yml
PLAY [datagrid-online-services-apb playbook to provision the application] ******
META: ran handlers
TASK [ansible.kubernetes-modules : Install latest openshift client] ************
task path: /etc/ansible/roles/ansible.kubernetes-modules/tasks/main.yml:4
skipping: [localhost] => {
    "changed": false, 
    "skip_reason": "Conditional result was False", 
    "skipped": true
}
TASK [ansibleplaybookbundle.asb-modules : debug] *******************************
task path: /etc/ansible/roles/ansibleplaybookbundle.asb-modules/tasks/main.yml:2
ok: [localhost] => {
    "msg": "Ansible Service Broker modules loaded"
}
TASK [provision-datagrid-online-services-apb : Create Role Binding] ************
task path: /opt/ansible/roles/provision-datagrid-online-services-apb/tasks/main.yml:10
Using module file /etc/ansible/roles/ansible.kubernetes-modules/library/openshift_v1_role_binding.py
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: apb
<127.0.0.1> EXEC /bin/sh -c 'echo ~ && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /opt/apb/.ansible/tmp/ansible-tmp-1506330119.75-68815943302 `" && echo ansible-tmp-1506330119.75-68815943302="` echo /opt/apb/.ansible/tmp/ansible-tmp-1506330119.75-68815943302 `" ) && sleep 0'
<127.0.0.1> PUT /tmp/tmpOzsbzI TO /opt/apb/.ansible/tmp/ansible-tmp-1506330119.75-68815943302/openshift_v1_role_binding.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /opt/apb/.ansible/tmp/ansible-tmp-1506330119.75-68815943302/ /opt/apb/.ansible/tmp/ansible-tmp-1506330119.75-68815943302/openshift_v1_role_binding.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python2 /opt/apb/.ansible/tmp/ansible-tmp-1506330119.75-68815943302/openshift_v1_role_binding.py; rm -rf "/opt/apb/.ansible/tmp/ansible-tmp-1506330119.75-68815943302/" > /dev/null 2>&1 && sleep 0'
fatal: [localhost]: FAILED! => {
    "changed": false, 
    "error": 404, 
    "failed": true, 
    "invocation": {
        "module_args": {
            "annotations": null, 
            "api_key": null, 
            "cert_file": null, 
            "context": null, 
            "debug": false, 
            "force": false, 
            "group_names": null, 
            "host": null, 
            "key_file": null, 
            "kubeconfig": null, 
            "labels": null, 
            "name": "caching-service", 
            "namespace": "myproject", 
            "password": null, 
            "resource_definition": null, 
            "role_ref_api_version": null, 
            "role_ref_field_path": null, 
            "role_ref_kind": null, 
            "role_ref_name": "caching-service", 
            "role_ref_namespace": "myproject", 
            "role_ref_resource_version": null, 
            "role_ref_uid": null, 
            "src": null, 
            "ssl_ca_cert": null, 
            "state": "present", 
            "subjects": [
                {
                    "kind": "ServiceAccount", 
                    "name": "caching-service", 
                    "namespace": "myproject"
                }
            ], 
            "user_names": [
                "system:serviceaccount:myproject:caching-service"
            ], 
            "username": null, 
            "verify_ssl": null
        }
    }, 
    "msg": "Failed to create object: role.authorization.openshift.io \"caching-service\" not found"
}
    to retry, use: --limit @/opt/apb/actions/provision.retry

This might be connected to https://github.com/ansibleplaybookbundle/ansible-playbook-bundle/issues/119 but I'm not sure.

rthallisey commented 7 years ago

The role_binding is looking for a role named "role_ref_name": "caching-service", but doesn't find it. The role_binding name from #119 is name: infinispan-app-view. Try changing that to name: caching-service and see if it works. Reopen the issue if the problem persists and we'll try and figure it out.

slaskawi commented 7 years ago

@rthallisey I'm not sure if I understand...

In the example above, I'm using role_ref_name: "view". Why did the system figure out that I'm trying to use "role_ref_name": "caching-service"?

So just to give you an idea what I'm trying to achieve. The working object from OpenShift looks like this:

apiVersion: v1
groupNames: null
kind: RoleBinding
metadata:
  creationTimestamp: 2017-09-25T12:54:02Z
  labels:
    template: jdg-caching-service
  # Name... Think about "infinispan-app" as an {{ application_name }} from the example in the description.
  name: infinispan-app-view
  namespace: myproject
  resourceVersion: "1900"
  selfLink: /oapi/v1/namespaces/myproject/rolebindings/infinispan-app-view
  uid: 9b1a46ef-a1f0-11e7-96c4-54ee751d46e3
# Role Binding REF - it points to view
roleRef:
  name: view
subjects:
- kind: ServiceAccount
  name: infinispan-app
  namespace: myproject
userNames:
- system:serviceaccount:myproject:infinispan-app

rthallisey commented 7 years ago

This looks like another module bug: "role_ref_name": "caching-service". The template set roleRef: view and the resource wasn't created with that name. @fabianvf can you also look at this bug in the module.
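A pre-flight check for the situation in this thread, added here as an example and not code from the ansible-playbook-bundle project or the Ansible kubernetes modules. It builds a legacy (oapi/v1) RoleBinding body in the shape of the working object slaskawi posted, resolves its roleRef the way the OpenShift v1 authorization API does (a roleRef without a namespace names a ClusterRole, a roleRef with a namespace names a namespaced Role, which is consistent with the `role.authorization.openshift.io "caching-service" not found` error once `role_ref_namespace` was set), and compares the role the playbook asked for with the `module_args` the module actually submitted. The Role and ClusterRole inventories are constructed Python sets standing in for `oc get roles -n myproject` and `oc get clusterroles`; no cluster is contacted.

```python
"""Pre-flight check for an OpenShift v1 RoleBinding (added example, not project code).

Assumption (not from the issue): Role and ClusterRole inventories are passed in
as plain sets that stand in for `oc get roles -n <ns>` / `oc get clusterroles`.
"""


def build_role_binding(name, namespace, service_account, role_name, role_namespace=None):
    """Return a legacy (oapi/v1) RoleBinding body like the working object in the thread.

    Binding the service account to the built-in "view" ClusterRole, as the
    playbook intended, is the least-privilege choice when the pods only need to
    read objects in their own namespace.
    """
    role_ref = {"name": role_name}
    if role_namespace:
        role_ref["namespace"] = role_namespace
    return {
        "apiVersion": "v1",
        "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": namespace},
        "roleRef": role_ref,
        "subjects": [
            {"kind": "ServiceAccount", "name": service_account, "namespace": namespace}
        ],
        "userNames": ["system:serviceaccount:%s:%s" % (namespace, service_account)],
    }


def resolve_role_ref(binding, namespaced_roles, cluster_roles):
    """Resolve binding["roleRef"] against the inventories.

    Returns ("ClusterRole", name) or ("Role", namespace, name); returns None when
    the reference would produce the 404 seen in the issue.
    """
    ref = binding["roleRef"]
    ns = ref.get("namespace")
    if ns is None:
        return ("ClusterRole", ref["name"]) if ref["name"] in cluster_roles else None
    if ref["name"] in namespaced_roles.get(ns, set()):
        return ("Role", ns, ref["name"])
    return None


def diff_role_ref(requested_role, module_args):
    """Compare the role the playbook asked for with what the module submitted.

    module_args is the "invocation" block from `ansible-playbook -vvvvv` output.
    Returns a list of mismatches; empty when the module did what was asked.
    """
    problems = []
    sent = module_args.get("role_ref_name")
    if sent != requested_role:
        problems.append("role_ref_name: requested %r, module sent %r" % (requested_role, sent))
    if module_args.get("role_ref_namespace"):
        problems.append(
            "role_ref_namespace is %r: the server will look for a namespaced Role, "
            "not a ClusterRole" % module_args["role_ref_namespace"]
        )
    return problems


# Constructed inventory (not from the issue): no namespaced Roles in myproject,
# only the default OpenShift cluster roles.
NAMESPACED_ROLES = {"myproject": set()}
CLUSTER_ROLES = {"view", "edit", "admin"}

# module_args copied from the failed task in the issue (non-null fields only).
FAILED_MODULE_ARGS = {
    "name": "caching-service",
    "namespace": "myproject",
    "role_ref_name": "caching-service",
    "role_ref_namespace": "myproject",
    "state": "present",
}


if __name__ == "__main__":
    wanted = build_role_binding("caching-service", "myproject", "caching-service", "view")
    print("intended roleRef resolves to:",
          resolve_role_ref(wanted, NAMESPACED_ROLES, CLUSTER_ROLES))

    submitted = build_role_binding(
        "caching-service", "myproject", "caching-service",
        FAILED_MODULE_ARGS["role_ref_name"], FAILED_MODULE_ARGS["role_ref_namespace"])
    print("submitted roleRef resolves to:",
          resolve_role_ref(submitted, NAMESPACED_ROLES, CLUSTER_ROLES))
    for problem in diff_role_ref("view", FAILED_MODULE_ARGS):
        print("mismatch:", problem)
```

Running `diff_role_ref` against the `invocation` block of a failed task makes the module bug visible before the API call: the playbook requested `view`, the module sent `caching-service` and also set `role_ref_namespace`, so the server searched for a namespaced Role that never existed instead of the `view` ClusterRole.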

slaskawi commented 7 years ago

@rthallisey @fabianvf Hey guys, can we either reopen this issue (and https://github.com/ansibleplaybookbundle/ansible-playbook-bundle/issues/119) or create another one somewhere else? This is actually a big deal for me since it blocks clustering functionality in Infinispan so I would like to make sure it won't slip between our fingers.

fabianvf commented 7 years ago

@slaskawi copied to openshift/openshift-restclient-python#92