ansibleplaybookbundle / eclipse-che-apb


Che APB installation fails on minishift with default configuration #19

Open ibuziuk opened 6 years ago

ibuziuk commented 6 years ago

Steps to reproduce:


The service is not yet ready. Error provisioning ServiceInstance of ClusterServiceClass (K8S: "1882ffca5d72b1084e9107e3485f5066" ExternalName: "dh-eclipse-che-apb") at ClusterServiceBroker "ansible-service-broker": Status: 403; ErrorMessage: ; Description: User does not have sufficient permissions; ResponseError:

minishift version - v1.20.0+53c500a

[1] https://github.com/ansibleplaybookbundle/eclipse-che-apb#requirements

l0rd commented 6 years ago

@ibuziuk can you please verify if you are able to deploy any APB?

ibuziuk commented 6 years ago

yeah, sure I will

ibuziuk commented 6 years ago

@l0rd Apache HTTP Server (httpd) seems to work fine.

l0rd commented 6 years ago

@ibuziuk are you able to retrieve the provisioning logs as described here?

ibuziuk commented 6 years ago

@l0rd after some attempts I was finally able to start che via apb and start a workspace:


Not sure, though, what did the trick. I will do the installation setup from scratch again and update the docs if needed. The funny thing is that `apb bootstrap` results in a 403 error for me, but installing Che via APB nevertheless worked even without this step:

Running APB image: docker.io/ansibleplaybookbundle/apb-tools:canary
Targetting minishift host: tcp://192.168.42.121:2376
Contacting the ansible-service-broker at: https://asb-openshift-automation-service-broker.192.168.42.121.nip.io/openshift-automation-service-broker/v2/bootstrap
Error: Attempt to bootstrap Broker returned status: 403
Unable to bootstrap Ansible Service Broker.

ibuziuk commented 6 years ago

@l0rd so far I was able to run Che via APB only after granting the cluster-admin role to developer:

oc adm policy add-cluster-role-to-user cluster-admin developer

this does not sound like something expected, right?

ibuziuk commented 6 years ago

Not related to this issue, but I also sent a PR with a typo fix in the README - https://github.com/ansibleplaybookbundle/eclipse-che-apb/pull/20

l0rd commented 6 years ago

@ibuziuk granting developer the admin role is needed to run the apb CLI tool. But that is needed only for development.

If installing Che using the service catalog UI, the role of your user doesn't matter. It would be useful if you could provide the provisioning logs (if any) as requested in the comment above.

ibuziuk commented 6 years ago

@l0rd I was able to retrieve only the ASB logs [1]. The provisioning namespace / pod were not created.


[1] https://pastebin.com/rteAQAD1

ghost commented 6 years ago

@ibuziuk @l0rd but isn't it something that we ultimately want to achieve? One installation per cluster: an admin does it, or whoever has admin privileges.

I can confirm I have the same with OKD 3.10

l0rd commented 6 years ago

@eivantsov what do you mean? Here the problem is that @ibuziuk is not able to successfully provision Che using the Che APB. And he cannot get any log about why the APB is failing to start (except "User doesn't have enough permissions", and I suspect that the User is the ASB user, not @ibuziuk's user).

Regarding the admin privileges:

ghost commented 6 years ago

@l0rd I mean don't we want to have a limited number of users (admins only) to deploy Che?

For me it works now only after I granted the OpenShift user cluster-admin privileges. So I had to:

  1. Add cluster-admin role to OpenShift user
  2. Edit cm to change sandbox role to admin

Not one or the other, but both. So, different issues.

Since the installation will require admin privileges anyway (for stacks and for editing the configmap - sandbox role to admin), I don't see any issues with requiring a user to be a cluster admin. Maybe not for upstream, though.

Currently, I do not see any relevant logs related to "User doesn't have permissions".

l0rd commented 6 years ago

@l0rd I mean don't we want to have a limited number of users (admins only) to deploy Che?

I agree. We have been discussing it on the corresponding issue #18

Since the installation will require admin privileges anyway (for stacks and editing configmap - sandbox role to admin)

Upstream doesn't need to build and create imagestreams for stacks, right? And I think we should not change the sandbox role to admin anymore. We should rather manually create the RoleBinding. It has the benefit of not requiring admin rights and can be done after provisioning. This was discussed here and here. We need to avoid requiring admin privileges; it limits Che adoption. I hope we agree on that.

ghost commented 6 years ago

@l0rd yes, keep provisioning on failure and then manually create the SA and RoleBinding. Looks OK.

But i am still puzzled with the original problem - why only an admin OpenShift user can provision Che?

l0rd commented 6 years ago

But i am still puzzled with the original problem - why only an admin OpenShift user can provision Che?

I don't know. And I cannot test it myself right now. Maybe the ASB log has some hint?

ghost commented 6 years ago

@l0rd I can only see what is obvious. The 403 is the response to the PUT call:

172.17.0.6 - - [14/Aug/2018:15:44:19 +0000] "PUT /osb/v2/service_instances/e83638d1-9fd8-11e8-b49e-0242ac110009?accepts_incomplete=true HTTP/1.1" 403 65
time="2018-08-14T15:44:19Z" level=info msg="Request: \"PUT /osb/v2/service_instances/e83638d1-9fd8-11e8-b49e-0242ac110009?accepts_incomplete=true HTTP/1.1\\r\\nHost: broker.openshift-automation-service-broker.svc:1338\\r\\nAccept-Encoding: gzip\\r\\nContent-Length: 1039\\r\\nContent-Type: application/json\\r\\nUser-Agent: Go-http-client/1.1\\r\\nX-Broker-Api-Originating-Identity: kubernetes eyJ1c2VybmFtZSI6ImRldmVsb3BlciIsInVpZCI6IiIsImdyb3VwcyI6WyJzeXN0ZW06YXV0aGVudGljYXRlZDpvYXV0aCIsInN5c3RlbTphdXRoZW50aWNhdGVkIl0sImV4dHJhIjp7InNjb3Blcy5hdXRob3JpemF0aW9uLm9wZW5zaGlmdC5pbyI6WyJ1c2VyOmZ1bGwiXX19\\r\\nX-Broker-Api-Version: 2.13\\r\\n\\r\\n{\\\"service_id\\\":\\\"1882ffca5d72b1084e9107e3485f5066\\\",\\\"plan_id\\\":\\\"17835fe3e1d51c1136eecc730e0ef738\\\",\\\"organization_guid\\\":\\\"3d0309fa-9fd8-11e8-bbb1-54e1ad81a005\\\",\\\"space_guid\\\":\\\"3d0309fa-9fd8-11e8-bbb1-54e1ad81a005\\\",\\\"parameters\\\":{\\\"che_data_pvc_quantity\\\":\\\"1Gi\\\",\\\"che_debug_server\\\":false,\\\"che_image_tag\\\":\\\"nightly\\\",\\\"che_infra_kubernetes_pvc_precreate__subpaths\\\":true,\\\"che_infra_kubernetes_pvc_quantity\\\":\\\"1Gi\\\",\\\"che_infra_kubernetes_pvc_strategy\\\":\\\"unique\\\",\\\"che_jdbc_db_host\\\":\\\"postgres\\\",\\\"che_jdbc_db_name\\\":\\\"dbche\\\",\\\"che_jdbc_db_password\\\":\\\"pgchepassword\\\",\\\"che_jdbc_db_port\\\":\\\"5432\\\",\\\"che_jdbc_db_username\\\":\\\"pgche\\\",\\\"che_keycloak_admin_password\\\":\\\"admin\\\",\\\"che_keycloak_admin_username\\\":\\\"admin\\\",\\\"che_keycloak_client__id\\\":\\\"che-public\\\",\\\"che_keycloak_realm\\\":\\\"che\\\",\\\"che_log_level\\\":\\\"INFO\\\",\\\"che_predefined_stacks_reload__on__start\\\":true,\\\"che_server_deployment_stragety\\\":\\\"Recreate\\\",\\\"che_server_image_pull_policy\\\":\\\"IfNotPresent\\\",\\\"che_workspace_auto_start\\\":false},\\\"context\\\":{\\\"clusterid\\\":\\\"2fcdfdaf-9fd8-11e8-8551-0242ac110006\\\",\\\"namespace\\\":\\\"myproject\\\",\\\"platform\\\":\\\"kubernetes\\\"}}\""

I have also found this https://trello.com/c/KO5c6Ixp/345-13-37-approach-to-user-impersonation-service-account-privileges-for-apbs-and-the-broker
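The Open Service Broker API carries the identity of the platform user behind a request in the X-Broker-Api-Originating-Identity header, formatted as `<platform> <base64 JSON>`, so the request dump above can be decoded to see on whose behalf the service catalog asked the broker to provision. The following is an added example, not code from this thread, from the Che APB or from the broker: it parses the log excerpt posted above (the sample below is constructed from that excerpt with the JSON request body removed, since the identity lives in the header), decodes the header, and pairs each non-2xx response with the identity that was forwarded for it. Decoded, the header in the posted log names `developer` with the groups `system:authenticated:oauth` and `system:authenticated` and no admin group, i.e. the forwarded identity is the OpenShift user who clicked provision, which is consistent with the cluster-admin grant changing the outcome. The log alone does not show which authorization check the broker failed.

```python
import base64
import json
import re

# Sample ASB log, constructed for this example from the excerpt posted above:
# the access-log line plus the header part of the logged request dump. The JSON
# request body has been dropped because the identity is carried in the header.
ASB_LOG = r'''
172.17.0.6 - - [14/Aug/2018:15:44:19 +0000] "PUT /osb/v2/service_instances/e83638d1-9fd8-11e8-b49e-0242ac110009?accepts_incomplete=true HTTP/1.1" 403 65
time="2018-08-14T15:44:19Z" level=info msg="Request: \"PUT /osb/v2/service_instances/e83638d1-9fd8-11e8-b49e-0242ac110009?accepts_incomplete=true HTTP/1.1\\r\\nHost: broker.openshift-automation-service-broker.svc:1338\\r\\nX-Broker-Api-Originating-Identity: kubernetes eyJ1c2VybmFtZSI6ImRldmVsb3BlciIsInVpZCI6IiIsImdyb3VwcyI6WyJzeXN0ZW06YXV0aGVudGljYXRlZDpvYXV0aCIsInN5c3RlbTphdXRoZW50aWNhdGVkIl0sImV4dHJhIjp7InNjb3Blcy5hdXRob3JpemF0aW9uLm9wZW5zaGlmdC5pbyI6WyJ1c2VyOmZ1bGwiXX19\\r\\nX-Broker-Api-Version: 2.13\\r\\n\\r\\n\""
'''

# Access-log line: "<METHOD> <path> HTTP/x.y" <status> <bytes>
ACCESS_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+')
# Request dump as logged by the broker: the request line appears escaped as \"PUT ... HTTP/
REQUEST_LINE_RE = re.compile(r'Request: \\"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')
# OSB header: X-Broker-Api-Originating-Identity: <platform> <base64 JSON>
IDENTITY_RE = re.compile(
    r'X-Broker-Api-Originating-Identity:\s*(?P<platform>\w+)\s+(?P<value>[A-Za-z0-9+/=]+)')


def decode_originating_identity(header_value):
    """Split "<platform> <base64 JSON>" and return (platform, identity dict).

    The OSB spec allows the base64 value to be sent without padding, so the
    padding is restored before decoding.
    """
    platform, _, encoded = header_value.strip().partition(" ")
    if not platform or not encoded:
        raise ValueError("malformed X-Broker-Api-Originating-Identity value")
    encoded += "=" * (-len(encoded) % 4)
    return platform, json.loads(base64.b64decode(encoded))


def analyze_asb_log(log_text):
    """Pair every non-2xx OSB response with the identity forwarded for that request.

    Returns one dict per failed request with method, path, status and
    'originating_identity' (platform plus decoded claims) when the matching
    request dump was logged, otherwise None.
    """
    identities = {}
    failures = []
    for line in log_text.splitlines():
        req, ident = REQUEST_LINE_RE.search(line), IDENTITY_RE.search(line)
        if req and ident:
            platform, claims = decode_originating_identity(
                "%s %s" % (ident["platform"], ident["value"]))
            identities[(req["method"], req["path"])] = {"platform": platform, **claims}
        acc = ACCESS_RE.search(line)
        if acc and not acc["status"].startswith("2"):
            failures.append({"method": acc["method"], "path": acc["path"],
                             "status": int(acc["status"])})
    for failure in failures:
        failure["originating_identity"] = identities.get((failure["method"], failure["path"]))
    return failures


if __name__ == "__main__":
    for f in analyze_asb_log(ASB_LOG):
        who = f["originating_identity"]
        print("%d on %s %s" % (f["status"], f["method"], f["path"]))
        if who:
            print("  forwarded identity: %s groups=%s platform=%s"
                  % (who["username"], who["groups"], who["platform"]))
```

Feed it the full ASB log (the pastebin above, or `oc logs` of the broker pod) instead of the embedded sample to list every rejected call together with the user the catalog impersonated; a 403 paired with a plain `system:authenticated` identity points at the originating user's RBAC rather than at the broker's own service account.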

ghost commented 6 years ago

And it's not just Che APB that behaves like that but all of them?

I think we miss some important info.

ibuziuk commented 6 years ago

I have created an issue in ansible-service-broker - https://github.com/openshift/ansible-service-broker/issues/1056. @tchughesiv @jcpowermac, maybe you have some ideas?

ghost commented 6 years ago

I talked to @ruromero and he seems to have an identical setup but can provision APB as a normal user.

ibuziuk commented 6 years ago

@eivantsov hmmm... but for you it is still failing without cluster admin, right?

ghost commented 6 years ago

Yes, still fails for normal users