Cannot install prometheus apb on openshift v3.9.0

[cunningt]

Installed ansible service broker on openshift v3.9.0 (used ansible-service-broker release-1.1 branch)

ORIGIN_VERSION=v3.9.0 ./run_latest_build.sh

oc create -n ansible-service-broker -f https://raw.githubusercontent.com/ansibleplaybookbundle/ansible-playbook-bundle/apb-1.1.6-1/templates/openshift-permissions.template.yaml

oc export cm/broker-config -n ansible-service-broker | sed 's/sandbox_role: .*/sandbox_role: \"admin\"/' | oc replace -f - cm/broker-config -n ansible-service-broker

Prometheus-apb shows up in the catalog. I then tried installing the prometheus-apb through the UI and I get this error --

oc log apb-bac0a3e9-4f78-4dca-b6c3-554fd8aed7ed W0510 11:39:51.150100 87366 cmd.go:358] log is DEPRECATED and will be removed in a future version. Use logs instead.

• [[ provision --extra-vars {"PROMETHEUS_SECURED_DEPLOYMENT":false,"SMTP_AUTH_PASS":"password","SMTP_AUTH_USER":"alertmanager","SMTP_FROM":"alertmanager@example.org","SMTP_HOST":"localhost","SMTP_PORT":25,"_apb_plan_id":"ephemeral","_apb_service_class_id":"f755257efed3e3d43c8b82afd0db1181","_apb_service_instance_id":"f8471baf-dab0-4c74-bb16-6df46f2d71e1","cluster":"openshift","namespace":"foobar"} == \s\2\i\/\a\s\s\e\m\b\l\e ]]
• ACTION=provision
• shift
• playbooks=/opt/apb/actions
• CREDS=/var/tmp/bind-creds
• TEST_RESULT=/var/tmp/test-result
• whoami
• '[' -w /etc/passwd ']' ++ id -u
• echo 'apb:x:1000130000:0:apb user:/opt/apb:/sbin/nologin'
• set +x
• [[ -e /opt/apb/actions/provision.yaml ]]
• [[ -e /opt/apb/actions/provision.yml ]]
• ANSIBLE_ROLES_PATH=/etc/ansible/roles:/opt/ansible/roles
• ansible-playbook /opt/apb/actions/provision.yml --extra-vars '{"PROMETHEUS_SECURED_DEPLOYMENT":false,"SMTP_AUTH_PASS":"password","SMTP_AUTH_USER":"alertmanager","SMTP_FROM":"alertmanager@example.org","SMTP_HOST":"localhost","SMTP_PORT":25,"_apb_plan_id":"ephemeral","_apb_service_class_id":"f755257efed3e3d43c8b82afd0db1181","_apb_service_instance_id":"f8471baf-dab0-4c74-bb16-6df46f2d71e1","cluster":"openshift","namespace":"foobar"}' [WARNING]: Could not match supplied host pattern, ignoring: all [WARNING]: provided hosts list is empty, only localhost is available [WARNING]: Found variable using reserved name: action

PLAY [[PROMETHEUS APB][TEST] Provision application Prometheus APB] *****

TASK [ansible.kubernetes-modules : Install latest openshift client] **** skipping: [localhost]

TASK [ansibleplaybookbundle.asb-modules : debug] *** skipping: [localhost]

TASK [prometheus-apb : [PROMETHEUS APB][MAIN] Deploying Prometheus] **** included: /opt/ansible/roles/prometheus-apb/tasks/prometheus.yml for localhost

TASK [prometheus-apb : [PROMETHEUS APB][PROMETHEUS] Set to present the Prometheus ServiceAccount] *** changed: [localhost]

TASK [prometheus-apb : [PROMETHEUS APB][PROMETHEUS] Recover secret name] *** ok: [localhost] => (item={u'kind': None, u'name': u'prometheus-token-tfrmc', u'namespace': None, u'resource_version': None, u'field_path': None, u'api_version': None, u'uid': None}) skipping: [localhost] => (item={u'kind': None, u'name': u'prometheus-dockercfg-64tvz', u'namespace': None, u'resource_version': None, u'field_path': None, u'api_version': None, u'uid': None})

TASK [prometheus-apb : [PROMETHEUS APB][PROMETHEUS] Recovering Service Account token] *** ok: [localhost]

TASK [prometheus-apb : [PROMETHEUS APB][PROMETHEUS] Creating a fact with the secret token of Service Account] *** ok: [localhost]

TASK [prometheus-apb : [PROMETHEUS APB][PROMETHEUS] Set to present RoleBinding for Service Account] *** fatal: [localhost]: FAILED! => {"changed": false, "error": 403, "msg": "Failed to retrieve requested object: rolebindings.rbac.authorization.k8s.io \"prometheus-view\" is forbidden: User \"system:serviceaccount:dh-prometheus-apb-prov-qr75t:apb-bac0a3e9-4f78-4dca-b6c3-554fd8aed7ed\" cannot get rolebindings.rbac.authorization.k8s.io in the namespace \"foobar\": User \"system:serviceaccount:dh-prometheus-apb-prov-qr75t:apb-bac0a3e9-4f78-4dca-b6c3-554fd8aed7ed\" cannot get rolebindings.rbac.authorization.k8s.io in project \"foobar\""} to retry, use: --limit @/opt/apb/actions/provision.retry

PLAY RECAP ***** localhost : ok=5 changed=1 unreachable=0 failed=1

• EXIT_CODE=2
• set +ex
• '[' -f /var/tmp/test-result ']'
• exit 2 tcunning@ovpn-121-90:/tmp/ansible-service-

[cunningt]

Got this working, I think it was a permissions issue.

[horakg]

getting the same error during deployment. What was the solution to get a working deployment?

[cunningt]

@horakg I think the error here was caused by sandbox_role being edit.

oc export cm/broker-config -n automation-broker | sed 's/sandbox_role: .*/sandbox_role: \"admin\"/' | oc replace -f - cm/broker-config -n automationbroker

oc rollout latest dc/automation-broker -n automation-broker

I also saw a similar error when trying to use the cdk with 3.10 - I had to switch from enabling automation-service-broker to installing it as djzager described in https://github.com/openshift/ansible-service-broker/issues/1056#issuecomment-416055163.

This is the series of steps that works for me for installing prometheus through APB --

oc login -u system:admin curl https://raw.githubusercontent.com/openshift/ansible-service-broker/release-1.2/apb/install.yaml | oc create -f - oc get projects -w until ansible-broker shows up

oc export cm/broker-config -n automation-broker  | sed 's/sandbox_role: .*/sandbox_role: \"admin\"/' | oc replace -f - cm/broker-config -n automation-broker

[horakg]

@cunningt - thanks it worked now