Closed ibuziuk closed 1 year ago
We'll use this issue for re-investigating our security context setup for OCP 4.12 support.
@ibuziuk Thank you for addressing this!
After further investigating we have found a few items to address:
README
instructions and/or our documentation@ibuziuk In this thread, could you provide the linked issue(s) which are being blocked by this issue.
Storage enabled volume now defaults to false fixing the security context issues: https://github.com/devfile/registry-operator/pull/40
Additional PRs coming in the next sprint for updating the documentation and providing webhook validation.
just for the record, the issue happen in any namespace, not just default e.g.
could you provide the linked issue(s) which are being blocked by this issue.
well, I put the blocker label since it was not possible to use the operator for deploying registries via CR on 4.11 and 4.12
@ibuziuk
just for the record, the issue happen in any namespace, not just default e.g.
could you provide the linked issue(s) which are being blocked by this issue.
Thanks for catching and addressing this. We also caught this too during our deployment testing and disabling the storage enabled volume https://github.com/devfile/api/issues/1092#issuecomment-1495075473 seems to have fixed this during additional tests with OCP 4.12 environments.
well, I put the blocker label since it was not possible to use the operator for deploying registries via CR on 4.11 and 4.12
This is understandable that any issue needing to use the registry operator will be blocked by this issue. With the blocker label, it is good to have what issue(s) are being blocked which triggered the creation of the issue in addition to any additional issues that others can report on in the thread, helps us keep track of what is going on.
Side note: Officially, we are only supporting OCP 4.12 at this point. This will added to our requirements in documentation as one of the TODOs for this issue.
thanks, I added some details in the spike we had on the Eclipse Che end - https://github.com/eclipse/che/issues/22075#issuecomment-1496281368
In addition to the work completed last sprint, https://github.com/devfile/api/issues/1092#issuecomment-1495075473, two more tasks remain for this sprint:
Work in progress has webhook validation which prints the following error message when trying to deploy a devfile registry to a default namespace:
Error from server (devfile registry deployment namespace should never be 'default'.): error when creating "registry.yaml": admission webhook "vdevfileregistry.kb.io" denied the request: devfile registry deployment namespace should never be 'default'.
Work in progress has webhook validation which prints the following error message when trying to deploy a devfile registry to a default namespace:
Error from server (devfile registry deployment namespace should never be 'default'.): error when creating "registry.yaml": admission webhook "vdevfileregistry.kb.io" denied the request: devfile registry deployment namespace should never be 'default'.
@michael-valdron that looks good but can we avoid the duplicate error message devfile registry deployment namespace should never be 'default'
(caused by error wrapping I think)
Should we say something along the lines of 'default' namespace is forbidden for devfile registry deployment. Retry the deployment with a non-default namespace
That way, users are guided on the corrective action to take.
Updating to webhook validation test cases to take these changes into account.
Webhook changes to validate the namespace is not default is now ready for review: https://github.com/devfile/registry-operator/pull/41
Additional PR is being worked on for documentation changes.
part of epic https://github.com/devfile/api/issues/1007
Deployment requirements outline in README.md
is now ready for review: devfile/registry-operator#42
Latest changes to the registry operator seems to have fixed the errors shown in this issue while using OCP 4.12 and Kubernetes 1.23.
@ibuziuk Can you confirm if this is fixed on your end?
Additional time is needed for the review on this, target date has been updated. Confirmation of PR fixes and PR revisions to provide correct Kubernetes version requirements are still needed to close this issue.
tested on 4.12 nightly and it seems to work :+1:
Now using issue #662 to track documentation additions related to the requirements these changes support.
Since it is confirmed that the changes completed in https://github.com/devfile/registry-operator/pull/40 and https://github.com/devfile/registry-operator/pull/41 have resolved this issue I will be closing it now.
Which area this feature is related to?
/kind bug
Which area this bug is related to?
What versions of software are you using?
latest from main
Go project
Operating System and version:
OpenShift 4.12
Go Pkg Version:
Node.js project
Operating System and version:
Node.js version:
Yarn version:
Project.json:
Web browser
Operating System and version:
Browser name and version:
Bug Summary
Describe the bug:
To Reproduce:
Install registry operator on 4.12 create
devfile-registry
namespace and create CR in it based onquay.io/devfile/devfile-index:next
ERROR: pod can not be started:
Expected behavior
Any logs, error output, screenshots etc? Provide the devfile that sees this bug, if applicable
Additional context
Any workaround?
N / A
Suggestion on how to fix the bug
related docs - https://devfile.io/docs/2.2.0/deploying-a-devfile-registry#deploying-a-devfile-registry-with-operator-lifecycle-manager
Target Date: 05-02-2023