search

isovalent / olm-for-cilium

OpenShift Operator Lifecycle Manager for Cilium
Other
6 stars 5 forks source link

BGP Control Plane - OLM is attempting to grant RBAC permissions not currently held #91

Open camrossi opened 8 months ago

camrossi commented 8 months ago

Hello,

I am trying to install Cilium on OpenShift 4.15 with BGP Control plan enabled in the OLM Manifest:

  bgpControlPlane:
    enabled: true

This result in the Operator to fail with this error message:

2024-03-20T03:33:39Z    ERROR   helm.controller Release failed  {
  "namespace": "cilium",
  "name": "cilium",
  "apiVersion": "cilium.io/v1alpha1",
  "kind": "CiliumConfig",
  "release": "cilium",
  "error": "failed to install release: 2 errors occurred:\n\t* roles.rbac.authorization.k8s.io \"cilium-bgp-control-plane-secrets\" is forbidden: user \"system:serviceaccount:cilium:cilium-olm\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:cilium\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"\"], Resources:[\"secrets\"], Verbs:[\"get\" \"list\" \"watch\"]}\n\t* roles.rbac.authorization.k8s.io \"cilium-bgp-control-plane-secrets\" not found\n\n",
}

This seems a similar issue as reported in #89 as a work around I have edited cluster-network-06-cilium-00009-cilium-cilium-clusterrole.yaml and added:

  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch

This seems to have fixed the issue

saintdle commented 5 months ago

Using this should stop the error message

    bgpControlPlane:
      enabled: true
      secretsNamespace:
        name: cilium
        create: false