Getting error on removing che addon

[coolbrg]

We are getting following error in removing che addon:

$ minishift addons remove che
-- Removing addon 'che':
[CHE] Removing Che server Template.
[CHE] Removing mini-che project..error: unable to find target [developer]
Error removing the add-on: Error executing command 'oc adm policy remove-role-from-user system:image-builder developer -n openshift'.

Not sure what happened in recent time, but it was working fine before.

Also, it would be great if we have che integration test https://github.com/minishift/minishift-addons/issues/104. Then we can easily catch these sort of issue in nightly job https://ci.centos.org/job/minishift-addons-nightly-b2d

See https://issues.jboss.org/browse/CDK-287

/cc @garagatyi, @l0rd @sunix

[LalatenduMohanty]

@budhrg How much time given between the apply command and remove command. Not sure if you had enabled it.

[coolbrg]

How much time given between the apply command and remove command. Not sure if you had enabled it.

10mins and tried with a little time gap in apply and remove.

[coolbrg]

Any update here @garagatyi, @l0rd @sunix ?

[agajdosi]

@budhrg, @LalatenduMohanty I have looked on this and found the oc command has problem listing roles:

[agajdosi@dhcp-24-156 minishift]$ oc adm policy remove-role-from-user system:image-builder developer -n openshift
Error from server (Forbidden): rolebindings.authorization.openshift.io is forbidden: User "developer" cannot list rolebindings.authorization.openshift.io in the namespace "openshift": User "developer" cannot list rolebindings.authorization.openshift.io in project "openshift"

So I have added --as system:admin to see how that goes, but even that command failed:

[agajdosi@dhcp-24-156 minishift]$ oc adm policy remove-role-from-user system:image-builder developer -n openshift --as system:admin
error: unable to find target [developer]

Seems that user developer does not have that role assigned in namespace openshift, thus it cannot be removed. This is negative also from oc get rolebindings:

[agajdosi@dhcp-24-156 minishift]$ oc get rolebindings --as system:admin
NAME                      ROLE                               USERS     GROUPS                             SERVICE ACCOUNTS   SUBJECTS
shared-resource-viewers   openshift/shared-resource-viewer             system:authenticated                                  
system:deployers          /system:deployer                                                                deployer           
system:image-builders     /system:image-builder                                                           builder            
system:image-pullers      /system:image-puller                         system:serviceaccounts:openshift                  

Also since https://github.com/minishift/minishift-addons/commit/d13aaa66980127531f6f5fc915ec3a0b6302dec2 when the oc adm policy remove-role-from-user system:image-builder developer -n openshift command in remove was introduced I do not see any oc adm policy add-role-to-user which is done in openshift namespace.

The only role adding command in Che addon is done in mini-che namespace:

oc adm policy add-role-to-user admin developer -n #{NAMESPACE}

When I add the developer user to the role before addon removal, the removal goes well.

I thus believe the command oc adm policy remove-role-from-user system:image-builder developer -n openshift --as system:admin is extra here and could be removed. @garagatyi, @l0rd @sunix could you please confirm or give me a hint what I am missing? Would like to fix the issue.

EDIT: command might be needed for another version of Che, going to try. EDIT2: situation for Che 5 is the same, looks like no need for removal of role.

[l0rd]

123 should fix this issue

[coolbrg]

123 should fix this issue

Hoping @l0rd :crossed_fingers: