zhouhuaian / redhat_bot_test


After replacing ClusterRoleBindings with RoleBindings, Kafka autodiscovery and PublicAPI don't work #557

Open zhouhuaian opened 6 months ago

zhouhuaian commented 6 months ago

After replacing ClusterRoleBindings with RoleBindings, Kafka autodiscovery and PublicAPI don't work.

After this PR https://github.com/syndesisio/syndesis/pull/9052/commits/f7cd153d495bd2a7e1f189786f4438c46b513aab, by default only RoleBindings (instead of ClusterRoleBindings) are created for Kafka and PublicOauthProxy (syndesis-server--kafka and syndesis--auth-delegator). That causes these features not to work.

For Kafka: While creating a Kafka connection, there is an exception in syndesis-meta:
{code:java}
2020-09-23 11:28:00.237 WARN 1 --- [ XNIO-1 task-1] i.s.c.kafka.KafkaMetaDataRetrieval : Couldn't auto discover any kafka broker.
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://172.30.0.1/apis/kafka.strimzi.io/v1beta1/kafkas. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. kafkas.kafka.strimzi.io is forbidden: User "system:serviceaccount:mkralik2:syndesis-server" cannot list kafkas.kafka.strimzi.io at the cluster scope: no RBAC policy matched.
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:568) ~[kubernetes-client-4.9.0.jar!/:na]
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:505) ~[kubernetes-client-4.9.0.jar!/:na]
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:471) ~[kubernetes-client-4.9.0.jar!/:na]
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:430) ~[kubernetes-client-4.9.0.jar!/:na]
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:412) ~[kubernetes-client-4.9.0.jar!/:na]
    at io.fabric8.kubernetes.client.dsl.base.BaseOperation.listRequestHelper(BaseOperation.java:151) ~[kubernetes-client-4.9.0.jar!/:na]
    at io.fabric8.kubernetes.client.dsl.base.BaseOperation.list(BaseOperation.java:621) ~[kubernetes-client-4.9.0.jar!/:na]
    at io.fabric8.kubernetes.client.dsl.base.BaseOperation.list(BaseOperation.java:70) ~[kubernetes-client-4.9.0.jar!/:na]
    at io.syndesis.connector.kafka.KafkaMetaDataRetrieval.fetchProperties(KafkaMetaDataRetrieval.java:105) ~[connector-kafka-1.11.0-20200922.jar!/:1.11.0-20200922]
    at io.syndesis.connector.meta.v1.ConnectorEndpoint.properties(ConnectorEndpoint.java:74) [classes!/:1.11.0-20200922]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_201]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_201]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_201]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_201]
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167) [resteasy-core-4.5.6.Final.jar!/:4.5.6.Final]
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130) [resteasy-core-4.5.6.Final.jar!/:4.5.6.Final]
    at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:638) [resteasy-core-4.5.6.Final.jar!/:4.5.6.Final]
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:504) [resteasy-core-4.5.6.Final.jar!/:4.5.6.Final]
    at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:454) [resteasy-core-4.5.6.Final.jar!/:4.5.6.Final]
    ...
{code}

For Public API: Public Oauth Proxy is not deployed successfully after the PublicApi is enabled in CR. There is an error in the syndesis-public-oauthproxy pod:
{code:java}
2020/09/23 12:31:12 provider.go:290: Delegation of authentication and authorization to OpenShift is enabled for bearer tokens and client certificates.
2020/09/23 12:31:12 main.go:138: Invalid configuration: unable to load OpenShift configuration: unable to retrieve authentication information for tokens: tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:mkralik:syndesis-public-oauthproxy" cannot create tokenreviews.authentication.k8s.io at the cluster scope: no RBAC policy matched
{code}

When users use the --cluster flag during installation (grant phase), ClusterRoleBindings (syndesis-server--kafka and syndesis--auth-delegator) are created. In that case, Kafka Autodiscovery and PublicOauthProxy work as before.
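
The scope rule behind both denials, as an added example that is not part of the original issue or of the Syndesis code base: it parses the two "cannot ... at the cluster scope" messages quoted above and checks each request against a simplified model of a RoleBinding and of a ClusterRoleBinding. The names `Binding`, `allows` and `diagnose` are hypothetical, and the rule inside each binding is assumed to contain exactly the denied verb and resource.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Shape of the API-server denial quoted in both logs above.
DENIAL = re.compile(
    r'User "(?P<user>system:serviceaccount:(?P<ns>[^:"]+):[^"]+)" cannot '
    r'(?P<verb>\w+) (?P<resource>[\w.]+) at the cluster scope')
# TokenReview is not a namespaced resource, so no namespace can scope it.
CLUSTER_SCOPED = {"tokenreviews.authentication.k8s.io"}

@dataclass(frozen=True)
class Binding:
    kind: str                 # "RoleBinding" or "ClusterRoleBinding"
    namespace: Optional[str]  # set only for a RoleBinding
    subject: str
    verb: str
    resource: str             # "<plural>.<group>", as printed in the denial

def allows(b, user, verb, resource, namespace):
    """namespace=None is a cluster-scope request (list across all namespaces)."""
    if (b.subject, b.verb, b.resource) != (user, verb, resource):
        return False
    if b.kind == "ClusterRoleBinding":
        return True
    if resource in CLUSTER_SCOPED:
        namespace = None
    # A RoleBinding grants its rules only inside its own namespace.
    return namespace is not None and namespace == b.namespace

def diagnose(line, kind):
    """Parse a denial; test it against a binding of `kind` (rule content assumed)."""
    m = DENIAL.search(line)
    if m is None:
        return None
    user, ns, verb, res = m["user"], m["ns"], m["verb"], m["resource"]
    b = Binding(kind, ns if kind == "RoleBinding" else None, user, verb, res)
    return {"user": user, "verb": verb, "resource": res,
            "cluster_scope": allows(b, user, verb, res, None),
            "own_namespace": allows(b, user, verb, res, ns)}

# Constructed input: the denial sentences copied from the two logs above.
KAFKA = ('User "system:serviceaccount:mkralik2:syndesis-server" cannot list '
         'kafkas.kafka.strimzi.io at the cluster scope: no RBAC policy matched.')
PROXY = ('User "system:serviceaccount:mkralik:syndesis-public-oauthproxy" cannot '
         'create tokenreviews.authentication.k8s.io at the cluster scope')

if __name__ == "__main__":
    for kind in ("RoleBinding", "ClusterRoleBinding"):
        print(kind, diagnose(KAFKA, kind), diagnose(PROXY, kind))
```

In this model the Kafka list succeeds under a RoleBinding only when it is limited to the service account's own namespace, while the tokenreviews call fails under any RoleBinding because the resource has no namespace.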