Bug
Resolution: Done
https://github.com/ansible-collections/kubernetes.core/issues/623
- SUMMARY
We have a role to create/delete Openshift projects that has been working fine for many Ansible releases. But when attempting to upgrade to Ansible 7, it suddenly fails when attempting to create a new project. The Openshift project API is very confusing, and not idempotent, but this used to work. To create an Openshift project, a user must CREATE a ProjectRequest, which will make the cluster create a new Project (Namespace). This may only happen once, and a user is not allowed to modify (PATCH) any of the project resources.
With Ansible 7, the attempt to create the project fails with the following error (example):
```
TASK [openshift_project : Create ProjectRequest] *******************************
fatal: [kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com]: FAILED! => changed=false
  msg: 'Failed to patch object: b''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"projectrequests.project.openshift.io \\"kafka-rev-ansible-7-g5cfyt\\" is forbidden: User \\"system:serviceaccount:kafka:gitlab\\" cannot patch resource \\"projectrequests\\" in API group \\"project.openshift.io\\" at the cluster scope","reason":"Forbidden","details": {"name":"kafka-rev-ansible-7-g5cfyt","group":"project.openshift.io","kind":"projectrequests"},"code":403}\n'''
  reason: Forbidden
```
- ISSUE TYPE
- Bug Report
- COMPONENT NAME
`kubernetes.core.k8s`
- ANSIBLE VERSION
```
ansible [core 2.14.5]
  config file = None
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.11/site-packages/ansible
  ansible collection location = /home/ansible/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.11.3 (main, May 4 2023, 05:53:32) [GCC 10.2.1 20210110] (/usr/local/bin/python)
  jinja version = 3.1.2
  libyaml = True
```
- COLLECTION VERSION
```
# /usr/local/lib/python3.11/site-packages/ansible_collections
Collection      Version
--------------- -------
kubernetes.core 2.4.0
```
- CONFIGURATION
```
ANSIBLE_FORCE_COLOR(env: ANSIBLE_FORCE_COLOR) = True
CONFIG_FILE() = None
DEFAULT_HOST_LIST(env: ANSIBLE_INVENTORY) = ['/builds/kafka/provisioning/k8s/inventories/review.yml']
DEFAULT_LOAD_CALLBACK_PLUGINS(env: ANSIBLE_LOAD_CALLBACK_PLUGINS) = True
DEFAULT_ROLES_PATH(env: ANSIBLE_ROLES_PATH) = ['/builds/kafka/provisioning/k8s/roles']
DEFAULT_STDOUT_CALLBACK(env: ANSIBLE_STDOUT_CALLBACK) = yaml
HOST_KEY_CHECKING(env: ANSIBLE_HOST_KEY_CHECKING) = False
INTERPRETER_PYTHON(env: ANSIBLE_PYTHON_INTERPRETER) = auto
```
- OS / ENVIRONMENT
N/A
- STEPS TO REPRODUCE
Pre-requirements: An Openshift cluster with `self-provisioner` access. The project/namespace that we attempt to create must NOT already exist.
```yaml
- name: Create ProjectRequest
  kubernetes.core.k8s:
    api_version: project.openshift.io/v1
    kind: ProjectRequest
    name: "{{ kubernetes_namespace }}"
    resource_definition:
      description: "{{ kubernetes_namespace_description }}"
      displayName: "{{ kubernetes_namespace_display_name }}"
```
- EXPECTED RESULTS
The project request is CREATED in the Openshift API without error.
- ACTUAL RESULTS
The attempt to create the project request fails with error (example): `msg: 'Failed to patch object: b''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"projectrequests.project.openshift.io \\"kafka-rev-ansible-7-g5cfyt\\" is forbidden: User \\"system:serviceaccount:kafka:gitlab\\" cannot patch resource \\"projectrequests\\" in API group \\"project.openshift.io\\" at the cluster scope","reason":"Forbidden","details": {"name":"kafka-rev-ansible-7-g5cfyt","group":"project.openshift.io","kind":"projectrequests"},"code":403}\n''' reason: Forbidden`. *Note*: the project is actually created by this failing task.
```
TASK [openshift_project : Create ProjectRequest] *******************************
task path: /builds/kafka/provisioning/k8s/roles/openshift_project/tasks/main.yml:37
redirecting (type: filter) ansible.builtin.json_query to community.general.json_query
<kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> ESTABLISH LOCAL CONNECTION FOR USER: ansible
<kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> EXEC /bin/sh -c 'echo ~ansible && sleep 0'
<kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/ansible/.ansible/tmp `"&& mkdir "` echo /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677 `" && echo ansible-tmp-1684583776.8747976-142-179954988027677="` echo /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677 `" ) && sleep 0'
Loading collection cloud.common from /usr/local/lib/python3.11/site-packages/ansible_collections/cloud/common
Using module file /usr/local/lib/python3.11/site-packages/ansible_collections/kubernetes/core/plugins/modules/k8s.py
<kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> PUT /home/ansible/.ansible/tmp/ansible-local-96xec_0y7q/tmp9_a4lciu TO /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677/AnsiballZ_k8s.py
<kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> EXEC /bin/sh -c 'chmod u+x /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677/ /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677/AnsiballZ_k8s.py && sleep 0'
<kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> EXEC /bin/sh -c '/usr/bin/python3 /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677/AnsiballZ_k8s.py && sleep 0'
<kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> EXEC /bin/sh -c 'rm -f -r /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/tmp/ansible_kubernetes.core.k8s_payload__jodf5af/ansible_kubernetes.core.k8s_payload.zip/ansible_collections/kubernetes/core/plugins/module_utils/k8s/runner.py", line 68, in run_module
    result = perform_action(svc, definition, module.params)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/ansible_kubernetes.core.k8s_payload__jodf5af/ansible_kubernetes.core.k8s_payload.zip/ansible_collections/kubernetes/core/plugins/module_utils/k8s/runner.py", line 159, in perform_action
    instance = svc.update(resource, definition, existing)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/ansible_kubernetes.core.k8s_payload__jodf5af/ansible_kubernetes.core.k8s_payload.zip/ansible_collections/kubernetes/core/plugins/module_utils/k8s/service.py", line 426, in update
    raise exception
  File "/tmp/ansible_kubernetes.core.k8s_payload__jodf5af/ansible_kubernetes.core.k8s_payload.zip/ansible_collections/kubernetes/core/plugins/module_utils/k8s/service.py", line 413, in update
    k8s_obj = self.patch_resource(
              ^^^^^^^^^^^^^^^^^^^^
  File "/tmp/ansible_kubernetes.core.k8s_payload__jodf5af/ansible_kubernetes.core.k8s_payload.zip/ansible_collections/kubernetes/core/plugins/module_utils/k8s/service.py", line 165, in patch_resource
    raise CoreException(msg) from e
fatal: [kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com]: FAILED! => changed=false
  invocation:
    module_args:
      api_key: VALUE_SPECIFIED_IN_NO_LOG_PARAMETER
      api_version: project.openshift.io/v1
      append_hash: false
      apply: false
      ca_cert: null
      client_cert: null
      client_key: null
      context: null
      continue_on_error: false
      delete_options: null
      force: false
      generate_name: null
      host: https://api.stas-test.mycompany.com
      impersonate_groups: null
      impersonate_user: null
      kind: ProjectRequest
      kubeconfig: null
      label_selectors: null
      merge_type: null
      name: kafka-rev-ansible-7-g5cfyt
      namespace: kafka-rev-ansible-7-g5cfyt
      no_proxy: null
      password: null
      persist_config: null
      proxy: null
      proxy_headers: null
      resource_definition:
        apiVersion: project.openshift.io/v1
        description: ''
        displayName: ''
        kind: ProjectRequest
        metadata:
          name: kafka-rev-ansible-7-g5cfyt
          namespace: kafka-rev-ansible-7-g5cfyt
      server_side_apply: null
      src: null
      state: present
      template: null
      username: null
      validate: null
      validate_certs: null
      wait: false
      wait_condition: null
      wait_sleep: 5
      wait_timeout: 120
  msg: 'Failed to patch object: b''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"projectrequests.project.openshift.io \\"kafka-rev-ansible-7-g5cfyt\\" is forbidden: User \\"system:serviceaccount:kafka:gitlab\\" cannot patch resource \\"projectrequests\\" in API group \\"project.openshift.io\\" at the cluster scope","reason":"Forbidden","details": {"name":"kafka-rev-ansible-7-g5cfyt","group":"project.openshift.io","kind":"projectrequests"},"code":403}\n'''
  reason: Forbidden
PLAY RECAP *********************************************************************
kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com : ok=1 changed=0 unreachable=0 failed=1 skipped=2 rescued=0 ignored=0
localhost : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
```
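
An added example, not part of the original report or of the collection's code: a small Python parser that extracts the Kubernetes `Status` object from a module `msg` like the one above and reports which user was denied which verb on which resource. The function names and the `create_only_misuse` flag are hypothetical, and the sample string is constructed from the error shown in the report.

```python
import ast
import json
import re

# Constructed sample: the module's msg string, rebuilt from the error in the report.
SAMPLE_MSG = (
    "Failed to patch object: b'"
    r'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure",'
    r'"message":"projectrequests.project.openshift.io \\"kafka-rev-ansible-7-g5cfyt\\" '
    r'is forbidden: User \\"system:serviceaccount:kafka:gitlab\\" cannot patch '
    r'resource \\"projectrequests\\" in API group \\"project.openshift.io\\" '
    r'at the cluster scope","reason":"Forbidden","details":{"name":'
    r'"kafka-rev-ansible-7-g5cfyt","group":"project.openshift.io",'
    r'"kind":"projectrequests"},"code":403}\n'
    "'"
)

DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
)

def parse_status(msg):
    """Return the Kubernetes Status dict embedded in a module msg, or None."""
    literal = re.search(r"b'.*'", msg, re.S)  # the bytes repr wrapping the API body
    if literal is None:
        return None
    try:
        body = ast.literal_eval(literal.group(0))  # literals only; never eval() log text
        status = json.loads(body)
    except (ValueError, SyntaxError):
        return None
    ok = isinstance(status, dict) and status.get("kind") == "Status"
    return status if ok else None

def explain_denial(msg):
    """For a 403 Status, return who was denied which verb on which resource."""
    status = parse_status(msg)
    if status is None or status.get("code") != 403:
        return None
    match = DENIAL.search(status.get("message", ""))
    if match is None:
        return None
    denial = match.groupdict()
    # Hypothetical triage flag: the report says ProjectRequest can only be created,
    # so a denied patch/update suggests the client took its update path.
    mutating = denial["verb"] in ("patch", "update")
    denial["create_only_misuse"] = denial["resource"] == "projectrequests" and mutating
    return denial
```

Calling `explain_denial(SAMPLE_MSG)` returns the service account, the denied verb `patch`, the resource and API group, which separates "the module tried to modify a create-only resource" from "the account is missing `self-provisioner`".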