Uploaded image for project: 'Red Hat Fuse'
  1. Red Hat Fuse
  2. ENTESB-14596

More Syndesis are not able to be installed at the same time

XMLWordPrintable

    • % %
    • build3
    • Hide

      Install two syndesis at the same time on OCP 4.x.
      Reproducer script:

      docker run --entrypoint bash syndesis/syndesis-operator:1.11.0-20200903 -c "cat /usr/local/bin/syndesis-operator" > ./syndesis-operator
      chmod +x ./syndesis-operator
      wget https://raw.githubusercontent.com/syndesisio/fuse-online-install/1.11.x/default-cr.yml
      
      oc new-project syndesis
      oc new-project syndesis2
      
      ./syndesis-operator install cluster
      
      ./syndesis-operator grant -u developer -n syndesis
      ./syndesis-operator grant -u developer -n syndesis2
      
      ./syndesis-operator install operator -n syndesis
      ./syndesis-operator install operator -n syndesis2
      
      ./syndesis-operator install app -n syndesis --custom-resource ./default-cr.yml
      ./syndesis-operator install app -n syndesis2 --custom-resource ./default-cr.yml
      
      

      After that, in one namespace (syndesis or syndesis2) will be missing syndesis-jaeger pod and in the syndesis-operator will be following error:

      E0903 10:49:00.542035       1 reflector.go:178] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:224: Failed to list *v1.PackageManifest: packagemanifests.packages.operators.coreos.com is forbidden: User "system:serviceaccount:syndesis:syndesis-operator" cannot list resource "packagemanifests" in API group "packages.operators.coreos.com" in the namespace "syndesis"
      
      
      Show
      Install two syndesis at the same time on OCP 4.x. Reproducer script: docker run --entrypoint bash syndesis/syndesis- operator :1.11.0-20200903 -c "cat /usr/local/bin/syndesis- operator " > ./syndesis- operator chmod +x ./syndesis- operator wget https: //raw.githubusercontent.com/syndesisio/fuse-online-install/1.11.x/ default -cr.yml oc new -project syndesis oc new -project syndesis2 ./syndesis- operator install cluster ./syndesis- operator grant -u developer -n syndesis ./syndesis- operator grant -u developer -n syndesis2 ./syndesis- operator install operator -n syndesis ./syndesis- operator install operator -n syndesis2 ./syndesis- operator install app -n syndesis --custom-resource ./ default -cr.yml ./syndesis- operator install app -n syndesis2 --custom-resource ./ default -cr.yml After that, in one namespace (syndesis or syndesis2) will be missing syndesis-jaeger pod and in the syndesis-operator will be following error: E0903 10:49:00.542035 1 reflector.go:178] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:224: Failed to list *v1.PackageManifest: packagemanifests.packages.operators.coreos.com is forbidden: User "system:serviceaccount:syndesis:syndesis- operator " cannot list resource "packagemanifests" in API group "packages.operators.coreos.com" in the namespace "syndesis"

      During the test running, we noticed a problem when two Syndesis is installing at the same time. The syndesis-jaeger pod in one namespace is not able to appear and the operator pod has the following error in the log:

      E0903 10:49:00.542035       1 reflector.go:178] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:224: Failed to list *v1.PackageManifest: packagemanifests.packages.operators.coreos.com is forbidden: User "system:serviceaccount:syndesis:syndesis-operator" cannot list resource "packagemanifests" in API group "packages.operators.coreos.com" in the namespace "syndesis"
      

      When I have tried to install two syndesis sequentially, everything works.

      Probably the issue is caused by `syndesis-operator:install-olm` clusterrolebindings which contains information about one namespace but both syndesis installations are writing to it at the same time.

      - apiVersion: rbac.authorization.k8s.io/v1                                                               
        kind: ClusterRoleBinding                                                               
        metadata:                                                               
          labels:                                                               
            app: syndesis                                                               
            syndesis.io/app: syndesis                                                               
            syndesis.io/component: syndesis-operator                                                               
            syndesis.io/type: operator                                                               
          name: syndesis-operator:install-olm                                                               
        subjects:                                                               
        - kind: ServiceAccount                                                               
          name: syndesis-operator                                                               
          namespace: {{ .Namespace }}  
      

      Maybe if both installations create their own closterrolebindings (e.g. syndesis-<namespace>-operator:install-olm), the issue will be gone.

              parichar@redhat.com Paul Richardson
              mkralik@redhat.com Matej Kralik
              Matej Kralik Matej Kralik
              Votes:
              1 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: