- Bug
- Resolution: Done
- Blocker
- fuse-7.8-GA
- build5
- Automated
After replacing ClusterRoleBindings with RoleBindings, Kafka autodiscovery and PublicAPI don't work.

After this PR https://github.com/syndesisio/syndesis/pull/9052/commits/f7cd153d495bd2a7e1f189786f4438c46b513aab, only RoleBindings (instead of ClusterRoleBindings) are created by default for Kafka and PublicOauthProxy (`syndesis-server-<namespace>-kafka` and `syndesis-<namespace>-auth-delegator`). As a result, these features don't work.

For Kafka:
While creating a Kafka connection, there is an exception in syndesis-meta:
```
2020-09-23 11:28:00.237 WARN 1 --- [ XNIO-1 task-1] i.s.c.kafka.KafkaMetaDataRetrieval : Couldn't auto discover any kafka broker.
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://172.30.0.1/apis/kafka.strimzi.io/v1beta1/kafkas. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. kafkas.kafka.strimzi.io is forbidden: User "system:serviceaccount:mkralik2:syndesis-server" cannot list kafkas.kafka.strimzi.io at the cluster scope: no RBAC policy matched.
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:568) ~[kubernetes-client-4.9.0.jar!/:na]
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:505) ~[kubernetes-client-4.9.0.jar!/:na]
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:471) ~[kubernetes-client-4.9.0.jar!/:na]
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:430) ~[kubernetes-client-4.9.0.jar!/:na]
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:412) ~[kubernetes-client-4.9.0.jar!/:na]
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.listRequestHelper(BaseOperation.java:151) ~[kubernetes-client-4.9.0.jar!/:na]
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.list(BaseOperation.java:621) ~[kubernetes-client-4.9.0.jar!/:na]
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.list(BaseOperation.java:70) ~[kubernetes-client-4.9.0.jar!/:na]
at io.syndesis.connector.kafka.KafkaMetaDataRetrieval.fetchProperties(KafkaMetaDataRetrieval.java:105) ~[connector-kafka-1.11.0-20200922.jar!/:1.11.0-20200922]
at io.syndesis.connector.meta.v1.ConnectorEndpoint.properties(ConnectorEndpoint.java:74) [classes!/:1.11.0-20200922]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_201]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_201]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_201]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_201]
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167) [resteasy-core-4.5.6.Final.jar!/:4.5.6.Final]
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130) [resteasy-core-4.5.6.Final.jar!/:4.5.6.Final]
at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:638) [resteasy-core-4.5.6.Final.jar!/:4.5.6.Final]
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:504) [resteasy-core-4.5.6.Final.jar!/:4.5.6.Final]
at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:454) [resteasy-core-4.5.6.Final.jar!/:4.5.6.Final]
...
```

For Public API:
Public Oauth Proxy is not deployed successfully after the PublicApi is enabled in the CR. There is an error in the syndesis-public-oauthproxy pod:
```
2020/09/23 12:31:12 provider.go:290: Delegation of authentication and authorization to OpenShift is enabled for bearer tokens and client certificates.
2020/09/23 12:31:12 main.go:138: Invalid configuration: unable to load OpenShift configuration: unable to retrieve authentication information for tokens: tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:mkralik:syndesis-public-oauthproxy" cannot create tokenreviews.authentication.k8s.io at the cluster scope: no RBAC policy matched
```

When users use the `--cluster` flag during installation (grant phase), ClusterRoleBindings (`syndesis-server-<namespace>-kafka` and `syndesis-<namespace>-auth-delegator`) are created. In that case, Kafka autodiscovery and PublicOauthProxy work as before.
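
The scope rule behind both errors, as an added example that is not Syndesis code: a simplified Python model of Kubernetes RBAC in which a RoleBinding authorizes requests only inside its own namespace. The role contents are assumed from the permissions named in the two error messages, and wildcards and role aggregation are not modeled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    kind: str       # "RoleBinding" or "ClusterRoleBinding"
    namespace: str  # namespace of a RoleBinding; "" for a ClusterRoleBinding
    subject: str    # e.g. system:serviceaccount:<ns>:<name>
    rules: tuple    # (api_group, resource, verb) triples granted by the referenced role

def allowed(bindings, subject, verb, api_group, resource, namespace=""):
    """Return True if any binding authorizes the request.

    namespace="" is a cluster-scope request: a list across all namespaces,
    or any request for a cluster-scoped resource such as tokenreviews.
    """
    for b in bindings:
        if b.subject != subject:
            continue
        # A RoleBinding grants its rules only inside its own namespace,
        # even when the role it references is a ClusterRole.
        if b.kind == "RoleBinding" and namespace != b.namespace:
            continue
        if (api_group, resource, verb) in b.rules:
            return True
    return False

# Service accounts and namespaces are taken from the two error messages above.
SERVER = "system:serviceaccount:mkralik2:syndesis-server"
PROXY = "system:serviceaccount:mkralik:syndesis-public-oauthproxy"
# Assumed role contents: only the permissions named in the errors.
KAFKA_RULES = (("kafka.strimzi.io", "kafkas", "list"),)
AUTH_RULES = (("authentication.k8s.io", "tokenreviews", "create"),)

def evaluate(kind):
    """Replay the two failing requests under one binding kind."""
    cluster = kind == "ClusterRoleBinding"
    bindings = [
        Binding(kind, "" if cluster else "mkralik2", SERVER, KAFKA_RULES),
        Binding(kind, "" if cluster else "mkralik", PROXY, AUTH_RULES),
    ]
    return {
        "list kafkas (cluster scope)": allowed(bindings, SERVER, "list", "kafka.strimzi.io", "kafkas"),
        "list kafkas (own namespace)": allowed(bindings, SERVER, "list", "kafka.strimzi.io", "kafkas", "mkralik2"),
        "create tokenreviews": allowed(bindings, PROXY, "create", "authentication.k8s.io", "tokenreviews"),
    }

if __name__ == "__main__":
    for kind in ("RoleBinding", "ClusterRoleBinding"):
        print(kind, evaluate(kind))
```

In this model the RoleBinding still allows listing kafkas inside the service account's own namespace, but denies both cluster-scope requests, which matches the "at the cluster scope" wording in the logs.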

is caused by
- ENTESB-14596 More Syndesis are not able to be installed at the same time (Done)
- ENTESB-14651 Autodiscovering Kafka works only for one Syndesis instance on the OCP at the same time (Done)