Uploaded image for project: 'Red Hat Fuse'
  1. Red Hat Fuse
  2. ENTESB-14780

After replacing ClusterRoleBindings to RoleBindings, Kafka autodiscovery and PublicAPI don't work

    XMLWordPrintable

Details

    • Bug
    • Status: Done
    • Blocker
    • Resolution: Done
    • fuse-7.8-GA
    • fuse-7.8-GA
    • Fuse Online

    Description

      After replacing ClusterRoleBindings to RoleBindings, Kafka autodiscovery and PublicAPI don't work.

      After this PR https://github.com/syndesisio/syndesis/pull/9052/commits/f7cd153d495bd2a7e1f189786f4438c46b513aab, by default, there are created only RoleBindings (instead of ClusterRoleBindings) for Kafka and PublicOauthProxy ( syndesis-server-<namespace>-kafka and syndesis-<namespace>-auth-delegator). That causes these features doesn't work.

      For Kafka:
      During creating Kafka connection, there is an exception in the syndesis-meta

      2020-09-23 11:28:00.237  WARN 1 --- [  XNIO-1 task-1] i.s.c.kafka.KafkaMetaDataRetrieval       : Couldn't auto discover any kafka broker.
      io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://172.30.0.1/apis/kafka.strimzi.io/v1beta1/kafkas. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. kafkas.kafka.strimzi.io is forbidden: User "system:serviceaccount:mkralik2:syndesis-server" cannot list kafkas.kafka.strimzi.io at the cluster scope: no RBAC policy matched.
      	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:568) ~[kubernetes-client-4.9.0.jar!/:na]
      	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:505) ~[kubernetes-client-4.9.0.jar!/:na]
      	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:471) ~[kubernetes-client-4.9.0.jar!/:na]
      	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:430) ~[kubernetes-client-4.9.0.jar!/:na]
      	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:412) ~[kubernetes-client-4.9.0.jar!/:na]
      	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.listRequestHelper(BaseOperation.java:151) ~[kubernetes-client-4.9.0.jar!/:na]
      	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.list(BaseOperation.java:621) ~[kubernetes-client-4.9.0.jar!/:na]
      	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.list(BaseOperation.java:70) ~[kubernetes-client-4.9.0.jar!/:na]
      	at io.syndesis.connector.kafka.KafkaMetaDataRetrieval.fetchProperties(KafkaMetaDataRetrieval.java:105) ~[connector-kafka-1.11.0-20200922.jar!/:1.11.0-20200922]
      	at io.syndesis.connector.meta.v1.ConnectorEndpoint.properties(ConnectorEndpoint.java:74) [classes!/:1.11.0-20200922]
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_201]
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_201]
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_201]
      	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_201]
      	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167) [resteasy-core-4.5.6.Final.jar!/:4.5.6.Final]
      	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130) [resteasy-core-4.5.6.Final.jar!/:4.5.6.Final]
      	at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:638) [resteasy-core-4.5.6.Final.jar!/:4.5.6.Final]
      	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:504) [resteasy-core-4.5.6.Final.jar!/:4.5.6.Final]
      	at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:454) [resteasy-core-4.5.6.Final.jar!/:4.5.6.Final]
      ...
      

      For Public API:
      Public Oauth Proxy is not deployed successfully after the PublicApi is enabled in CR. There is and error in the syndesis-public-oauthproxy pod:

      2020/09/23 12:31:12 provider.go:290: Delegation of authentication and authorization to OpenShift is enabled for bearer tokens and client certificates.
      2020/09/23 12:31:12 main.go:138: Invalid configuration:
        unable to load OpenShift configuration: unable to retrieve authentication information for tokens: tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:mkralik:syndesis-public-oauthproxy" cannot create tokenreviews.authentication.k8s.io at the cluster scope: no RBAC policy matched
      

      When users use `--cluster` flag during installation (grant phase), they are created ClusterRoleBindings ( syndesis-server-<namespace>-kafka and syndesis-<namespace>-auth-delegator). In that case, Kafka Autodiscovery and PublicOauthProxy work as before.

      Attachments

        Issue Links

          Activity

            People

              parichar@redhat.com Paul Richardson
              mkralik@redhat.com Matej Kralik
              Matej Kralik Matej Kralik
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: