Problem Description

The install-authorino.sh script fails to install the Authorino Operator with a timeout error. The root cause is that the script unconditionally creates an OperatorGroup in the openshift-operators namespace, which conflicts with the pre-existing global-operators OperatorGroup that OpenShift creates by default.

OLM (Operator Lifecycle Manager) does not allow multiple OperatorGroups in the same namespace. When multiple OperatorGroups are detected, OLM refuses to process any subscriptions in that namespace, preventing the operator from being installed.

Error Message

[ERROR] Timeout waiting for Authorino Operator installation
[ERROR] Failed to install Authorino Operator

OLM operator logs show:

level=warning msg="fail to upgrade operator group status og=authorino-operator-group with condition Type:MultipleOperatorGroup Status:True ... Message:Multiple OperatorGroup found in the same namespace"

Steps to Reproduce

1. 1. Run the install-authorino.sh script on an OpenShift cluster
      2. Script creates authorino-operator-group in openshift-operators namespace (lines 82-89)
      3. This conflicts with the existing global-operators OperatorGroup
      4. OLM detects multiple OperatorGroups and refuses to create install plans
      5. Subscription is created but never processed
      6. Script times out after 180 seconds

Fix/Recommended Change

Modify scripts/install-authorino.sh lines 79-100 to check for existing OperatorGroups before creating a new one:

h1. Check if an OperatorGroup already exists in the namespace
local existing_og_count=$(oc get operatorgroup -n "$AUTHORINO_OPERATOR_NAMESPACE" --no-headers 2>/dev/null | wc -l | tr -d ' ')

if [ "$existing_og_count" -gt 0 ]; then
    local og_names=$(oc get operatorgroup -n "$AUTHORINO_OPERATOR_NAMESPACE" -o jsonpath='{.items[*].metadata.name}')
    echo_info "OperatorGroup(s) already exist in namespace '$AUTHORINO_OPERATOR_NAMESPACE': $og_names"
    echo_info "Skipping OperatorGroup creation (using existing)"
else
    echo_info "Creating OperatorGroup for AllNamespaces..."
    # Create OperatorGroup...
fi

Workaround

Before running the script, manually delete any duplicate OperatorGroups:

oc delete operatorgroup authorino-operator-group -n openshift-operators
oc delete subscription authorino-operator -n openshift-operators
sleep 5
h1. Then run the script

Or modify the script locally with the recommended fix before running.

Environment Information

• Repository: ros-helm-chart
• Git Branch: main
• Git Commit: 7ff078b513b7991f558e212184ed86fae3c6742d
• Affected File: scripts/install-authorino.sh (lines 79-100)
• Affected Version: IOP-POC-0.1
• Component: insights-on-prem
• OpenShift: Tested on OpenShift cluster with default global-operators OperatorGroup

Severity

Medium - The script fails completely but has a straightforward workaround. Affects initial deployment of Authorino for ROS-OCP backend authentication.