Project Quay / PROJQUAY-1784

Quay deployment failed when operator was installed in a single OCP namespace

      Description:

      This issue was found when deploying the Quay 3.5 operator under a single OCP namespace: deploying a QuayRegistry then failed with the error message "sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:224: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:quay350:quay-operator" cannot list resource "namespaces" in API group "" at the cluster scope". See the following logs from the Quay Operator pod.

      Note: this issue can't be reproduced when the Quay operator is installed for all OCP namespaces.

      2021-03-25T03:23:53.904Z INFO controllers.QuayRegistry begin reconcile {"quayregistry": "quay350/quayaws3"}
      2021-03-25T03:23:53.904Z INFO controllers.QuayRegistry begin reconcile {"quayregistry": "quay350/quayaws3"}
      2021-03-25T03:23:54.005Z INFO controllers.QuayRegistry successfully retrieved referenced `configBundleSecret` {"quayregistry": "quay350/quayaws3", "configBundleSecret": "test-config-bundle", "resourceVersion": "58625"}
      2021-03-25T03:23:54.030Z INFO controllers.QuayRegistry cluster supports `Routes` API
      2021-03-25T03:23:54.631Z INFO controllers.QuayRegistry detected router canonical hostname: apps.quay-fips-604.qe.devcluster.openshift.com
      2021-03-25T03:23:57.403Z INFO controllers.QuayRegistry cluster does not support `ObjectBucketClaim` API
      2021-03-25T03:23:57.504Z INFO controllers.QuayRegistry cluster supports `ServiceMonitor` API
      2021-03-25T03:23:57.604Z INFO controllers.QuayRegistry cluster supports `PrometheusRules` API
      E0325 03:23:57.606592       1 reflector.go:153] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:224: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:quay350:quay-operator" cannot list resource "namespaces" in API group "" at the cluster scope
      E0325 03:23:58.608506       1 reflector.go:153] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:224: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:quay350:quay-operator" cannot list resource "namespaces" in API group "" at the cluster scope
      E0325 03:23:59.610578       1 reflector.go:153] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:224: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:quay350:quay-operator" cannot list resource "namespaces" in API group "" at the cluster scope
      E0325 03:24:00.684047       1 reflector.go:153] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:224: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:quay350:quay-operator" cannot list resource "namespaces" in API group "" at the cluster scope
      E0325 03:24:01.687003       1 reflector.go:153] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:224: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:quay350:quay-operator" cannot list resource "namespaces" in API group "" at the cluster scope
      

      Quay Operator Version:

      oc get pod -n openshift-operators
      NAME                                    READY   STATUS    RESTARTS   AGE
      quay-operator.v3.5.0-5fcc69495c-nbl75   1/1     Running   0          28m
      
      oc get pod quay-operator.v3.5.0-5fcc69495c-nbl75  -n openshift-operators -o json | jq '.spec.containers[0].image'
      "registry.redhat.io/quay/quay-operator-rhel8@sha256:eecc51864da39abaa48ae8568592c2c6cf2fa5a8d908f9b2e13f58c238d9e19c"
      
      

      Index image:

      Index image v4.7: registry-proxy.engineering.redhat.com/rh-osbs/iib:59430

      QuayRegistry CR:

      apiVersion: quay.redhat.com/v1
      kind: QuayRegistry
      metadata:
        name: quayaws3
      spec:
        configBundleSecret: test-config-bundle
        components:
          - kind: objectstorage
            managed: false
      

      Quay config bundle:

      SUPER_USERS:
        - quay
        - admin
      DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS:
        - default
      DISTRIBUTED_STORAGE_PREFERENCE:
        - default
      DISTRIBUTED_STORAGE_CONFIG:
        default:
          - S3Storage
          - s3_bucket: quayv3400
            storage_path: /quaydata
            s3_access_key: ***
            s3_secret_key: ***
            host: s3.us-east-2.amazonaws.com
      

      Steps:

      1. Deploy Quay 3.4.5 Operator under single OCP Namespace
      2. Create quay config bundle secret, see above
      3. Create new quayRegistry under target OCP namespace

      Expected Results:

      Quay was deployed successfully.

      Actual Results:

      Quay deployment failed.


          People

            rhn-coreos-amerdler Alec Merdler (Inactive)
            lzha1981 luffy zhang
            Dongbo Yan Dongbo Yan
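
Added example, not part of the original report or of the Quay operator's code: a small triage script that pulls Kubernetes RBAC denials out of operator logs like the one above, groups the repeats, and builds the matching `oc auth can-i` check for each one. The sample log is constructed from lines quoted in the report; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: one INFO line plus three of the reflector errors from the report.
SAMPLE_LOG = '''\
2021-03-25T03:23:57.604Z INFO controllers.QuayRegistry cluster supports `PrometheusRules` API
E0325 03:23:57.606592       1 reflector.go:153] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:224: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:quay350:quay-operator" cannot list resource "namespaces" in API group "" at the cluster scope
E0325 03:23:58.608506       1 reflector.go:153] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:224: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:quay350:quay-operator" cannot list resource "namespaces" in API group "" at the cluster scope
E0325 03:23:59.610578       1 reflector.go:153] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:224: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:quay350:quay-operator" cannot list resource "namespaces" in API group "" at the cluster scope
'''

# Shape of the API server's "forbidden" message; the scope is either
# cluster-wide or a single named namespace.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)


def rbac_denials(log_text):
    """Count distinct denials as (user, verb, resource, group, namespace).

    namespace is None for a cluster-scope denial. Matching runs over the whole
    text, so entries that were pasted together on one line are still found.
    """
    counts = Counter()
    for m in DENIAL.finditer(log_text):
        key = (m["user"], m["verb"], m["resource"], m["group"], m["namespace"])
        counts[key] += 1
    return counts


def can_i_command(denial):
    """Build the `oc auth can-i` check that confirms the missing permission."""
    user, verb, resource, group, namespace = denial
    target = f"{resource}.{group}" if group else resource
    scope = f" -n {namespace}" if namespace else ""
    return f"oc auth can-i {verb} {target} --as={user}{scope}"


if __name__ == "__main__":
    for denial, hits in rbac_denials(SAMPLE_LOG).items():
        where = denial[4] or "cluster scope"
        print(f"{hits}x {denial[0]} cannot {denial[1]} {denial[2]} ({where})")
        print("  verify with:", can_i_command(denial))
```

A cluster-scope denial for a service account in a namespace-scoped install, as here, means the process is requesting a cluster-wide list that its namespaced permissions do not cover.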