OpenShift Pipelines / SRVKP-4492

[1.14.4] - reconcile a namespace again with missing rolebinding


    • Story
    • Resolution: Done
    • Critical
    • Pipelines 1.14.4
    • Operator
    • SECFLOWOTL-129 - Better Error Handling for Non-Critical Issues in Namespace Installations by operator
    • This Jira tracks a fix for the case where the rolebinding `pipelines-scc-rolebinding` is deleted or missing: the TektonConfig controller should keep reconciling.

      https://github.com/tektoncd/operator/blob/8f8f425e1fa75ffdad726b56fba21bcdab803440/pkg/reconciler/openshift/tektonconfig/rbac.go#L260C1-L266C1

       

              // Now we're left with namespaces that have already been reconciled.
              // We must make sure that the default SCC is in force via the ClusterRole.
              sccRoleBinding, err := r.kubeClientSet.RbacV1().RoleBindings(ns.Name).Get(ctx, pipelinesSCCRoleBinding, metav1.GetOptions{})
              if err != nil {
                  return nil, err
              }
       

      In this section, we return an error if a "reconciled" namespace does not have the `pipelines-scc-rolebinding`. The check acts as a verification, but the error leads to a false TektonConfig and a blocked reconcile loop, and hence a broken operator installation.

      piyushgarg001 has suggested that, in this code snippet, if the rolebinding does not exist we should add the namespace back to reconciliation instead of bluntly returning the error; this keeps the operator from being blocked.
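
A sketch of the suggested behaviour, added here as an illustration and not taken from the operator's code or from the fix that was merged. The names `namespacesToReconcile`, `rbGetter` and `errNotFound` are hypothetical, and a function value stands in for the Kubernetes client so the example runs without a cluster.

```go
package main

import (
	"errors"
	"fmt"
)

// errNotFound stands in for a Kubernetes 404; real code would test the error
// with apierrors.IsNotFound from k8s.io/apimachinery/pkg/api/errors.
var errNotFound = errors.New("rolebinding not found")

// rbGetter is a hypothetical stand-in for the RoleBindings(ns).Get call.
type rbGetter func(namespace, name string) error

const pipelinesSCCRoleBinding = "pipelines-scc-rolebinding"

// namespacesToReconcile returns the namespaces needing a full reconcile: those
// not yet reconciled, plus reconciled ones whose SCC rolebinding is gone.
func namespacesToReconcile(all []string, reconciled map[string]bool, get rbGetter) ([]string, error) {
	var todo []string
	for _, ns := range all {
		if !reconciled[ns] {
			todo = append(todo, ns)
			continue
		}
		err := get(ns, pipelinesSCCRoleBinding)
		switch {
		case err == nil: // binding present, nothing to redo
		case errors.Is(err, errNotFound):
			// Missing binding: queue the namespace again instead of failing.
			todo = append(todo, ns)
		default:
			// Any other error still surfaces to the caller.
			return nil, fmt.Errorf("get %s in %s: %w", pipelinesSCCRoleBinding, ns, err)
		}
	}
	return todo, nil
}

func main() {
	// Constructed cluster state: "b" was reconciled but lost its rolebinding.
	get := func(ns, _ string) error {
		if ns == "b" {
			return errNotFound
		}
		return nil
	}
	fmt.Println(namespacesToReconcile([]string{"a", "b", "c"}, map[string]bool{"a": true, "b": true}, get))
}
```

Only the not-found case is downgraded to a requeue; other API errors are still returned, so a genuine failure to read the SCC rolebinding is not silently ignored.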

              jkhelil abdeljawed khelil
              concaf Shubham Minglani
              Piyush Garg Piyush Garg