Pelorus Operator v0.0.3 is broken on the RBAC permissions. #849

Closed
mpryc opened this issue Mar 2, 2023 · 5 comments


mpryc commented Mar 2, 2023

Pelorus Operator version 0.0.3, available in the OpenShift community marketplace, is broken. It does install fine, but while trying to create a pelorus instance it gives this error:

        failed to install release: rendered manifests contain a resource that
        already exists. Unable to continue with install: could not get
        information about the resource ClusterRoleBinding "pelorus-grafana" in
        namespace "": clusterrolebindings.rbac.authorization.k8s.io
        "pelorus-grafana" is forbidden: User
        "system:serviceaccount:pelorus:pelorus-operator-controller-manager"
        cannot get resource "clusterrolebindings" in API group
        "rbac.authorization.k8s.io" at the cluster scope

This is due to the wrong RBAC rules within the CSV for the Pelorus project. They were created using operator-sdk, but it looks like operator-sdk generates very different RBAC rules when it has access to the OCP cluster (via export KUBECONFIG or oc login) than when it does not.

The difference between the rules:
Without being logged in, we have these additional fields (ignoring all the other fields, as the file is pretty long and does not have the same order of RBAC privs):

      clusterPermissions:
      - rules:
        - apiGroups:
          - ""
          resources:
          - pods
          - services
          - services/finalizers
          - endpoints
          - persistentvolumeclaims
          - events
          - configmaps
          - secrets
          verbs:
          - create
          - delete
          - get
          - list
          - patch
          - update
          - watch
        - apiGroups:
          - apps
          resources:
          - deployments
          - daemonsets
          - replicasets
          - statefulsets
          verbs:
          - create
          - delete
          - get
          - list
          - patch
          - update
          - watch

With being logged in, we have these additional fields (ignoring all the other fields, as the file is pretty long and does not have the same order of RBAC privs):

      clusterPermissions:
      - rules:
        - apiGroups:
          - rbac.authorization.k8s.io
          resources:
          - clusterrolebindings
          - clusterroles
          verbs:
          - '*'
        - apiGroups:
          - rbac.authorization.k8s.io
          resources:
          - rolebindings
          - roles
          verbs:
          - '*'
        - apiGroups:
          - apps.openshift.io
          resources:
          - deploymentconfigs
          verbs:
          - '*'
        - apiGroups:
          - integreatly.org
          resources:
          - grafanadashboards
          - grafanadatasources
          - grafanas
          verbs:
          - '*'
        - apiGroups:
          - image.openshift.io
          resources:
          - imagestreams
          verbs:
          - '*'
        - apiGroups:
          - monitoring.coreos.com
          resources:
          - prometheuses
          - prometheusrules
          - servicemonitors
          verbs:
          - '*'
        - apiGroups:
          - route.openshift.io
          resources:
          - routes
          verbs:
          - '*'
        - apiGroups:
          - ""
          resources:
          - configmaps
          - secrets
          - serviceaccounts
          - services
          verbs:
          - '*'
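As an added illustration (not Pelorus project code), the script below normalises two clusterPermissions rule lists into (apiGroup, resource, verb) grants, independent of rule order, and answers the exact question in the error above: may the operator's service account `get` `clusterrolebindings` in `rbac.authorization.k8s.io`? The two rule lists are a subset transcribed from the fragments quoted above, written as JSON (a YAML subset) so the script needs no PyYAML.

```python
"""Added example (not Pelorus project code): compare CSV clusterPermissions
rule sets order-independently and check a concrete RBAC request."""
import json

# Subset of the rules rendered WITHOUT cluster access (transcribed from the issue).
WITHOUT_LOGIN = json.loads("""[
 {"apiGroups": [""], "resources": ["pods", "services", "configmaps", "secrets"],
  "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
 {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets"],
  "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]}
]""")

# Subset of the rules rendered WITH cluster access (transcribed from the issue).
WITH_LOGIN = json.loads("""[
 {"apiGroups": ["rbac.authorization.k8s.io"],
  "resources": ["clusterrolebindings", "clusterroles"], "verbs": ["*"]},
 {"apiGroups": ["integreatly.org"],
  "resources": ["grafanadashboards", "grafanas"], "verbs": ["*"]},
 {"apiGroups": [""], "resources": ["configmaps", "secrets", "serviceaccounts", "services"],
  "verbs": ["*"]}
]""")

ALL_VERBS = ("get", "list", "watch", "create", "update", "patch", "delete")


def permits(rules, verb, api_group, resource):
    """RBAC semantics: a request is allowed if ANY rule matches all three fields;
    '*' in a field matches anything. The core API group is the empty string."""
    def matches(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return any(matches(r["apiGroups"], api_group) and matches(r["resources"], resource)
               and matches(r["verbs"], verb) for r in rules)


def missing_grants(base, other, verbs=ALL_VERBS):
    """Grants (apiGroup, resource, verb) that `other` allows but `base` does not.
    Works on sets, so differing rule order in the two CSVs does not matter."""
    wanted = {(g, res, v) for r in other for g in r["apiGroups"] for res in r["resources"]
              for v in (verbs if "*" in r["verbs"] else r["verbs"])}
    return sorted(t for t in wanted if not permits(base, t[2], t[0], t[1]))


if __name__ == "__main__":
    # The request the error message says was forbidden for the operator's service account.
    request = ("get", "rbac.authorization.k8s.io", "clusterrolebindings")
    print("permitted without login:", permits(WITHOUT_LOGIN, *request))  # False
    print("permitted with login:   ", permits(WITH_LOGIN, *request))     # True
    for grant in missing_grants(WITHOUT_LOGIN, WITH_LOGIN):
        print("not granted by the broken CSV:", grant)
```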
@mpryc mpryc self-assigned this Mar 2, 2023
mpryc added a commit to mpryc/pelorus that referenced this issue Mar 2, 2023


Current version of pelorus-operator 0.0.3 is broken, we need
to create new release 0.0.4 to fix the issue as in the dora-metrics#849.
@mateusoliveira43 mateusoliveira43 pinned this issue Mar 2, 2023
mpryc added a commit to mpryc/pelorus that referenced this issue Mar 2, 2023


Current version of pelorus-operator 0.0.3 is broken, we need
to create new release 0.0.4 to fix the issue as in the dora-metrics#849.

Signed-off-by: Michal Pryc <mpryc@redhat.com>
@mpryc mpryc closed this as completed in 3ee9fac Mar 2, 2023
@mateusoliveira43

Needs to be updated in the OCP catalog to close it


mpryc commented Mar 2, 2023

The problem is also with the imagestream tags which are pointing to stable:

We need to test the fix, however currently there are some problems installing operators from the marketplace.

diff --git a/pelorus-operator/helm-charts/pelorus/subcharts/exporters/templates/_deploymentconfig.yaml b/pelorus-operator/helm-charts/pelorus/subcharts/exporters/templates/_deploymentconfig.yaml
index 092c20e..9567d36 100644
--- a/pelorus-operator/helm-charts/pelorus/subcharts/exporters/templates/_deploymentconfig.yaml
+++ b/pelorus-operator/helm-charts/pelorus/subcharts/exporters/templates/_deploymentconfig.yaml
@@ -60,7 +60,7 @@ spec:
 
             {{- if and (not .source_ref) (not .source_url) }}
             - name: PELORUS_IMAGE_TAG
-              value: {{ .app_name }}:{{ .image_tag | default "stable" }}
+              value: {{ .app_name }}:{{ .image_tag | default "v2.0.7" }}
             {{- end }}
 
             {{- if .extraEnv }}
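Review bot: the new default in `value: {{ .app_name }}:{{ .image_tag | default "v2.0.7" }}` is a literal that this patch repeats in the ImageChange trigger of the same template and again in _imagestream.yaml, so every release bump means editing three places in two files, and a missed one leaves PELORUS_IMAGE_TAG and the trigger pointing at different tags. Put the default in the chart's values (one `image_tag` default) and have each template read it.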
@@ -90,7 +90,7 @@ spec:
         {{- if or .source_ref .source_url }}
         name: {{ .app_name }}:latest
         {{- else }}
-        name: {{ .app_name }}:{{ .image_tag | default "stable" }}
+        name: {{ .app_name }}:{{ .image_tag | default "v2.0.7" }}
         {{- end }}
     type: ImageChange
 {{- end }}
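Review bot: the `{{- if or .source_ref .source_url }}` branch still points the ImageChange trigger at `{{ .app_name }}:latest`, a floating tag, while the default branch is now pinned to v2.0.7; the asymmetry is deliberate for source builds but deserves a template comment so nobody assumes the source-build path is pinned too.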
diff --git a/pelorus-operator/helm-charts/pelorus/subcharts/exporters/templates/_imagestream.yaml b/pelorus-operator/helm-charts/pelorus/subcharts/exporters/templates/_imagestream.yaml
index aafabfb..5c12332 100644
--- a/pelorus-operator/helm-charts/pelorus/subcharts/exporters/templates/_imagestream.yaml
+++ b/pelorus-operator/helm-charts/pelorus/subcharts/exporters/templates/_imagestream.yaml
@@ -6,5 +6,5 @@ metadata:
   labels:
     app.kubernetes.io/name: {{ .app_name }}
     app: {{ .app_name }}
-  name: {{ .app_name }}
+  name: {{ .app_name }}:{{ .image_tag | default "v2.0.7" }}
 {{- end }}
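Review bot: `name: {{ .app_name }}:{{ .image_tag | default "v2.0.7" }}` sets an ImageStream's metadata.name to a value containing ':', which OpenShift rejects for ImageStream names; a tag belongs under the stream's spec.tags (or in the trigger's `from.name`, as in the DeploymentConfig hunks above), not in metadata.name. Keep `name: {{ .app_name }}` here and make sure the referenced tag exists on the stream.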


mpryc commented Mar 3, 2023

Pelorus Operator 0.0.4, which contains the fix, was merged; here are some notes on what we missed in 0.0.3.

  1. During our pelorus-operator creation using ./scripts/create_pelorus_operator there needs to be a working OCP cluster, and we need to be logged in to that cluster or have KUBECONFIG in our environment variables; otherwise operator-sdk will create wrong RBAC entries.

  2. The dependent operators must be installed in the cluster from the previous point, so that operator-sdk knows about the custom CRDs while creating RBAC entries for them!

  3. After creating a test operator, we must store it for testing in a separate quay.io organization. Each time we test the operator we must bump the version in that test organization. So let's say we want to create our next version, 0.0.4, in the pelorus quay.io org. Steps we would want to take:

  • change our ./scripts/create_pelorus_operator to point to our OPERATOR_ORG_NAME=
  • create pelorus-operator and pelorus-operator-bundle repositories in our quay.io account
  • log in to that account in the terminal with podman login
  • create the 0.0.4 operator using the -v option passed to our create_pelorus_operator script
  • make podman-build && make bundle-build from the operator directory
  • make podman-push && make bundle-push from the operator directory
  • Ensure the cluster does have a pelorus namespace and that the pelorus operator, grafana operator and prometheus operator, together with previous instances, are not there.
  • Test the operator by running: operator-sdk run bundle quay.io/<YOUR_ORG_NAME>/pelorus-operator-bundle:v0.0.4 --namespace pelorus
  4. If the operator is not working, you need to create the next version, e.g. 0.0.5, in your org and:
  • operator-sdk cleanup pelorus-operator --namespace pelorus
  • operator-sdk run bundle quay.io/<YOUR_ORG_NAME>/pelorus-operator-bundle:v0.0.5 --namespace pelorus
  • Do not recreate the same image tag, as OpenShift caches the tags and you will end up testing the wrong operator.
  5. Once you are happy with the changes, create the operator from the sources pointing to the pelorus ORG and propose the files from that operator to the marketplace.

@mateusoliveira43

Pelorus Operator 0.0.4 was released and fixes the problem, but 0.0.3 is broken. Please update to version 0.0.4.


mpryc commented Mar 3, 2023

Closing. The operator 0.0.4 fixes the issue found in 0.0.3. PR #851 contains a screenshot of the running pods from the deployment to confirm it's fixed.

@weshayutin weshayutin unpinned this issue Mar 13, 2023