  1. Red Hat Fuse
  2. ENTESB-14780

After replacing ClusterRoleBindings with RoleBindings, Kafka autodiscovery and PublicAPI don't work


Details

    Description

      After replacing ClusterRoleBindings with RoleBindings, Kafka autodiscovery and PublicAPI don't work.

      After this PR https://github.com/syndesisio/syndesis/pull/9052/commits/f7cd153d495bd2a7e1f189786f4438c46b513aab, only RoleBindings (instead of ClusterRoleBindings) are created by default for Kafka and PublicOauthProxy (syndesis-server-<namespace>-kafka and syndesis-<namespace>-auth-delegator). As a result, these features don't work.

      For Kafka:
      While creating a Kafka connection, there is an exception in syndesis-meta:

      2020-09-23 11:28:00.237  WARN 1 --- [  XNIO-1 task-1] i.s.c.kafka.KafkaMetaDataRetrieval       : Couldn't auto discover any kafka broker.
      io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://172.30.0.1/apis/kafka.strimzi.io/v1beta1/kafkas. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. kafkas.kafka.strimzi.io is forbidden: User "system:serviceaccount:mkralik2:syndesis-server" cannot list kafkas.kafka.strimzi.io at the cluster scope: no RBAC policy matched.
      	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:568) ~[kubernetes-client-4.9.0.jar!/:na]
      	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:505) ~[kubernetes-client-4.9.0.jar!/:na]
      	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:471) ~[kubernetes-client-4.9.0.jar!/:na]
      	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:430) ~[kubernetes-client-4.9.0.jar!/:na]
      	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:412) ~[kubernetes-client-4.9.0.jar!/:na]
      	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.listRequestHelper(BaseOperation.java:151) ~[kubernetes-client-4.9.0.jar!/:na]
      	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.list(BaseOperation.java:621) ~[kubernetes-client-4.9.0.jar!/:na]
      	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.list(BaseOperation.java:70) ~[kubernetes-client-4.9.0.jar!/:na]
      	at io.syndesis.connector.kafka.KafkaMetaDataRetrieval.fetchProperties(KafkaMetaDataRetrieval.java:105) ~[connector-kafka-1.11.0-20200922.jar!/:1.11.0-20200922]
      	at io.syndesis.connector.meta.v1.ConnectorEndpoint.properties(ConnectorEndpoint.java:74) [classes!/:1.11.0-20200922]
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_201]
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_201]
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_201]
      	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_201]
      	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167) [resteasy-core-4.5.6.Final.jar!/:4.5.6.Final]
      	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130) [resteasy-core-4.5.6.Final.jar!/:4.5.6.Final]
      	at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:638) [resteasy-core-4.5.6.Final.jar!/:4.5.6.Final]
      	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:504) [resteasy-core-4.5.6.Final.jar!/:4.5.6.Final]
      	at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:454) [resteasy-core-4.5.6.Final.jar!/:4.5.6.Final]
      ...
      

      For Public API:
      Public Oauth Proxy is not deployed successfully after the PublicApi is enabled in the CR. There is an error in the syndesis-public-oauthproxy pod:

      2020/09/23 12:31:12 provider.go:290: Delegation of authentication and authorization to OpenShift is enabled for bearer tokens and client certificates.
      2020/09/23 12:31:12 main.go:138: Invalid configuration:
        unable to load OpenShift configuration: unable to retrieve authentication information for tokens: tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:mkralik:syndesis-public-oauthproxy" cannot create tokenreviews.authentication.k8s.io at the cluster scope: no RBAC policy matched
      

      When users use the `--cluster` flag during installation (grant phase), ClusterRoleBindings (syndesis-server-<namespace>-kafka and syndesis-<namespace>-auth-delegator) are created. In that case, Kafka Autodiscovery and PublicOauthProxy work as before.
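The two denials above follow from how Kubernetes RBAC scopes bindings: a RoleBinding only covers requests made inside its own namespace, so a cluster-scope request never matches it. The sketch below is an added example, not Syndesis or Kubernetes code; it parses the two messages from the logs and evaluates them against a simplified authorizer. The rule contents are assumptions read off the messages, and a namespaced request is modelled too, which goes beyond the two cases reported here.

```python
import re
from dataclasses import dataclass

# Shape of the denial text in the two log excerpts above.
DENIED = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" cannot '
    r'(?P<verb>\w+) (?P<resource>[\w.-]+) at the cluster scope')

@dataclass(frozen=True)
class Binding:
    kind: str         # "RoleBinding" or "ClusterRoleBinding"
    namespace: str    # namespace holding a RoleBinding; "" for a ClusterRoleBinding
    subject: str      # "<namespace>:<serviceaccount>"
    rules: frozenset  # (verb, "resource.group") pairs of the referenced role

def parse_denial(line):
    """Turn a 'cannot ... at the cluster scope' message into a request dict."""
    m = DENIED.search(line)
    if m is None:
        return None
    return {"subject": f"{m['ns']}:{m['sa']}", "verb": m["verb"],
            "resource": m["resource"], "namespace": ""}  # "" = cluster scope

def authorize(req, bindings):
    """Simplified RBAC: a RoleBinding only covers requests inside its namespace."""
    for b in bindings:
        if b.subject != req["subject"] or (req["verb"], req["resource"]) not in b.rules:
            continue
        in_ns = bool(req["namespace"]) and req["namespace"] == b.namespace
        if b.kind == "ClusterRoleBinding" or in_ns:
            return True
    return False

# Messages copied from the logs above (shortened to the denial itself).
KAFKA = ('User "system:serviceaccount:mkralik2:syndesis-server" cannot list '
         'kafkas.kafka.strimzi.io at the cluster scope: no RBAC policy matched.')
PROXY = ('User "system:serviceaccount:mkralik:syndesis-public-oauthproxy" cannot create '
         'tokenreviews.authentication.k8s.io at the cluster scope: no RBAC policy matched')

def bindings(kind):
    """Both grants as one kind of binding; rule contents are assumed from the messages."""
    grants = [("mkralik2:syndesis-server", ("list", "kafkas.kafka.strimzi.io")),
              ("mkralik:syndesis-public-oauthproxy", ("create", "tokenreviews.authentication.k8s.io"))]
    return [Binding(kind, s.split(":")[0] if kind == "RoleBinding" else "", s, frozenset({r}))
            for s, r in grants]

def outcome(kind):
    """Allowed/denied for the two logged requests under one binding kind."""
    return [authorize(parse_denial(line), bindings(kind)) for line in (KAFKA, PROXY)]

print({k: outcome(k) for k in ("RoleBinding", "ClusterRoleBinding")})
```

In this model the Kafka list request would be allowed under the RoleBinding if it were made inside the mkralik2 namespace.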

            People

              parichar@redhat.com Paul Richardson
              mkralik@redhat.com Matej Kralik
              Matej Kralik Matej Kralik