CNTRLPLANE-71: update cao to manage rolebindingrestriction crd #748
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
openshift-merge-robot
added
the
needs-rebase
everettraven
force-pushed
the
feature/manage-rbrs
branch
from
8e0b413 to
78efc35
Compare
everettraven
force-pushed
the
feature/manage-rbrs
branch
2 times, most recently
from
7727139 to
990efd5
Compare
openshift-merge-robot
removed
the
needs-rebase
everettraven
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@everettraven: This pull request references CNTRLPLANE-71 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
/retest |
everettraven
force-pushed
the
feature/manage-rbrs
branch
from
3b82ddc to
d9bdc61
Compare
|
After some testing in conjunction with openshift/api#2138 , it does appear that the /hold |
openshift-ci
bot
added
the
do-not-merge/hold
everettraven
force-pushed
the
feature/manage-rbrs
branch
from
43fe0be to
d6cffc8
Compare
|
@everettraven: This pull request references CNTRLPLANE-71 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
After testing with some related PRs, this PR should be ready to go. Removing the hold. Tested standing up a cluster with this PR and openshift/installer#9424 as well as this PR, openshift/installer#9424, and openshift/api#2138 /hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
everettraven
force-pushed
the
feature/manage-rbrs
branch
2 times, most recently
from
c3d08c0 to
0449aa4
Compare
everettraven
force-pushed
the
feature/manage-rbrs
branch
2 times, most recently
from
a660be5 to
7364ff4
Compare
so that it can be added to the set of resources managed by the staticresourcecontroller. Signed-off-by: Bryce Palmer <[email protected]>
… and keep it up to date Signed-off-by: Bryce Palmer <[email protected]>
Signed-off-by: Bryce Palmer <[email protected]>
Signed-off-by: Bryce Palmer <[email protected]>
everettraven
force-pushed
the
feature/manage-rbrs
branch
from
7364ff4 to
8985ed6
Compare
| @@ -15,7 +15,7 @@ include $(addprefix ./vendor/github.com/openshift/build-machinery-go/make/, \ | |||
| # | |||
| # Example: | |||
| # make check | |||
| check: | verify test-unit | |||
| check: | verify verify-bindata test-unit | |||
There was a problem hiding this comment.
Just to make sure -- CI will run check which means that bindata will also be verified, and in case there's a diff between the api copy and the local copy, we'll get a failed test, right?
There was a problem hiding this comment.
Looking at https://github.com/openshift/release/blob/master/ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-master.yaml I don't actually think check is run in CI explicitly, but I added this here since it seemed like a natural fit.
I'll plan to add a new CI check to run this make target today (although it will fail until this PR is merged).
There was a problem hiding this comment.
Created openshift/release#61456 to add verify-bindata as an explicit CI check
|
/lgtm |
to add the rolebindingrestriction crd as a bootstrap manifest Signed-off-by: Bryce Palmer <[email protected]>
everettraven
force-pushed
the
feature/manage-rbrs
branch
from
8985ed6 to
2dc36e0
Compare
|
/retest |
|
/retest-required |
|
@everettraven: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/retest-required |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: everettraven, liouk The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
openshift-merge-bot
bot
merged commit 8664bab
into
openshift:master
|
[ART PR BUILD NOTIFIER] Distgit: ose-cluster-authentication-operator |
Description
Updates the cluster-authentication-operator to manage the
RoleBindingRestrictionCRD.More specifically, this PR:
authorization.openshift.io/RoleBindingRestrictionCRD manifest from https://github.com/openshift/apiRoleBindingRestrictionCRD manifests to thebindata/directory so the manifest can be embedded into the binary using the embed FS.bindata/directory is up to dateRoleBindingRestrictionCRD manifest inbindata/is up to date based on the latest vendored manifest.oauth-openshift/authorization.openshift.io_rolebindingrestrictions.yamlfile to the list of manifest files managed by the static resource controllerrendersubcommand to be used by the openshift installer during bootstrapping because theRoleBindingRestrictionCRD is required during bootstrapping. Without it, theauthorization.openshift.io/RestrictSubjectBindingsadmission plugin will reject creation ofsystem:*RoleBindings during the installation process.Motivation
Update the cluster-authentication-operator to manage the
RoleBindingRestrictionCRD, as outlined in openshift/enhancements#1726, to allow for this CRD to be removed from the cluster when the oauth stack is no longer desired.