CNTRLPLANE-194: add auth-api-bootstrap stage to bootkube.sh template #9424
Conversation
|
Skipping CI for Draft Pull Request. |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
everettraven
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@everettraven: This pull request references CNTRLPLANE-194 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@everettraven: This pull request references CNTRLPLANE-194 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
everettraven
force-pushed
the
feature/auth-bootstrapping
branch
from
a47868c to
7613c38
Compare
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
Can't merge until openshift/cluster-authentication-operator#748 has merged first. /hold |
openshift-ci
bot
added
the
do-not-merge/hold
everettraven
force-pushed
the
feature/auth-bootstrapping
branch
from
7613c38 to
cc1703c
Compare
|
/lgtm |
|
/approve If you could update your commit message according to our guidelines that would be great: https://github.com/openshift/installer/blob/main/CONTRIBUTING.md#commit-message-format The text of your PR description should work well. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: patrickdillon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
using the cluster-authentication-operator render subcommand to render the RoleBindingRestriction CRD to the set of bootstrap manifests. Signed-off-by: Bryce Palmer <[email protected]>
everettraven
force-pushed
the
feature/auth-bootstrapping
branch
from
cc1703c to
9d0ac16
Compare
|
@patrickdillon I updated the commit message and added some flags that we recently added in https://github.com/openshift/cluster-authentication-operator/pull/748/files#diff-9169c482883c2b2e5f4038e6cd3c2505765da290271b6c1c01c5dc847266e59bR31-R38 This PR should still be held until the cluster-authentication-operator PR merges, but feel free to let me know if anything else needs any further updates. Thanks! |
|
/lgtm |
|
/hold cancel /retest |
openshift-ci
bot
removed
the
do-not-merge/hold
|
@everettraven: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
openshift-merge-bot
bot
merged commit d9bef36
into
openshift:main
| render \ | ||
| --asset-output-dir=/assets/auth-api-bootstrap/manifests \ | ||
| --rendered-manifest-dir=/assets/manifests \ | ||
| --cluster-profile=${CLUSTER_PROFILE_ANNOTATION} \ |
There was a problem hiding this comment.
This seems to breaks nightlies:
Feb 24 08:13:18 ip-10-0-103-202 bootkube.sh[124202]: Rendering auth api manifests...
Feb 24 08:13:18 ip-10-0-103-202 bootkube.sh[124202]: /usr/local/bin/bootkube.sh: line 134: CLUSTER_PROFILE_ANNOTATION: unbound variable
Feb 24 08:13:18 ip-10-0-103-202 systemd[1]: bootkube.service: Main process exited, code=exited, status=1/FAILURE
Description
Adds a new bootstrapping stage for the cluster-authentication-operator to render the
RoleBindingRestrictionCRD to the set of bootstrap manifests.Motivation
We are working on moving the management of the
RoleBindingRestrictionCRD to the cluster-authentication-operator instead of it being managed by CVO as outlined in openshift/enhancements#1726. TheRoleBindingRestrictionCRD is required in the bootstrapping manifests as theauthorization.openshift.io/RestrictSubjectBindingsadmission plugin will reject creation ofsystem:*RoleBinding resources during the installation process if theRoleBindingRestrictionAPI does not exist.I did some testing to ensure that we can gradually transition ownership without clashing with CVO by merging, in order: