OCP issue with "operator-tls" secret creation
Closed this issue · 2 comments
On OCP, when the operator attempts to create the operator-tls secret, the following error is observed (this is after adding necessary SCCs and istio-cni NetworkAttachmentDefinitions to allow it to get this far). This does not occur on AKS, EKS, or K3D in my experience.
I0726 14:46:07.152013 1 csr.go:215] Certificate successfully fetched, creating secret with Private key and Certificate
E0726 14:46:07.153792 1 operator.go:247] Unexpected error during the creation of the secret/operator-tls: secrets "operator-tls" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>
I0726 14:46:07.153807 1 operator.go:105] Waiting for the operator certificates to be issued secrets "operator-tls" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>
The ownerReference section of this secret on a working cluster:
    ownerReferences:
    - apiVersion: apps/v1
      kind: Deployment
      name: minio-operator
      uid: 87867a2b-2b89-49cc-acee-76eac6ac4af8
      controller: true
      blockOwnerDeletion: true
So if I understand correctly, the owner of the secret is the minio-operator deployment, which OCP doesn't like because finalizers cannot be set on deployments? Not sure if the solution is as simple as setting the blockOwnerDeletion value to false instead, but wanted to put this out there in case others have run into it or have ideas.
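The error text above is the one returned by the Kubernetes OwnerReferencesPermissionEnforcement admission plugin (enabled by default on OpenShift), which accepts blockOwnerDeletion only from a requester allowed to update the finalizers subresource of the referenced owner. The following is an added example, not code from this issue or from the MinIO operator: it checks a set of RBAC rules for that permission. The PolicyRule type, the function names and the sample rules are constructed for illustration, and resourceNames restrictions are not modelled.

```go
package main

import "fmt"

// PolicyRule keeps the three fields of an rbac.authorization.k8s.io/v1 rule used here.
type PolicyRule struct {
	APIGroups, Resources, Verbs []string
}

// has reports whether list contains want or the RBAC wildcard "*".
func has(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// CanBlockOwnerDeletion reports whether rules grant "update" on <resource>/finalizers
// in apiGroup: the permission the admission plugin requires before it accepts
// blockOwnerDeletion: true on an ownerReference pointing at that resource.
func CanBlockOwnerDeletion(rules []PolicyRule, apiGroup, resource string) bool {
	for _, r := range rules {
		if !has(r.APIGroups, apiGroup) || !has(r.Verbs, "update") {
			continue
		}
		// A subresource must be named explicitly ("deployments/finalizers"),
		// via "*/finalizers", or via "*"; plain "deployments" does not cover it.
		if has(r.Resources, resource+"/finalizers") || has(r.Resources, "*/finalizers") {
			return true
		}
	}
	return false
}

// Constructed sample rules (not the operator's real ClusterRole).
var before = []PolicyRule{
	{APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"get", "create"}},
	{APIGroups: []string{"apps"}, Resources: []string{"deployments"}, Verbs: []string{"get", "update"}},
}

// after adds the one rule that satisfies the check for an apps/v1 Deployment owner.
var after = append(before[:2:2], PolicyRule{
	APIGroups: []string{"apps"}, Resources: []string{"deployments/finalizers"}, Verbs: []string{"update"}})

func main() {
	fmt.Println("before:", CanBlockOwnerDeletion(before, "apps", "deployments")) // false
	fmt.Println("after: ", CanBlockOwnerDeletion(after, "apps", "deployments"))  // true
}
```

On a live cluster the equivalent question can be put to the API server with `kubectl auth can-i update deployments.apps/finalizers`, impersonating the operator's service account.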
samvongsay commented:
Marking this solved. Minio is installed on OCP without encountering this error. Confirmed by @alieberman
Issue 'OCP issue with "operator-tls" secret creation' closed from GitLab side