Changing ASB configuration should not be a requirement

Question

Changing ASB configuration should not be a requirement

Opened this issue 6 years ago · 1 comments

Currently a manual step at cluster scope is required in order to have Che provisioned correctly: Ansible Service Broker should be configured with openshift sandbox_role set to admin.

This makes Che installation harder and impossible in some cases.

To get rid of this manual step we could have OpenShift teams to default sandbox_role to admin. This is what this issue is about openshift/openshift-ansible#9231

If this won't work we should look at

why we need a RoleBinding with role_ref_kind: ClusterRole instead of role_ref_kind: Role and
if sandbox_role set to edit would be enough to create a RoleBindings with role_ref_kind: Role

Answer 1 · 2018-07-30T12:28:54.000Z

After the discussions on openshift/openshift-ansible#9231 we can conclude that we cannot get rid of a manual step when installing Che using the ansible service broker.

But rather than asking users to change the configuration of the ASB as indicated today in the README (that has an effect on the whole cluster) we should rather ask users to manually create the ServiceAccount and RoleBinding. That is something that can be done before or after the provisioning of the APB if we set ignore_errors: yes for the RoleBinding creation step.

Summarizing this issue subtasks are:

Set ignore_errors: yes for the RoleBinding creation step
Update the docker image tagged latest to make sure that we don't need to switch to the canary stream
Update README: instead of change ASB configuration admins should manually create the RoleBinding