Getting error on removing che addon
coolbrg opened this issue · 6 comments
We are getting following error in removing che addon:
$ minishift addons remove che
-- Removing addon 'che':
[CHE] Removing Che server Template.
[CHE] Removing mini-che project..error: unable to find target [developer]
Error removing the add-on: Error executing command 'oc adm policy remove-role-from-user system:image-builder developer -n openshift'.
Not sure what happened in recent time, but it was working fine before.
Also, it would be great if we have che integration test #104. Then we can easily catch these sort of issue in nightly job https://ci.centos.org/job/minishift-addons-nightly-b2d
See https://issues.jboss.org/browse/CDK-287
/cc @garagatyi, @l0rd @sunix
@budhrg How much time given between the apply command and remove command. Not sure if you had enabled it.
How much time given between the apply command and remove command. Not sure if you had enabled it.
10mins and tried with a little time gap in apply and remove.
Any update here @garagatyi, @l0rd @sunix ?
@budhrg, @LalatenduMohanty
I have looked on this and found the oc command has problem listing roles:
[agajdosi@dhcp-24-156 minishift]$ oc adm policy remove-role-from-user system:image-builder developer -n openshift
Error from server (Forbidden): rolebindings.authorization.openshift.io is forbidden: User "developer" cannot list rolebindings.authorization.openshift.io in the namespace "openshift": User "developer" cannot list rolebindings.authorization.openshift.io in project "openshift"
So I have added --as system:admin to see how that goes, but even that command failed:
[agajdosi@dhcp-24-156 minishift]$ oc adm policy remove-role-from-user system:image-builder developer -n openshift --as system:admin
error: unable to find target [developer]
Seems that user developer does not have that role assigned in namespace openshift, thus it cannot be removed. This is negative also from oc get rolebindings:
[agajdosi@dhcp-24-156 minishift]$ oc get rolebindings --as system:admin
NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS
shared-resource-viewers openshift/shared-resource-viewer system:authenticated
system:deployers /system:deployer deployer
system:image-builders /system:image-builder builder
system:image-pullers /system:image-puller system:serviceaccounts:openshift
Also since d13aaa6 when the oc adm policy remove-role-from-user system:image-builder developer -n openshift command in remove was introduced I do not see any oc adm policy add-role-to-user which is done in openshift namespace.
The only role adding command in Che addon is done in mini-che namespace:
oc adm policy add-role-to-user admin developer -n #{NAMESPACE}
When I add the developer user to the role before addon removal, the removal goes well.
I thus believe the command oc adm policy remove-role-from-user system:image-builder developer -n openshift --as system:admin is extra here and could be removed. @garagatyi, @l0rd @sunix could you please confirm or give me a hint what I am missing? Would like to fix the issue.
EDIT: command might be needed for another version of Che, going to try.
EDIT2: situation for Che 5 is the same, looks like no need for removal of role.