Re-running pipelines in the OpenShift UI picks up default SA instead of the one last used
Closed this issue · 2 comments
Problem:
I have my own service account that I deploy to OpenShift along with the pipeline components. When I try and run the pipeline from the UI, there is no way to specify the service account I want to use and when I re-run an existing pipeline, the service account that was previously used for it, gets changed to the default service account.
Expected:
- Be asked to specify service account to use, similar to how you are asked for the parameter values, when selecting
Starton a pipeline on thePipelinespage. - Use the last specified service account when selecting
Rerunon a pipeline on thePipeline Runspage or when selectingStart Last Runon a pipeline on thePipelinespage.
Steps to Reproduce:
- Install the OpenShift Pipelines Operator from OperatorHub.
- Create a project called
test-pipelines. - Deploy the following resources:
apiVersion: v1
kind: ServiceAccount
metadata:
name: test-service-account
namespace: test-pipelines
---
apiVersion: tekton.dev/v1alpha1
kind: Pipeline
metadata:
name: test-pipeline
namespace: test-pipelines
spec:
params:
- name: message
description: The message to echo
tasks:
- name: echo-message
taskRef:
name: echo
params:
- name: message
value: "$(params.message)"
---
apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
name: echo
namespace: test-pipelines
spec:
inputs:
params:
- name: message
description: The message to echo
steps:
- name: output-message
image: bash
command: ["bash", "-c"]
args:
- echo -e '$(inputs.params.message)'- When you try and run it from the UI, it will use the default service account.
- Deploy the pipelinerun from CLI:
apiVersion: tekton.dev/v1alpha1
kind: PipelineRun
metadata:
generateName: run-deploy-pipeline-
namespace: test-pipelines
spec:
serviceAccountName: test-service-account
pipelineRef:
name: test-pipeline
params:
- name: message
value: "Hello World!"- This will use the specified service account as expected.
- Re-run this pipeline from the UI.
- You will see in the
YAMLpage, that the service account is changed to the default one.
Versions:
OpenShift: 4.3.0
OpenShift Pipelines Operator: 0.10.7
Hi @Cottonglow
I investigated the issue you're having and I believe I understand where the issue is at. On the plus side, it appears to already been addressed. It might be in 4.3.1 but based on the Bugzilla logged (BZ 1788201) the automated reporting tool says it is in 4.3.2 (RHBA-2020:0492).
For posterity (and if you're curious) the issue is a result of the OpenShift Pipeline Operator 0.9.x (Tekton Pipelines 0.9.0 Release Notes) deprecating the PipelineRun spec.serviceAccount in favour of the spec.serviceAccountName you're using in your examples. Due to timing reasons, our 4.3.0 client side fix for this change didn't make it in for 4.3.0 GA and went in shortly after into a bug fix release. Essentially what is happening at a code-level is we are not properly copying your serviceAccountName over and the Operator is filling in the lack of one with the default service account.
Sorry for the inconvenience this has caused. Hopefully this is of some help and you can upgrade your OpenShift version to get the fix.
If you have any further inquiries regarding this, please let me know.
I think we can close this issue as it seems to have a resolution. If you have any questions or concerns about this @Cottonglow please don't hesitate to reply here or create a new issue.
Thanks!