rgw: fix blockOwnerDeletion error #9441

Merged
merged 1 commit into from Dec 17, 2021

@crd1985 crd1985 commented Dec 16, 2021

See https://sdk.operatorframework.io/docs/faqs/ for further reference

Signed-off-by: Daniel Ruiz Capilla crd1985@gmail.com

Description of your changes:
This PR adds a missing role to allow the object controller to update the finalizers section in OBC and OB. Otherwise, an error like `secrets \"my-bucket\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on:` is thrown in the operator log.

This error is raised when the plugin OwnerReferencesPermissionEnforcement is enabled (OKD 4.8 on bare metal in my use case).

See https://sdk.operatorframework.io/docs/faqs/#after-deploying-my-operator-why-do-i-see-errors-like-is-forbidden-cannot-set-blockownerdeletion-if-an-ownerreference-refers-to-a-resource-you-cant-set-finalizers-on- for further reference.

Which issue is resolved by this Pull Request:
Resolves #

Checklist:

  • Commit Message Formatting: Commit titles and messages follow guidelines in the developer guide.
  • Skip Tests for Docs: Add the flag for skipping the build if this is only a documentation change. See here for the flag.
  • Skip Unrelated Tests: Add a flag to run tests for a specific storage provider. See test options.
  • Reviewed the developer guide on Submitting a Pull Request
  • Documentation has been updated, if necessary.
  • Unit tests have been added, if necessary.
  • Integration tests have been added, if necessary.
  • Pending release notes updated with breaking and/or notable changes, if necessary.
  • Upgrade from previous release is tested and upgrade user guide is updated, if necessary.
  • Code generation (make codegen) has been run to update object specifications, if necessary.

This restores the missing permissions to allow the object controller to
update the finalizers section in the spec. See https://sdk.operatorframework.io/docs/faqs/

Signed-off-by: Daniel Ruiz Capilla <crd1985@gmail.com>
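
The condition behind the error in the description, as an added example (not code from this PR or from Rook): the OwnerReferencesPermissionEnforcement admission plugin lets a client set blockOwnerDeletion only when it has `update` on the `finalizers` subresource of the referenced owner, and this Go check applies that test to a role's rules. `PolicyRule` is a local stand-in type, the sample role is constructed, and the `update` verb on the finalizers rule is an assumption because the rule's verbs are not shown on this page.

```go
package main

import "fmt"

// PolicyRule is a local stand-in for the k8s.io/api/rbac/v1 type (example only).
type PolicyRule struct{ APIGroups, Resources, Verbs []string }

// has reports whether list contains want or the RBAC wildcard "*".
func has(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// canUpdateFinalizers: does any rule grant "update" on <resource>/finalizers, which
// OwnerReferencesPermissionEnforcement requires to set blockOwnerDeletion?
func canUpdateFinalizers(rules []PolicyRule, group, resource string) bool {
	for _, r := range rules {
		if has(r.APIGroups, group) && has(r.Verbs, "update") &&
			(has(r.Resources, resource+"/finalizers") || has(r.Resources, "*/finalizers")) {
			return true
		}
	}
	return false
}

// missingFinalizerGrants lists owner resources for which the role lacks that grant.
func missingFinalizerGrants(rules []PolicyRule, group string, owners []string) []string {
	var missing []string
	for _, o := range owners {
		if !canUpdateFinalizers(rules, group, o) {
			missing = append(missing, o)
		}
	}
	return missing
}

func main() {
	g, u := []string{"objectbucket.io"}, []string{"update"}
	// Constructed role: status-only rule first; the finalizers rule's verb is assumed.
	role := []PolicyRule{{g, []string{"objectbucketclaims/status", "objectbuckets/status"}, u}}
	owners := []string{"objectbucketclaims", "objectbuckets"}
	fmt.Println("before:", missingFinalizerGrants(role, g[0], owners))
	role = append(role, PolicyRule{g, []string{"objectbucketclaims/finalizers", "objectbuckets/finalizers"}, u})
	fmt.Println("after: ", missingFinalizerGrants(role, g[0], owners))
}
```

A grant on `objectbucketclaims/status` does not cover `objectbucketclaims/finalizers`: each subresource has to be named, or matched by `*` or `*/finalizers`.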

@thotz thotz left a comment

The change looks clean to me.

@@ -464,6 +464,11 @@ rules:
verbs:
# OBC controller updates OBC and OB statuses
- update
- apiGroups: ["objectbucket.io"]
resources: ["objectbucketclaims/finalizers", "objectbuckets/finalizers"]
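
Review bot: the visible part of the new rule ends at `resources: ["objectbucketclaims/finalizers", "objectbuckets/finalizers"]`, so its verbs cannot be checked from this excerpt; they should be limited to `update`, as in the status rule above, with no wider verbs added. The new rule would also benefit from a comment in the style of `# OBC controller updates OBC and OB statuses`, stating that the finalizers grant exists so the OBC controller can set blockOwnerDeletion on owner references when OwnerReferencesPermissionEnforcement is enabled.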
Member

How about if you add these two resources to line 463 above instead of creating a new api group?

Member

IMO, even though it's more lines of config, I think it reads better to have these be separate sections. That way, finalizers are independent of status if anything needs to change in the future. Generally speaking, I think this will help keep the permissions more minimal in the long-term.

Contributor Author

Same thoughts for me as @BlaineEXE, but I can change it however you decide it's better. Let me know if you still think it's better to recombine the two api groups.

Member

It's functionally the same, so I'm fine going with this for now.

@travisn travisn merged commit 4c45856 into rook:master Dec 17, 2021
satoru-takeuchi added a commit that referenced this pull request Dec 20, 2021
ceph: fix blockOwnerDeletion error (backport #9441)
@travisn travisn changed the title ceph: fix blockOwnerDeletion error rgw: fix blockOwnerDeletion error Jan 6, 2022