[Bug]: Operator upgrade 1.22.1 -> 1.22.2 -> 1.23.1 fails due to missing CRB #4518

tothf opened this issue May 13, 2024 · 0 comments
tothf commented May 13, 2024

Is there an existing issue already for this bug?

  • I have searched for an existing issue, and could not find anything. I believe this is a new bug.

I have read the troubleshooting guide

  • I have read the troubleshooting guide and I think this is a new bug.

I am running a supported version of CloudNativePG

  • I have read the troubleshooting guide and I think this is a new bug.

Contact Details

No response

Version

1.23.0

What version of Kubernetes are you using?

1.27

What is your Kubernetes environment?

Other

How did you install the operator?

Other

What happened?

We are running CNPG on OpenShift. We have updated a lab instance, OpenShift 4.13.25, from 1.22.2 to 1.23.1 without issues.
We have an OpenShift 4.14.17 where we had CNPG Operator 1.22.1 installed, all fine. We upgraded the instance to 1.22.2 with no issues. After that upgrade finished and all pods were up, we upgraded the operator to 1.23.1. The cluster instances did not start upgrading. We checked, and the controller-manager deployment complained that the cnpg-manager service account does not have permission to list ClusterImageCatalogs.
The reason was that the ClusterImageCatalogs access is a simple Role applied as a RoleBinding that allows only the namespace where the operator is installed.
The problem is that the ClusterImageCatalogs CRD instances are not created in any namespace but at the cluster level.
As a workaround, we have created a ClusterRole with the same ClusterImageCatalogs access (get, list, watch) and a ClusterRoleBinding for the cnpg-manager SA. Once we applied them, the upgrade completed successfully.
Sorry, the logs were purged when the upgrade succeeded, hence I cannot attach them.

Code to apply workaround:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cnpg-clusterimagecatalogs
rules:
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - postgresql.cnpg.io
    resources:
      - clusterimagecatalogs
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cnpg-clusterimagecatalogs
subjects:
  - kind: ServiceAccount
    name: cnpg-manager
    namespace: postgres
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnpg-clusterimagecatalogs

Cluster resource

No response

Relevant log output

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@tothf tothf added the triage Pending triage label May 13, 2024
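
Added example, not part of the original issue and not CloudNativePG code: a simplified Python model of RBAC evaluation showing why the same rule denies a cluster-scoped `list` when bound with a RoleBinding and allows it with the ClusterRoleBinding from the workaround. The Role name `cnpg-manager-role` is hypothetical, and the bindings are constructed from the issue's description.

```python
# Simplified model of Kubernetes RBAC evaluation (not the real authorizer).
# All objects below are constructed for illustration from the issue's description.
GROUP, RESOURCE = "postgresql.cnpg.io", "clusterimagecatalogs"
RULES = [{"apiGroups": [GROUP], "resources": [RESOURCE],
          "verbs": ["get", "list", "watch"]}]
SUBJECT = {"kind": "ServiceAccount", "name": "cnpg-manager", "namespace": "postgres"}

# Before: the rule sits in a namespaced Role bound by a RoleBinding.
BEFORE = {
    "roles": {("Role", "postgres", "cnpg-manager-role"): RULES},  # hypothetical name
    "bindings": [{"kind": "RoleBinding", "namespace": "postgres",
                  "roleRef": ("Role", "postgres", "cnpg-manager-role"),
                  "subjects": [SUBJECT]}],
}
# After: the ClusterRole and ClusterRoleBinding from the workaround.
AFTER = {
    "roles": {("ClusterRole", None, "cnpg-clusterimagecatalogs"): RULES},
    "bindings": [{"kind": "ClusterRoleBinding", "namespace": None,
                  "roleRef": ("ClusterRole", None, "cnpg-clusterimagecatalogs"),
                  "subjects": [SUBJECT]}],
}

def rule_matches(rule, group, resource, verb):
    wanted = (("apiGroups", group), ("resources", resource), ("verbs", verb))
    return all("*" in rule[key] or value in rule[key] for key, value in wanted)

def allowed(state, subject, verb, group, resource, namespace=None):
    """Return True if the request is authorized; namespace=None is cluster scope."""
    for binding in state["bindings"]:
        if subject not in binding["subjects"]:
            continue
        # A RoleBinding grants access only inside its own namespace, so it can
        # never authorize a request for a cluster-scoped resource.
        if binding["kind"] == "RoleBinding" and binding["namespace"] != namespace:
            continue
        rules = state["roles"].get(binding["roleRef"], [])
        if any(rule_matches(r, group, resource, verb) for r in rules):
            return True
    return False

def check(state):
    """Evaluate cluster-scoped requests for the operator's service account."""
    return {verb: allowed(state, SUBJECT, verb, GROUP, RESOURCE)
            for verb in ("get", "list", "watch", "delete")}

if __name__ == "__main__":
    print("Role + RoleBinding:              ", check(BEFORE))
    print("ClusterRole + ClusterRoleBinding:", check(AFTER))
```

On a live cluster the equivalent check is `kubectl auth can-i list clusterimagecatalogs.postgresql.cnpg.io --as=system:serviceaccount:postgres:cnpg-manager`, using the namespace and service account names from the workaround.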