TODO.md
- document the creation of a pull secret for the SDI Registry and linking it to an OCP service account

- do not rely on voracluster (optional component) for ensuring the pull secret

- when build pods are pruned manually right after the observer's run script has executed, the following may happen:

      oc logs -n sdi-observer -f bc/sdi-observer
      Error from server (BadRequest): pods "sdi-observer-16-build" not found

- install jq from the regular RHEL8 repositories (rhocp-4.8-for-rhel-8-x86_64-rpms)

- ensure a clusterrolebinding that allows `get` on clusteroperators/openshift-apiserver, so that the OCP server version can be determined reliably

- deploy-registry: do not redeploy if the image cannot be pulled

  - if the image cannot be pulled (e.g. because the registry lost the blobs), an endless loop begins

- switch to certman

- modify the observer's jq script for vsystem-vrep patching like this:

      '. as $filtered | . +' \
      '[if isempty($filtered) then {' \
          '"metadata": {' \

  to

      '. as $filtered | . +' \
      '[if isempty($filtered[]) then {' \
          '"metadata": {' \

  after verifying it works; as it is, the condition always evaluates to false, because `isempty` tests whether its argument produces no output and `$filtered` (an array) is always exactly one output, whereas `$filtered[]` produces the array's elements and is therefore empty exactly when the array is

- determine the access mode in the deploy-registry script

- inject the CA certificate into newly created tenants

- filter out Not found messages like the following:

      Error from server (NotFound): routes.route.openshift.io "vsystem" not found
      Error from server (NotFound): services "vsystem" not found
      Error from server (NotFound): secrets "ca-bundle.pem" not found
      Mon, 15 Mar 2021 15:05:52 +0000 Not creating vsystem route for the missing vsystem service...

- filter out Forbidden errors like the following:

      oc logs -n sdi-observer -f dc/sdi-observer
      Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io "sdi-observer-admin-in-sdi-observer" is forbidden: User "system:serviceaccount:sdi-observer:sdi-observer" cannot get resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
      Error from server (Forbidden): error when replacing "STDIN": clusterrolebindings.rbac.authorization.k8s.io "sdi-observer-admin-in-sdi-observer" is forbidden: User "system:serviceaccount:sdi-observer:sdi-observer" cannot update resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
      Mon, 15 Mar 2021 19:34:27 +0000 Not replacing ClusterRole/sdi-observer-cluster-access-in-sdi-observer created by "sdi-observer-template" with a new object created by "registry-deploy".
      Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io "sdi-observer-cluster-access-in-sdi-observer" is forbidden: User "system:serviceaccount:sdi-observer:sdi-observer" cannot get resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope

- fix: `Error from server (NotFound): voraclusters.sap.com "vora" not found`

      Names do not match (/vora != ). Something is terribly wrong!

- do not terminate the observer when the SDI or slcbridge namespaces are missing

- fix uninstallation

  - the job datahub.checkpointstore-cleanup keeps restarting

        Tue, 29 Sep 2020 16:32:17 +0000 Service account datahub-postaction-sa in sdi namespace can already pull images from sdi-observer namespace. pod "datahub.checkpointstore-cleanup-bfd3c5-9f67d8-df2sd" deleted Error from server (NotFound): jobs.batch "datahub.checkpointstore-cleanup-bfd3c5-9f67d8" not found

- delete obsolete autogenerated secrets with a command like the following, which keeps the two newest matching secrets per service account and deletes the rest:

      # oc get secret -o json | jq -r '.items |
          sort_by(.metadata.creationTimestamp) |
          [.[] | select((.metadata.annotations["kubernetes.io/service-account.name"] // "") |
                          test("^(sdi-observer|container-image-registry)$"))
          ] | group_by(.metadata.annotations["kubernetes.io/service-account.name"]) |
          [.[] | .[0:((. | length)-2)]] | flatten(1)[] |
              "\(.metadata.name): \(.metadata.creationTimestamp)"' | awk -F : '{print "secret/"$1}' | xargs -r oc delete
    
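
  The selection logic of the command above, as an added example that is not part of the sdi-observer project: a Python port of the jq pipeline (group token secrets by the service-account annotation, sort by creationTimestamp, keep the two newest per account) run over a constructed `oc get secret -o json` listing with made-up secret names, so the set of secrets that would be handed to `oc delete` can be checked offline first.

```python
import re
from collections import defaultdict

# Service accounts whose auto-generated secrets the observer manages (from the jq regex).
SA_PATTERN = re.compile(r"^(sdi-observer|container-image-registry)$")
SA_ANNOTATION = "kubernetes.io/service-account.name"
KEEP_NEWEST = 2  # the jq slice .[0:(length-2)] keeps the last two of each group


def obsolete_secrets(secret_list, keep=KEEP_NEWEST):
    """Return 'secret/<name>' for each matching secret except the `keep` newest per service account."""
    groups = defaultdict(list)
    for item in secret_list.get("items", []):
        meta = item["metadata"]
        # Missing annotations behave like jq's `// ""`: the secret is simply not selected.
        sa = (meta.get("annotations") or {}).get(SA_ANNOTATION, "")
        if SA_PATTERN.match(sa):
            groups[sa].append(item)
    to_delete = []
    for sa in sorted(groups):  # group_by also orders the groups by key
        # RFC 3339 UTC timestamps sort correctly as strings, as in jq's sort_by.
        ordered = sorted(groups[sa], key=lambda s: s["metadata"]["creationTimestamp"])
        # Drop everything but the tail; max() mirrors jq, where a negative slice end yields nothing.
        for s in ordered[: max(len(ordered) - keep, 0)]:
            to_delete.append("secret/" + s["metadata"]["name"])
    return to_delete


def _secret(name, sa, ts):
    """Build a minimal Secret object as `oc get secret -o json` would list it (constructed)."""
    meta = {"name": name, "creationTimestamp": ts}
    if sa is not None:
        meta["annotations"] = {SA_ANNOTATION: sa}
    return {"metadata": meta}


# Constructed listing: three sdi-observer secrets, one registry secret, two unrelated ones.
SAMPLE_LISTING = {"items": [
    _secret("sdi-observer-token-aaaaa", "sdi-observer", "2021-03-15T10:00:00Z"),
    _secret("sdi-observer-dockercfg-bbbbb", "sdi-observer", "2021-03-15T10:00:01Z"),
    _secret("sdi-observer-token-ccccc", "sdi-observer", "2021-03-14T09:00:00Z"),
    _secret("container-image-registry-token-ddddd", "container-image-registry", "2021-03-13T08:00:00Z"),
    _secret("builder-token-eeeee", "builder", "2021-03-12T07:00:00Z"),
    _secret("ca-bundle.pem", None, "2021-03-11T06:00:00Z"),
]}

if __name__ == "__main__":
    # One argument per line, as the awk | xargs stage of the pipeline would consume them.
    print("\n".join(obsolete_secrets(SAMPLE_LISTING)))
```
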
- prevent the following build error:

      2m48s       Warning   BuildConfigInstantiateFailed   buildconfig/sdi-observer               error instantiating Build from BuildConfig sdi-observer/sdi-observer (0): Error resolving ImageStreamTag ubi9:latest in namespace sdi-observer: unable to find latest tagged image

  verify the manual workaround:

      oc tag --reference-policy=local --scheduled --source=docker registry.redhat.io/ubi9/ubi:latest ubi9:latest

- do not re-deploy the registry each time the observer is restarted

- add a job or webhook for the observer's automated updates

- break resource handling in the observer's loop into separate modules

- add a job for updating the registry's CA bundle in the image config

  - make the observer observe the router-ca secret in the openshift-ingress-operator namespace

- observer to grant the necessary SCCs

- observer to grant the admin role in the sdi namespace to the vora CRD instance

- change RWO volumes to RWX where it makes sense