Description
SUMMARY
We have a role that creates and deletes OpenShift projects and that has worked across many Ansible releases. When we attempt to upgrade to Ansible 7, it suddenly fails as soon as it tries to create a new project. The OpenShift project API is confusing and not idempotent, but this used to work: to create an OpenShift project, a user must CREATE a ProjectRequest, which makes the cluster create a new Project (Namespace). This can happen only once, and a user is not allowed to modify (PATCH) any of the project resources.
With Ansible 7, the attempt to create the project fails with the following error (example):
TASK [openshift_project : Create ProjectRequest] *******************************
fatal: [kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com]: FAILED! => changed=false
  msg: 'Failed to patch object: b''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"projectrequests.project.openshift.io \\"kafka-rev-ansible-7-g5cfyt\\" is forbidden: User \\"system:serviceaccount:kafka:gitlab\\" cannot patch resource \\"projectrequests\\" in API group \\"project.openshift.io\\" at the cluster scope","reason":"Forbidden","details":{"name":"kafka-rev-ansible-7-g5cfyt","group":"project.openshift.io","kind":"projectrequests"},"code":403}\n'''
  reason: Forbidden
ISSUE TYPE
- Bug Report
COMPONENT NAME
kubernetes.core.k8s
ANSIBLE VERSION
ansible [core 2.14.5]
  config file = None
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.11/site-packages/ansible
  ansible collection location = /home/ansible/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.11.3 (main, May 4 2023, 05:53:32) [GCC 10.2.1 20210110] (/usr/local/bin/python)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
# /usr/local/lib/python3.11/site-packages/ansible_collections
Collection Version
--------------- -------
kubernetes.core 2.4.0
CONFIGURATION
ANSIBLE_FORCE_COLOR(env: ANSIBLE_FORCE_COLOR) = True
CONFIG_FILE() = None
DEFAULT_HOST_LIST(env: ANSIBLE_INVENTORY) = ['/builds/kafka/provisioning/k8s/inventories/review.yml']
DEFAULT_LOAD_CALLBACK_PLUGINS(env: ANSIBLE_LOAD_CALLBACK_PLUGINS) = True
DEFAULT_ROLES_PATH(env: ANSIBLE_ROLES_PATH) = ['/builds/kafka/provisioning/k8s/roles']
DEFAULT_STDOUT_CALLBACK(env: ANSIBLE_STDOUT_CALLBACK) = yaml
HOST_KEY_CHECKING(env: ANSIBLE_HOST_KEY_CHECKING) = False
INTERPRETER_PYTHON(env: ANSIBLE_PYTHON_INTERPRETER) = auto
OS / ENVIRONMENT
N/A
STEPS TO REPRODUCE
Prerequisites: an OpenShift cluster with self-provisioner access. The project/namespace that we attempt to create must NOT already exist.
- name: Create ProjectRequest
  kubernetes.core.k8s:
    api_version: project.openshift.io/v1
    kind: ProjectRequest
    name: "{{ kubernetes_namespace }}"
    resource_definition:
      description: "{{ kubernetes_namespace_description }}"
      displayName: "{{ kubernetes_namespace_display_name }}"
EXPECTED RESULTS
The project request is CREATED in the Openshift API without error.
ACTUAL RESULTS
The attempt to create the project request fails with the following error (example):
  msg: 'Failed to patch object: b''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"projectrequests.project.openshift.io \\"kafka-rev-ansible-7-g5cfyt\\" is forbidden: User \\"system:serviceaccount:kafka:gitlab\\" cannot patch resource \\"projectrequests\\" in API group \\"project.openshift.io\\" at the cluster scope","reason":"Forbidden","details":{"name":"kafka-rev-ansible-7-g5cfyt","group":"project.openshift.io","kind":"projectrequests"},"code":403}\n'''
  reason: Forbidden
Note: the project is actually created by this failing task.
TASK [openshift_project : Create ProjectRequest] *******************************
task path: /builds/kafka/provisioning/k8s/roles/openshift_project/tasks/main.yml:37
redirecting (type: filter) ansible.builtin.json_query to community.general.json_query
<kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> ESTABLISH LOCAL CONNECTION FOR USER: ansible
<kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> EXEC /bin/sh -c 'echo ~ansible && sleep 0'
<kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/ansible/.ansible/tmp `"&& mkdir "` echo /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677 `" && echo ansible-tmp-1684583776.8747976-142-179954988027677="` echo /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677 `" ) && sleep 0'
Loading collection cloud.common from /usr/local/lib/python3.11/site-packages/ansible_collections/cloud/common
Using module file /usr/local/lib/python3.11/site-packages/ansible_collections/kubernetes/core/plugins/modules/k8s.py
<kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> PUT /home/ansible/.ansible/tmp/ansible-local-96xec_0y7q/tmp9_a4lciu TO /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677/AnsiballZ_k8s.py
<kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> EXEC /bin/sh -c 'chmod u+x /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677/ /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677/AnsiballZ_k8s.py && sleep 0'
<kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> EXEC /bin/sh -c '/usr/bin/python3 /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677/AnsiballZ_k8s.py && sleep 0'
<kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com> EXEC /bin/sh -c 'rm -f -r /home/ansible/.ansible/tmp/ansible-tmp-1684583776.8747976-142-179954988027677/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/tmp/ansible_kubernetes.core.k8s_payload__jodf5af/ansible_kubernetes.core.k8s_payload.zip/ansible_collections/kubernetes/core/plugins/module_utils/k8s/runner.py", line 68, in run_module
    result = perform_action(svc, definition, module.params)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/ansible_kubernetes.core.k8s_payload__jodf5af/ansible_kubernetes.core.k8s_payload.zip/ansible_collections/kubernetes/core/plugins/module_utils/k8s/runner.py", line 159, in perform_action
    instance = svc.update(resource, definition, existing)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/ansible_kubernetes.core.k8s_payload__jodf5af/ansible_kubernetes.core.k8s_payload.zip/ansible_collections/kubernetes/core/plugins/module_utils/k8s/service.py", line 426, in update
    raise exception
  File "/tmp/ansible_kubernetes.core.k8s_payload__jodf5af/ansible_kubernetes.core.k8s_payload.zip/ansible_collections/kubernetes/core/plugins/module_utils/k8s/service.py", line 413, in update
    k8s_obj = self.patch_resource(
              ^^^^^^^^^^^^^^^^^^^^
  File "/tmp/ansible_kubernetes.core.k8s_payload__jodf5af/ansible_kubernetes.core.k8s_payload.zip/ansible_collections/kubernetes/core/plugins/module_utils/k8s/service.py", line 165, in patch_resource
    raise CoreException(msg) from e
fatal: [kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com]: FAILED! => changed=false
  invocation:
    module_args:
      api_key: VALUE_SPECIFIED_IN_NO_LOG_PARAMETER
      api_version: project.openshift.io/v1
      append_hash: false
      apply: false
      ca_cert: null
      client_cert: null
      client_key: null
      context: null
      continue_on_error: false
      delete_options: null
      force: false
      generate_name: null
      host: https://api.stas-test.mycompany.com
      impersonate_groups: null
      impersonate_user: null
      kind: ProjectRequest
      kubeconfig: null
      label_selectors: null
      merge_type: null
      name: kafka-rev-ansible-7-g5cfyt
      namespace: kafka-rev-ansible-7-g5cfyt
      no_proxy: null
      password: null
      persist_config: null
      proxy: null
      proxy_headers: null
      resource_definition:
        apiVersion: project.openshift.io/v1
        description: ''
        displayName: ''
        kind: ProjectRequest
        metadata:
          name: kafka-rev-ansible-7-g5cfyt
          namespace: kafka-rev-ansible-7-g5cfyt
      server_side_apply: null
      src: null
      state: present
      template: null
      username: null
      validate: null
      validate_certs: null
      wait: false
      wait_condition: null
      wait_sleep: 5
      wait_timeout: 120
  msg: 'Failed to patch object: b''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"projectrequests.project.openshift.io \\"kafka-rev-ansible-7-g5cfyt\\" is forbidden: User \\"system:serviceaccount:kafka:gitlab\\" cannot patch resource \\"projectrequests\\" in API group \\"project.openshift.io\\" at the cluster scope","reason":"Forbidden","details":{"name":"kafka-rev-ansible-7-g5cfyt","group":"project.openshift.io","kind":"projectrequests"},"code":403}\n'''
  reason: Forbidden
PLAY RECAP *********************************************************************
kafka-rev-ansible-7-g5cfyt.stas-test.mycompany.com : ok=1 changed=0 unreachable=0 failed=1 skipped=2 rescued=0 ignored=0
localhost : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
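The create-once semantics described in the summary (a ProjectRequest may be CREATEd exactly once and never PATCHed) lend themselves to a guarded role pattern. The tasks below are an added example, not the reporter's role and not part of the kubernetes.core collection: they look up the Project first with kubernetes.core.k8s_info, issue the ProjectRequest only when no Project of that name exists, and then verify that the Project appeared with the requested display name (OpenShift stores displayName and description as the openshift.io/display-name and openshift.io/description annotations on the namespace). The variable names kubernetes_namespace, kubernetes_namespace_description and kubernetes_namespace_display_name are taken from the task above. This guard does not change what the module does on a fresh project, which is the defect reported here; it only keeps the role from re-issuing a request against a project that already exists and makes the outcome explicit. The 403 in the report also shows the service account correctly lacks patch on projectrequests, and this pattern does not require granting it.

```yaml
# Added example (not the reporter's role): guarded, create-only project provisioning.
# Assumes the variables used in the bug report: kubernetes_namespace,
# kubernetes_namespace_description, kubernetes_namespace_display_name.

- name: Look up the Project so the request is only ever issued once
  kubernetes.core.k8s_info:
    api_version: project.openshift.io/v1
    kind: Project
    name: "{{ kubernetes_namespace }}"
  register: existing_project

- name: Create ProjectRequest only when no Project with this name exists
  kubernetes.core.k8s:
    state: present
    api_version: project.openshift.io/v1
    kind: ProjectRequest
    name: "{{ kubernetes_namespace }}"
    resource_definition:
      description: "{{ kubernetes_namespace_description }}"
      displayName: "{{ kubernetes_namespace_display_name }}"
  when: existing_project.resources | length == 0

# The Project is created asynchronously by the cluster; poll for it rather than
# assuming it exists the instant the request returns.
- name: Wait for the Project to appear
  kubernetes.core.k8s_info:
    api_version: project.openshift.io/v1
    kind: Project
    name: "{{ kubernetes_namespace }}"
  register: created_project
  until: created_project.resources | length > 0
  retries: 10
  delay: 2

# Fail the play explicitly if the project is missing or carries the wrong metadata,
# instead of relying on a later task to hit a confusing error.
- name: Verify the Project exists and carries the requested display name
  ansible.builtin.assert:
    that:
      - created_project.resources | length == 1
      - (created_project.resources[0].metadata.annotations | default({})).get('openshift.io/display-name', '') == kubernetes_namespace_display_name
    fail_msg: "Project {{ kubernetes_namespace }} was not created as requested"
```

Because the ProjectRequest task is skipped whenever the Project already exists, a re-run of the role after the partial failure described above (project created, task reported as failed) converges without ever reaching the module's update path, and the service account keeps only create on projectrequests plus get/list on projects.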