#8659 openshift: allow for users to be able to start a rollout of a deployment
Opened 11 months ago by dustymabe. Modified 2 days ago

Describe what you would like us to do:


This is similar to https://pagure.io/fedora-infrastructure/issue/8005. It would be nice if we could just click to start a new deployment in the web interface or from the CLI:

$ oc -n coreos-ostree-importer rollout latest coreos-ostree-importer
Error from server (Forbidden): deploymentconfigs.apps.openshift.io "coreos-ostree-importer" is forbidden: User "dustymabe" cannot update deploymentconfigs.apps.openshift.io in the namespace "coreos-ostree-importer": no RBAC policy matched

I think maybe this would do it:

diff --git a/roles/openshift/project/templates/role-appowners.yml b/roles/openshift/project/templates/role-appowners.yml
index 3cb94c542..59642ad9a 100644
--- a/roles/openshift/project/templates/role-appowners.yml
+++ b/roles/openshift/project/templates/role-appowners.yml
@@ -80,6 +80,7 @@ rules:
   resources:
   - buildconfigs/instantiate
   - builds
+  - deploymentconfigs
   verbs:
   - create
   - update
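Review bot: Adding the bare `deploymentconfigs` resource to a rule whose verbs include `update` lets app owners rewrite the whole object, not only trigger a rollout, so the live config can drift from what the template defines. The neighbouring entry `buildconfigs/instantiate` is scoped to a subresource; consider an equally narrow grant here if the cluster and the `oc` client in use support one (for example `deploymentconfigs/instantiate`, which would need to be verified). The rule's `apiGroups` line sits above the visible context, so also confirm it covers `apps.openshift.io`, the group named in the Forbidden error, or the added line will not match.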

Sure, but note this is done already in playbooks, so if you run the playbook again it will do a rollout.

Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: OpenShift

11 months ago

If we grant this, does that mean people can edit deploymentconfig? We don't want that; we want to make sure ansible has the actual source of truth deploymentconfig.

Will the rollout from the playbook be sufficient here? Perhaps with a variable to just rollout?

If we grant this, does that mean people can edit deploymentconfig? We don't want that; we want to make sure ansible has the actual source of truth deploymentconfig.

I don't know

Will the rollout from the playbook be sufficient here? Perhaps with a variable to just rollout?

It's a real big pain when you are already logged in to the web interface and there could be a button right in front of you to click to instead have to go log in to a machine find a specially crafted command to run and run it as well as authenticate with password/token.

Metadata Update from @smooge:
- Issue tagged with: high-trouble, low-gain, ops

2 months ago

I am considering not changing this in the template, but adding it as an extra configuration for the project config? You could then easily see which projects can diverge (if we went the route of just making deployment config writable) :-)

Metadata Update from @asaleh:
- Issue assigned to asaleh

2 days ago

I am considering not changing this in the template, but adding it as an extra configuration for the project config? You could then easily see which projects can diverge (if we went the route of just making deployment config writable) :-)

But we don't want that. We want it to be so anytime our openshift cluster disappears, we could set up a new one and deploy the exact same app from ansible.

If we edit deploymentconfig outside of ansible, something could be running that's completely different from what ansible has. :(

I'm not sure what it would be changing tho, just the generation number?


Metadata
Boards 1
ops Status: Backlog