#8659 openshift: allow for users to be able to start a rollout of a deployment
Closed: Fixed 14 days ago by kevin. Opened a year ago by dustymabe.

Describe what you would like us to do:


This is similar to https://pagure.io/fedora-infrastructure/issue/8005. It would be nice if we could just click to start a new deployment in the web interface or from the CLI:

$ oc -n coreos-ostree-importer rollout latest coreos-ostree-importer
Error from server (Forbidden): deploymentconfigs.apps.openshift.io "coreos-ostree-importer" is forbidden: User "dustymabe" cannot update deploymentconfigs.apps.openshift.io in the namespace "coreos-ostree-importer": no RBAC policy matche
d

I think maybe this would do it:

diff --git a/roles/openshift/project/templates/role-appowners.yml b/roles/openshift/project/templates/role-appowners.yml
index 3cb94c542..59642ad9a 100644
--- a/roles/openshift/project/templates/role-appowners.yml
+++ b/roles/openshift/project/templates/role-appowners.yml
@@ -80,6 +80,7 @@ rules:
   resources:
   - buildconfigs/instantiate
   - builds
+  - deploymentconfigs
   verbs:
   - create
   - update

Sure, but note this is done already in playbooks, so if you run the playbook again it will do a rollout.

Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: OpenShift

a year ago

If we grant this does that people can edit deploymentconfig? we don't want that, we want to make sure ansible has the actual source of truth deploymentconfig.

Will the rollout from the playbook be sufficent here? Perhaps with a variable to just rollout?

If we grant this does that people can edit deploymentconfig? we don't want that, we want to make sure ansible has the actual source of truth deploymentconfig.

I don't know

Will the rollout from the playbook be sufficent here? Perhaps with a variable to just rollout?

It's a real big pain when you are already logged in to the web interface and there could be a button right in front of you to click to instead have to go log in to a machine find a specially crafted command to run and run it as well as authenticate with password/token.

Metadata Update from @smooge:
- Issue tagged with: high-trouble, low-gain, ops

5 months ago

I am considering not changing this in the template, but adding it as an extra configuration for the project config? You could then easily see which projects can diverge (if we wen't the route of just making deployment config writable) :-)

Metadata Update from @asaleh:
- Issue assigned to asaleh

4 months ago

I am considering not changing this in the template, but adding it as an extra configuration for the project config? You could then easily see which projects can diverge (if we wen't the route of just making deployment config writable) :-)

But we don't want that. We want it to be so anytime our openshift cluster disappears, we could setup a new one and deploy the exact same app from ansible.

If we edit deploymentconfig outside of ansible something could be running thats completely different from what ansible has. :(

I'm not sure what it would be changing tho, just the generation number?

How about we set it up like the way we setup deleting projects? ie, it's a nomatch tag you can pass in the playbook if you want to deploy?

For allowing a rollout only (without editing the dc) you can use the following rule :

- apiGroups:
  - apps.openshift.io
  resources:
  - deploymentconfigs/instantiate
  verbs:
  - create

Merged the PR. This will need app owners to re-run their playbook, but should be there after that. :)

Many thanks @darknao

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

14 days ago

Login to comment on this ticket.

Metadata
Boards 1
ops Status: Done
Related Pull Requests
  • #555 Merged 14 days ago