My team has been working on writing a CSV that will allow the Template Service Broker (TSB) to be deployed via OLM.
Currently, you must deploy the TSB Operator in the openshift-template-service-broker namespace when deploying with OLM (this is probably a requirement for the TSB in general, I'm somewhat new to actually using it). It took me a while to realize this, because the error message that OLM spits out doesn't point towards the actual problem.
I see the following status on my CSV instance YAML if I try to deploy somewhere other than the openshift-template-service-broker namespace:
```yaml
status:
  conditions:
  - lastTransitionTime: '2018-10-29T20:28:17Z'
    lastUpdateTime: '2018-10-29T20:28:17Z'
    message: requirements not yet checked
    phase: Pending
    reason: RequirementsUnknown
  - lastTransitionTime: '2018-10-29T20:28:17Z'
    lastUpdateTime: '2018-10-29T20:28:17Z'
    message: one or more requirements couldn't be found
    phase: Pending
    reason: RequirementsNotMet
  lastTransitionTime: '2018-10-29T20:28:17Z'
  lastUpdateTime: '2018-10-29T20:28:17Z'
  message: one or more requirements couldn't be found
  phase: Pending
  reason: RequirementsNotMet
  requirementStatus:
  - group: apiextensions.k8s.io
    kind: CustomResourceDefinition
    name: templateservicebrokers.osb.openshift.io
    status: Present
    uuid: 5c8facba-dbab-11e8-8b28-1866da0d45a8
    version: v1beta1
  - group: ''
    kind: ServiceAccount
    name: apiserver
    status: NotPresent
    version: v1
  - group: ''
    kind: ServiceAccount
    name: template-service-broker-operator
    status: NotPresent
    version: v1
  - group: ''
    kind: ServiceAccount
    name: template-service-broker-client
    status: NotPresent
    version: v1
```
However, I can verify manually that the 3 ServiceAccounts that are supposedly NotPresent do in fact exist.
```
[dwhatley@precision-t template-service-broker-operator]$ oc get sa -n myproject
NAME                               SECRETS   AGE
apiserver                          2         12m
builder                            2         1h
default                            2         1h
deployer                           2         1h
template-service-broker-client     2         12m
template-service-broker-operator   2         12m
```
And in fact, the installplan for the TSB shows that all of the required ServiceAccounts were created successfully:
As to why this is occurring, my unverified belief is that OpenShift has a hard-coded security policy which allows the TSB to function properly only in the designated openshift-template-service-broker namespace. I think this is necessary due to the high privilege level that the TSB operates at. Still working on getting more details about my "unverified belief", will post a comment here if I find something more concrete.
Hi @djwhatle, did you ever find any more information about this issue? We haven't seen this issue with any other operator installation, so I think it's unlikely to be an OLM bug that we need to track.
If you find that there are still issues we need to deal with, please re-open with the latest information. Thanks!
Here's a link to the CatalogSource where the TSB CSV (yay acronyms) I'm trying to deploy comes from: https://github.com/fusor/catasb/blob/fc14e50852f0cc36fbf6d61eca49012fe4476b00/ansible/roles/olm_setup/templates/osb-operators.configmap.upstream.yaml