Deployment fails because che-operator SA cannot get resource oauth #16959

Closed
l0rd opened this issue May 16, 2020 · 1 comment
Labels
area/chectl Issues related to chectl, the CLI of Che kind/bug Outline of a bug - must adhere to the bug report template. severity/blocker Causes system to crash and be non-recoverable or prevents Che developers from working on Che code.

l0rd commented May 16, 2020

Describe the bug

Deploying Che using chectl (next channel) and the operator fails on an OCP 4.3 cluster with the following error in the operator logs:

...User \"system:serviceaccount:che-server:che-operator\" cannot get resource \"oauths\"...

Che version

nightly

Steps to reproduce

Deploy a new OCP 4.3 cluster, open a terminal and use oc to login as kubeadmin. Then:

  1. Create some OpenShift users
export HTPASSWD_FILE=${HTPASSWD_FILE}
oc create secret generic htpasswd-secret --from-file=htpasswd=${HTPASSWD_FILE} -n openshift-config
oc patch oauth cluster -n openshift-config --type merge --patch "spec:
  identityProviders:
  - htpasswd:
      fileData:
        name: htpasswd-secret
    mappingMethod: claim
    name: htpasswd
    type: HTPasswd
"
  2. Create a namespace named che-server
export CHE_SERVER_PROJECT="che-server" && \
oc create namespace "${CHE_SERVER_PROJECT}" && \
oc project "${CHE_SERVER_PROJECT}"
  3. Deploy Che using chectl
chectl server:start --installer=operator \
                    --platform=openshift \
                    --os-oauth \
                    --self-signed-cert \
                    -n "${CHE_SERVER_PROJECT}"

Expected behavior

Che is successfully deployed

Runtime

Openshift 4.3.5:

$ oc version
Client Version: version.Info{Major:"4", Minor:"2+", GitVersion:"v4.2.0", GitCommit:"61fc89fab", GitTreeState:"clean", BuildDate:"2019-08-28T22:30:54Z", GoVersion:"go1.12.8", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.2", GitCommit:"b3bfb5a", GitTreeState:"clean", BuildDate:"2020-03-02T08:50:52Z", GoVersion:"go1.12.12", Compiler:"gc", Platform:"linux/amd64"}
OpenShift Version: 4.3.5

Installation method

$ chectl version
chectl/0.0.20200515-next.96decfd darwin-x64 node-v13.2.0
$ chectl server:start --installer=operator \
                    --platform=openshift \
                    --os-oauth \
                    --self-signed-cert \
                    -n che-server

Environment

OpenShift dev cluster (AWS)

Eclipse Che Logs

Chectl logs

› Current Kubernetes context: 'che-server/api-mloriedo-mariodev-devcluster-openshift-com:6443/system:admin'
  ✔ Verify Kubernetes API...OK (it's OpenShift)
  ✔ 👀  Looking for an already existing Eclipse Che instance
    ✔ Verify if Eclipse Che is deployed into namespace "che-server"...it is not
  ✔ ✈️  Openshift preflight checklist
    ✔ Verify if oc is installed...done.
    ✔ Verify if openshift is running...done.
    ✔ Check OpenShift version: 4.x
    ✔ Check Kubernetes version: Unknown.
  ✔ Verify Openshift oauth....done.
Eclipse Che logs will be available in '/var/folders/zl/7r34pc494nz6z5kx5t9n2rh00000gn/T/chectl-logs/1589609037496'
  ✔ Start following logs
    ✔ Start following Operator logs...done
    ✔ Start following Eclipse Che logs...done
    ✔ Start following Postgres logs...done
    ✔ Start following Keycloak logs...done
    ✔ Start following Plugin registry logs...done
    ✔ Start following Devfile registry logs...done
  ✔ Start following events
    ✔ Start following namespace events...done
 ›   Warning: You can also use features rich 'OLM' installer to deploy Eclipse Che.
  ✔ 🏃‍  Running the Eclipse Che operator
    ✔ Copying operator resources...done.
    ✔ Create Namespace (che-server)...It already exists.
    ↓ Checking certificate [skipped]
    ✔ Create ServiceAccount che-operator in namespace che-server...done.
    ✔ Create Role che-operator in namespace che-server...done.
    ✔ Create ClusterRole che-operator...done.
    ✔ Create RoleBinding che-operator in namespace che-server...done.
    ✔ Create ClusterRoleBinding che-operator...done.
    ✔ Create CRD checlusters.org.eclipse.che...done.
    ✔ Waiting 5 seconds for the new Kubernetes resources to get flushed...done.
    ✔ Create deployment che-operator in namespace che-server...done.
    ✔ Create Eclipse Che cluster eclipse-che in namespace che-server...done.
  ❯ ✅  Post installation checklist
    ❯ PostgreSQL pod bootstrap
      ✖ scheduling
        → ERR_TIMEOUT: Timeout set to pod wait timeout 300000. podExist: false, currentPhase: undefined
        downloading images
        starting
      Keycloak pod bootstrap
      Devfile registry pod bootstrap
      Plugin registry pod bootstrap
      Eclipse Che pod bootstrap
      Retrieving Eclipse Che server URL
      Eclipse Che status check
    Retrieving Keycloak admin credentials
    Retrieving Che self-signed CA certificate
 ›   Error: Error: ERR_TIMEOUT: Timeout set to pod wait timeout 300000. podExist: false, currentPhase: undefined
 ›   Installation failed, check logs in '/var/folders/zl/7r34pc494nz6z5kx5t9n2rh00000gn/T/chectl-logs/1589609037496'

Operator Logs

time="2020-05-16T06:04:23Z" level=info msg="Default 'info' log level is applied"
time="2020-05-16T06:04:23Z" level=info msg="Go Version: go1.12.12"
time="2020-05-16T06:04:23Z" level=info msg="Go OS/Arch: linux/amd64"
time="2020-05-16T06:04:23Z" level=info msg="operator-sdk Version: v0.5.0"
time="2020-05-16T06:04:23Z" level=info msg="Operator is running on OpenShift v4.x"
time="2020-05-16T06:04:23Z" level=info msg="Registering Che Components Types"
time="2020-05-16T06:04:23Z" level=info msg="Starting the Cmd"
time="2020-05-16T06:04:23Z" level=error msg="Unable to get openshift oauth. Cause: oauths.config.openshift.io \"cluster\" is forbidden: User \"system:serviceaccount:che-server:che-operator\" cannot get resource \"oauths\" in API group \"config.openshift.io\" at the cluster scope"
time="2020-05-16T06:04:23Z" level=info msg="Updating eclipse-che CR with status: Reason: InstallOrUpdateFailed"
time="2020-05-16T06:04:23Z" level=info msg="Custom resource eclipse-che updated"
time="2020-05-16T06:04:23Z" level=info msg="Updating eclipse-che CR with status: Message: Unable to get openshift oauth. Cause: oauths.config.openshift.io \"cluster\" is forbidden: User \"system:serviceaccount:che-server:che-operator\" cannot get resource \"oauths\" in API group \"config.openshift.io\" at the cluster scope"
time="2020-05-16T06:04:23Z" level=info msg="Custom resource eclipse-che updated"
time="2020-05-16T06:04:24Z" level=error msg="Unable to get openshift oauth. Cause: oauths.config.openshift.io \"cluster\" is forbidden: User \"system:serviceaccount:che-server:che-operator\" cannot get resource \"oauths\" in API group \"config.openshift.io\" at the cluster scope"
time="2020-05-16T06:04:25Z" level=error msg="Unable to get openshift oauth. Cause: oauths.config.openshift.io \"cluster\" is forbidden: User \"system:serviceaccount:che-server:che-operator\" cannot get resource \"oauths\" in API group \"config.openshift.io\" at the cluster scope"
@l0rd l0rd added kind/bug Outline of a bug - must adhere to the bug report template. severity/blocker Causes system to crash and be non-recoverable or prevents Che developers from working on Che code. area/chectl Issues related to chectl, the CLI of Che labels May 16, 2020
l0rd commented May 17, 2020

This problem is addressed in eclipse-che/che-operator@03978b3 but yarn.lock was not updated to fetch the latest templates in chectl. I have opened che-incubator/chectl#708 to fix that.
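
Added example (not part of the issue or of the che-operator/chectl code): a small triage script that parses "is forbidden" denials like the one in the operator logs above, derives the narrowest RBAC rule that would satisfy each, and builds the matching `oc auth can-i` check. The function names and the last sample log line (a namespaced denial) are constructed for illustration; the script does not describe what the referenced commit changes.

```python
import re

# The first two lines are copied from the operator log in this issue; the
# last line is a constructed namespaced denial to show the other scope form.
SAMPLE_LOG = r'''
time="2020-05-16T06:04:23Z" level=error msg="Unable to get openshift oauth. Cause: oauths.config.openshift.io \"cluster\" is forbidden: User \"system:serviceaccount:che-server:che-operator\" cannot get resource \"oauths\" in API group \"config.openshift.io\" at the cluster scope"
time="2020-05-16T06:04:24Z" level=error msg="Unable to get openshift oauth. Cause: oauths.config.openshift.io \"cluster\" is forbidden: User \"system:serviceaccount:che-server:che-operator\" cannot get resource \"oauths\" in API group \"config.openshift.io\" at the cluster scope"
time="2020-05-16T06:05:00Z" level=error msg="secrets \"demo\" is forbidden: User \"system:serviceaccount:che-server:che-operator\" cannot get resource \"secrets\" in API group \"\" in the namespace \"openshift-config\""
'''

Q = r'\\?"'  # double quote, optionally backslash-escaped as in the log's msg field
DENIAL = re.compile(
    rf'(?:{Q}(?P<name>[^"\\]+){Q} is forbidden: )?'
    rf'User {Q}system:serviceaccount:(?P<sa_ns>[^:"\\]+):(?P<sa>[^"\\]+){Q} '
    rf'cannot (?P<verb>[a-z]+) resource {Q}(?P<resource>[^"\\]+){Q}'
    rf'(?: in API group {Q}(?P<group>[^"\\]*){Q})?'
    rf'(?: in the namespace {Q}(?P<ns>[^"\\]+){Q}| at the cluster scope)'
)


def denied_requests(log_text):
    """Unique service-account RBAC denials found in the log, in first-seen order."""
    seen = []
    for match in DENIAL.finditer(log_text):
        denial = match.groupdict()
        if denial not in seen:
            seen.append(denial)
    return seen


def minimal_rule(d):
    """(kind, namespace, rule): the narrowest rule that allows the denied request."""
    rule = {"apiGroups": [d["group"] or ""], "resources": [d["resource"]],
            "verbs": [d["verb"]]}
    if d["name"]:
        rule["resourceNames"] = [d["name"]]
    return ("Role" if d["ns"] else "ClusterRole"), d["ns"], rule


def can_i_command(d):
    """oc command that re-checks the permission while impersonating the SA."""
    target = d["resource"] + (f'.{d["group"]}' if d["group"] else "")
    if d["name"]:
        target += "/" + d["name"]
    cmd = f'oc auth can-i {d["verb"]} {target} --as=system:serviceaccount:{d["sa_ns"]}:{d["sa"]}'
    return cmd + (f' -n {d["ns"]}' if d["ns"] else "")


if __name__ == "__main__":
    for d in denied_requests(SAMPLE_LOG):
        print(minimal_rule(d), can_i_command(d), sep="\n")
```

The derived rule covers only the request seen in the log, so an operator that also lists or watches the resource will log further denials. Running the generated `oc auth can-i` command requires a user that is allowed to impersonate service accounts.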
