Open
Labels: bug (Something isn't working)
Description
When testing with OLMv1, followed by installing with OLMv0, I was able to encounter this startup crash:
```
2025-08-15T21:11:46Z ERROR setup problem running manager {"error": "consoleplugins.console.openshift.io \"cryostat-plugin\" is forbidden: cannot set an ownerRef on a resource you can't delete: , <nil>"}
main.main
	/remote-source/app/internal/main.go:241
runtime.main
	/usr/lib/golang/src/runtime/proc.go:283
```
The Console Plugin still exists from the OLMv1 install and is unowned; I'm guessing we failed to find a ClusterRoleBinding to make the owner. We're probably making some assumptions here that do not work for OLMv1:
cryostat-operator/internal/console/plugin.go
Lines 176 to 222 in 8d2f470
```go
func (r *PluginInstaller) findOwner(ctx context.Context) (*rbacv1.ClusterRoleBinding, error) {
	// Use the plugin's ClusterRoleBinding as an owner.
	// Since the binding is managed by OLM, this will cause the ConsolePlugin
	// to be garbage collected when the operator is uninstalled.
	// We could use any OLM-managed object as owner, but since ConsolePlugin
	// is cluster-scoped, the owner must also be cluster-scoped.

	// Look up the operator's deployment, which should have been installed by OLM
	deploy := &appsv1.Deployment{}
	err := r.Client.Get(ctx, types.NamespacedName{Name: constants.OperatorDeploymentName, Namespace: r.Namespace}, deploy)
	if err != nil {
		return nil, err
	}

	// OLM should have placed these labels on the deployment, which should have the
	// same value on the ClusterRoleBindings it installed for our operator.
	keys := []string{"olm.owner", "olm.owner.kind", "olm.owner.namespace"}
	selector := labels.Set{}
	for _, key := range keys {
		value, pres := deploy.Labels[key]
		if !pres {
			return nil, fmt.Errorf("could not find OLM label \"%s\"", key)
		}
		selector[key] = value
	}

	// Get a list of all ClusterRoleBindings whose labels point to
	// our operator.
	bindings := &rbacv1.ClusterRoleBindingList{}
	err = r.Client.List(ctx, bindings, &client.ListOptions{
		LabelSelector: selector.AsSelector(),
	})
	if err != nil {
		return nil, err
	}

	// Look for the ClusterRoleBinding that corresponds to the
	// OpenShift Console plugin.
	for i, binding := range bindings.Items {
		for _, subject := range binding.Subjects {
			if subject.Name == constants.ConsoleServiceAccountName && subject.Kind == "ServiceAccount" {
				return &bindings.Items[i], nil
			}
		}
	}
	return nil, errors.New("could not find console plugin cluster role")
}
```
The easy fix is to add delete permissions for ConsolePlugins, but we should also look at updating that findOwner logic to work for OLMv1 as well.
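
The "cannot set an ownerRef on a resource you can't delete" message is produced by Kubernetes' OwnerReferencesPermissionEnforcement admission plugin, which only lets a caller change `ownerReferences` on an existing object if that caller may also delete it. The following is an added example, not code from the cryostat-operator project: a pre-deployment check that flags a ClusterRole able to update or patch a resource without being able to delete it. The role JSON is constructed, the helper names are hypothetical, and the RBAC evaluation is simplified (it ignores `resourceNames`, aggregation and multiple bindings).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of an rbac.authorization.k8s.io/v1 ClusterRole needed for the check.
// encoding/json matches keys such as "apiGroups" to fields case-insensitively.
type rule struct{ APIGroups, Resources, Verbs []string }
type clusterRole struct{ Rules []rule }

func has(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// allows reports whether any rule grants verb on group/resource ("*" matches anything).
func (c clusterRole) allows(group, resource, verb string) bool {
	for _, r := range c.Rules {
		if has(r.APIGroups, group) && has(r.Resources, resource) && has(r.Verbs, verb) {
			return true
		}
	}
	return false
}

// ownerRefBlocked is true when the role can update or patch the resource but
// cannot delete it, so adding an ownerRef to an existing object is rejected.
func ownerRefBlocked(roleJSON []byte, group, resource string) (bool, error) {
	var role clusterRole
	if err := json.Unmarshal(roleJSON, &role); err != nil {
		return false, err
	}
	canWrite := role.allows(group, resource, "update") || role.allows(group, resource, "patch")
	return canWrite && !role.allows(group, resource, "delete"), nil
}

// Constructed sample roles, not the operator's actual RBAC manifest.
const roleWithoutDelete = `{"rules":[{"apiGroups":["console.openshift.io"],"resources":["consoleplugins"],"verbs":["create","get","list","update"]}]}`
const roleWithDelete = `{"rules":[{"apiGroups":["console.openshift.io"],"resources":["consoleplugins"],"verbs":["create","get","list","update","delete"]}]}`

func main() {
	a, _ := ownerRefBlocked([]byte(roleWithoutDelete), "console.openshift.io", "consoleplugins")
	b, _ := ownerRefBlocked([]byte(roleWithDelete), "console.openshift.io", "consoleplugins")
	fmt.Println(a, b)
}
```
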