tanzu services class-claims get postgresql-1 reports: resource not ready and claims fails #34
Description
Issue
When we try to claim a service with tanzu service class-claim create postgresql-1 --class postgresql-unmanaged -n demo3 as documented here: https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.5/tap/services-toolkit-tutorials-working-with-bitnami-services.html, the message reported by tanzu services class-claims get postgresql-1 --namespace demo3 is always "resource not ready" and the claim fails.
This problem is related to an RBAC issue for the user system:serviceaccount:crossplane-system:crossplane:
resource: objects.kubernetes.crossplane.io is forbidden: User "system:serviceaccount:crossplane-system:crossplane" cannot create resource "objects" in API group "kubernetes.crossplane.io" at the cluster scope
Warning ComposeResources 22m (x4 over 22m) defined/compositeresourcedefinition.apiextensions.crossplane.io composed resource "1": cannot use dry-run create to name composed resource: releases.helm.crossplane.io is forbidden: User "system:serviceaccount:crossplane-system:crossplane" cannot create resource "releases" in API group "helm.crossplane.io" at the cluster scope
This error is reported within the resource:
API Version: bitnami.database.tanzu.vmware.com/v1alpha1
Kind: XPostgreSQLInstance
The root cause is that the providers are not installed properly, as their RBAC ClusterRoles are not listed here:
k get clusterrole -l rbac.crossplane.io/aggregate-to-crossplane="true"
NAME CREATED AT
crossplane:composite:xmysqlinstances.bitnami.database.tanzu.vmware.com:aggregate-to-crossplane 2023-04-19T14:37:53Z
crossplane:composite:xpostgresqlinstances.bitnami.database.tanzu.vmware.com:aggregate-to-crossplane 2023-04-19T14:37:55Z
crossplane:composite:xrabbitmqclusters.bitnami.messaging.tanzu.vmware.com:aggregate-to-crossplane 2023-04-19T14:37:55Z
crossplane:composite:xredisclusters.bitnami.caching.tanzu.vmware.com:aggregate-to-crossplane 2023-04-19T14:37:53Z
crossplane:system:aggregate-to-crossplane 2023-04-19T14:36:24Z
We should see:
k get clusterrole -l rbac.crossplane.io/aggregate-to-crossplane="true"
NAME CREATED AT
crossplane:composite:xmysqlinstances.database.example.org:aggregate-to-crossplane 2023-03-10T21:08:00Z
crossplane:composite:xpostgresqlinstances.database.example.org:aggregate-to-crossplane 2023-03-10T21:08:00Z
crossplane:composite:xrabbitmqclusters.messaging.example.org:aggregate-to-crossplane 2023-04-13T14:25:55Z
crossplane:composite:xredisclusters.caching.example.org:aggregate-to-crossplane 2023-03-10T21:08:00Z
crossplane:provider:provider-aws-2df294a101af:aggregate-to-edit 2023-04-04T19:40:25Z
crossplane:provider:provider-helm-e19bbae44e06:aggregate-to-edit 2023-03-10T21:04:00Z
crossplane:provider:provider-kubernetes-9a70983f5805:aggregate-to-edit 2023-03-10T21:04:00Z
crossplane:system:aggregate-to-crossplane
When we check the status of one of the providers, we find the root cause:
k describe provider/provider-helm
Name: provider-helm
Namespace:
Labels: kapp.k14s.io/app=1681914983065673828
kapp.k14s.io/association=v1.86fd531cb819e568414d740a989a09c1
Annotations: kapp.k14s.io/identity: v1;/pkg.crossplane.io/Provider/provider-helm;pkg.crossplane.io/v1
kapp.k14s.io/original:
{"apiVersion":"pkg.crossplane.io/v1","kind":"Provider","metadata":{"annotations":{"kbld.k14s.io/images":"- origins:\n - preresolved:\n ...
kapp.k14s.io/original-diff-md5: 691da2670b73a94447a7f58f4e9e59d1
kbld.k14s.io/images:
- origins:
- preresolved:
url: kind-registry:5000/tap/tap-packages@sha256:a3a14b07b79a8983257d1a2cc0449a4806753868178055554cfa38de7b649467
url: kind-registry:5000/tap/tap-packages@sha256:a3a14b07b79a8983257d1a2cc0449a4806753868178055554cfa38de7b649467
API Version: pkg.crossplane.io/v1
Kind: Provider
Metadata:
Creation Timestamp: 2023-04-19T14:36:26Z
Generation: 1
Resource Version: 3927
UID: 31307545-cb35-4fe5-8730-e329422d285b
Spec:
Controller Config Ref:
Name: provider-helm
Ignore Crossplane Constraints: false
Package: kind-registry:5000/tap/tap-packages:provider-helm@sha256:a3a14b07b79a8983257d1a2cc0449a4806753868178055554cfa38de7b649467
Package Pull Policy: IfNotPresent
Package Pull Secrets:
Name: registry-creds
Revision Activation Policy: Automatic
Revision History Limit: 1
Skip Dependency Resolution: false
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning UnpackPackage 2m6s (x894 over 14h) packages/provider.pkg.crossplane.io cannot unpack package: failed to fetch package digest from remote: failed to fetch package descriptor with a GET request after a previous HEAD request failure: Get "https://kind-registry:5000/v2/": x509: certificate signed by unknown authority: Get "https://kind-registry:5000/v2/": x509: certificate signed by unknown authority
Question: Can the crossplane package use the shared -> ca_cert_data certificate : https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.5/tap/install.html#full-profile-3?
How to reproduce
- Create a VM (Fedora, CentOS, ...)
- Install docker, kind
- Export the different parameters: see README.md
- Execute the following bash command using this script: https://github.com/halkyonio/tap/blob/1baeef2a83b94a19e3a65520cb944d5c7022b7e2/scripts/tap.sh
./scripts/tap.sh install
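The chain described in this issue runs backwards from the symptom: the claim fails because the Crossplane service account lacks RBAC for releases.helm.crossplane.io and objects.kubernetes.crossplane.io, the RBAC is missing because the provider ClusterRoles were never created, and they were never created because the provider package could not be unpacked from kind-registry:5000 behind a certificate the crossplane pod does not trust. The following triage script is an added example written for this page, not code from this issue, from halkyonio/tap, from TAP or from Crossplane. It checks both symptoms from saved kubectl output so it can run offline; the list of expected providers (provider-helm and provider-kubernetes, the two API groups named in the RBAC errors) and the sample inputs, which are constructed from the outputs quoted above, are assumptions of the example.

```shell
#!/usr/bin/env sh
# Added triage helper for the two symptoms reported in this issue (example code,
# not part of halkyonio/tap, TAP or Crossplane).
# Assumptions: the Bitnami services depend on provider-helm and provider-kubernetes
# (the RBAC errors name helm.crossplane.io and kubernetes.crossplane.io), and the
# kubectl output has been saved to text so the checks can run without a cluster.
set -u

# Providers the class claim depends on (assumption, see above).
EXPECTED_PROVIDERS="provider-helm provider-kubernetes"

# missing_provider_roles: reads the output of
#   kubectl get clusterrole -l rbac.crossplane.io/aggregate-to-crossplane=true
# on stdin and prints each expected provider that has no
# crossplane:provider:<name>-<hash>:aggregate-to-edit ClusterRole.
missing_provider_roles() {
  roles=$(cat)
  for p in $EXPECTED_PROVIDERS; do
    if ! printf '%s\n' "$roles" | grep -Eq "^crossplane:provider:${p}-[0-9a-f]+:aggregate-to-edit"; then
      printf '%s\n' "$p"
    fi
  done
}

# registry_tls_failures: reads `kubectl describe provider/<name>` output on stdin and
# prints the registry URL of every UnpackPackage event that failed with
# "x509: certificate signed by unknown authority" (deduplicated).
registry_tls_failures() {
  grep -F 'UnpackPackage' | grep -F 'x509: certificate signed by unknown authority' \
    | sed -nE 's#.*Get "(https://[^"/]+)/v2/".*#\1#p' | sort -u
}

# triage ROLES_TEXT EVENTS_TEXT: prints a diagnosis and returns
#   0 = neither symptom, 1 = provider RBAC missing, 2 = package pull blocked by an untrusted registry CA.
# The CA finding is reported first because it is upstream: a provider that never
# unpacks never gets its ClusterRoles, so the RBAC errors are a consequence.
triage() {
  missing=$(printf '%s\n' "$1" | missing_provider_roles)
  tls=$(printf '%s\n' "$2" | registry_tls_failures)
  if [ -n "$tls" ]; then
    echo "package pull fails, registry CA not trusted by the pod that unpacks packages: $tls"
    echo "provider RBAC still missing (expected until the package unpacks): ${missing:-none}"
    return 2
  fi
  if [ -n "$missing" ]; then
    echo "provider ClusterRoles missing although no TLS error was seen: $missing"
    return 1
  fi
  echo "providers healthy"
  return 0
}

# Constructed sample input, copied from the outputs quoted in this issue.
SAMPLE_ROLES_BROKEN='NAME CREATED AT
crossplane:composite:xpostgresqlinstances.bitnami.database.tanzu.vmware.com:aggregate-to-crossplane 2023-04-19T14:37:55Z
crossplane:system:aggregate-to-crossplane 2023-04-19T14:36:24Z'

SAMPLE_ROLES_OK='NAME CREATED AT
crossplane:composite:xpostgresqlinstances.database.example.org:aggregate-to-crossplane 2023-03-10T21:08:00Z
crossplane:provider:provider-helm-e19bbae44e06:aggregate-to-edit 2023-03-10T21:04:00Z
crossplane:provider:provider-kubernetes-9a70983f5805:aggregate-to-edit 2023-03-10T21:04:00Z
crossplane:system:aggregate-to-crossplane'

SAMPLE_EVENTS_TLS='Events:
Type Reason Age From Message
Warning UnpackPackage 2m6s (x894 over 14h) packages/provider.pkg.crossplane.io cannot unpack package: failed to fetch package digest from remote: failed to fetch package descriptor with a GET request after a previous HEAD request failure: Get "https://kind-registry:5000/v2/": x509: certificate signed by unknown authority: Get "https://kind-registry:5000/v2/": x509: certificate signed by unknown authority'

SAMPLE_EVENTS_OK='Events: <none>'

# Stand-alone run: first the state described in the issue, then a healthy cluster.
triage "$SAMPLE_ROLES_BROKEN" "$SAMPLE_EVENTS_TLS" || echo "triage exit status: $?"
triage "$SAMPLE_ROLES_OK" "$SAMPLE_EVENTS_OK" || echo "triage exit status: $?"
```

Against a live cluster, feed the two functions with `kubectl get clusterrole -l rbac.crossplane.io/aggregate-to-crossplane=true` and `kubectl describe provider/provider-helm`. One caveat worth keeping in mind when reading the output: the failing event above is emitted by packages/provider.pkg.crossplane.io, the Crossplane package manager, so it is the crossplane pod, not the provider pod, that must trust the CA of kind-registry:5000. Whether TAP's shared ca_cert_data reaches that pod is exactly the question the issue asks, and the page does not answer it.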