https://rancher.com/ logo
Join Slack
Powered by
This message was deleted.
# elemental
a
This message was deleted.
s
are you sure the elemental-operator is actually installed? This message is likely to appear if you install the elemental-ui extension without installing the elemental-operator controller.
a
This message contains interactive elements.
m
Hey Marco ๐Ÿ‘‹ ๐Ÿค” so, did you solved it?
a
I solved on how to install elemental using ArgoCD, at least found a solution but need to document a bit a provide some feedback to the elemental team. The only thing that is not working is the Dashboard.
m
Thank you, also for opening an issue. I am going to try to reproduce it today ๐Ÿ‘
a
Big issue from my side was that the OCI images are not usable in an ArgoCD deployment. Will also create an issue for that. Maybe it helps other people.
s
I guess you refer to OCI images for the helm chart only, right?
a
Yes indeed!!
๐Ÿ‘ 1
Should be more clear ๐Ÿ™‚
m
well, that's fine, we already planned to change the place for the charts
Marco, can you share which version of rancher have you installed? Moreover, would like to double check: did you take the charts from the opensuse OCI registry?
a
This message contains interactive elements.
I did take the charts from the OCI registry but needed to unpack and create a .tgz file being able to install them. Both the CRDs and the Operator
m
Ok, thanks ๐Ÿ™‚
a
Could be some leftovers from previous installs but i just cannot just delete the entire K8S cluster including rancher and start fresh
Just created a MachineRegistration / Seed Image etc.. so all seems to work ok until now. Only the dashboard does not popup nicely for the OS Management
m
So, you upgraded from the previous stable version, both operator and ui, right?
trying to reproduce the issue
a
Nope, started fresh and somehow I got into this situation. Installed wrong Helm charts from the GitHub repo
Needed to refresh the admin password etc
m
๐Ÿค” what do you mean with "wrong" helm charts?
a
Installed the Helm charts that are in the GitRepo themselves (https://github.com/rancher/elemental-operator/releases) took the 
elemental-operator-1.2.5.tgz
and 
elemental-operator-crds-1.2.5.tgz
Because the OCI images in the documentation are not usable in my case
Bu the Helm charts in the releases are totally different then the ones in the OCI registry
m
Well, I would expect them to work anyway ๐Ÿค” So, you installed the github charts and the UI issue popped out?
a
That is my guess.. after that deleted the Helm release and installed the correct HELM charts
Using the unpacked OCI images
m
๐Ÿค” This issue is weird, will try to follow your steps on a clean system
a
I wonder if it can reproduced ๐Ÿ™‚
Just a strange mixup of couple of things.
But would be nice to understand what the UI is actually missing to show the correct content
m
The user you use to connect to the dashboard is the rancher admin, right?
a
Yep! Indeed the local admin
m
so, this is weird
a
We ran in the situation that we also needed to reset the admin password
m
why?
a
The password was not generated somehow, we deployed Rancher a couple of times after that with โ€™bootPasswordโ€ that also did not work, so we needed to execute a reset of the password
m
mmm, so it maybe an issue with the admin user... which didn't get the permissions for the Elemental Operator too
a
The UI of the local cluster is behaving normal. It is just the Elemental dashboard rest works great
m
ok
a
We made a mess out of it ๐Ÿ™‚
m
I need to dig a bit more in the user permissions and the Elemental UI plugin accesss, I will be back to you later ๐Ÿ™‚
๐Ÿ‘ 1
Questo messaggio contiene elementi interattivi.
You can try to just create a brand new administrator user from the Rancher UI, that will have all the permissions
Otherwise, regular users should get the Elemental Administrator permissions
Questo messaggio contiene elementi interattivi.
under the hood, this creates a GlobalRoleBinding matching the GlobalRole (elemental-operator) to the User. So, if your user has name "u-myuser", something like:
Copy code
apiVersion: <http://management.cattle.io/v3|management.cattle.io/v3>
globalRoleName: elemental-operator
kind: GlobalRoleBinding
metadata:
  name: grb-elemtomyuser
userName: u-myuser
that would grant the permissions. Anyway, I would do that through the Rancher UI, as it will correctly populate all the annotations and metadata to have a clean configuration there.
So, I would create a new admin user from Rancher UI
logout and login with it
check if everything works
a
Will do that first thing tomorrow morning! Will keep you updated!
m
thanks! ๐Ÿ™‚
a
This message contains interactive elements.
@many-tiger-3407 So a normal Admin seems to be the problem.. A normal user with Elemental Administrator rights can see the dashboard.
An admin user with also the 
Elemental Administrator
checked also does not seem to work..
m
๐Ÿค” this is weird
@acceptable-belgium-2684, I have taken a look at the Admin roles in Rancher: admin users are granted a GlobalRoleBinding against the Admin GlobalRole. The Admin GlobalRole as rules to match all kind of resources with all kind of operations. On a fresh Rancher cluster it looks like:
Copy code
apiVersion: <http://management.cattle.io/v3|management.cattle.io/v3>
builtin: true
description: ""
displayName: Admin
kind: GlobalRole
metadata:
  annotations:
    <http://authz.management.cattle.io/cr-name|authz.management.cattle.io/cr-name>: cattle-globalrole-admin
    <http://lifecycle.cattle.io/create.mgmt-auth-gr-controller|lifecycle.cattle.io/create.mgmt-auth-gr-controller>: "true"
  creationTimestamp: "2023-07-03T15:25:56Z"
  finalizers:
  - <http://controller.cattle.io/mgmt-auth-gr-controller|controller.cattle.io/mgmt-auth-gr-controller>
  generation: 1
  labels:
    <http://authz.management.cattle.io/bootstrapping|authz.management.cattle.io/bootstrapping>: default-globalrole
    <http://cattle.io/creator|cattle.io/creator>: norman
  name: admin
  resourceVersion: "1909"
  uid: 7592bf41-906a-4717-95e6-0f935ada0627
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
As you can see, it allows access to all kind of resources, Elemental included.
Not sure what happened on your cluster ๐Ÿค” But I would expect admin users to have a GlobalRoleBinding matching against the Admin GlobalRole, that should be like above.
I honestly cannot see any issue with elemental: we provide the elemental-operator global role for not admin users, while admin ones should be granted access by the default Admin - match-all-resources global role.
I would review the RBAC rules on your cluster, probably something is not right there... still wondering what could have happened ๐Ÿค”
๐Ÿ‘ 1
a
I am gonna review all! Thanks for the help sofar!!!
12 Views
Open in Slack
PreviousNext
Powered by