chaining builds via imagestreamtags not triggering

[twhiston]

I'm trying to start a custom strategy build when an image stream tag changes (chaining builds), but currently this is not working, and the second build never seems to start. Not sure if i'm missing something obvious but it looks like it should work and it's basically the same as things like openshift-tagger do it, however whatever I do it doesn't seem to work.

Version

oc v3.7.0-alpha.1+fdbd3dc
kubernetes v1.7.0+695f48a16f
features: Basic-Auth

Server https://127.0.0.1:8443
openshift v3.7.0-alpha.1+fdbd3dc
kubernetes v1.7.0+695f48a16f

Steps To Reproduce

1. add some root build config that you want to trigger another build from, doesn't matter what.
2. create your chained bc similar to the following, in this case it's using the real image I am trying to use, which will get the latest image stream tag, retag it according to a label in openshift and push it to docker hub (but that shouldn't matter anyway)

kind: BuildConfig
apiVersion: v1
metadata:
  name: chained-tagger
  labels:
    application: my-project
spec:
  output:
    pushSecret:
      name: docker-hub
  strategy:
    type: "Custom"
    customStrategy:
      exposeDockerSocket: true
      from:
        kind: DockerImage
        name: tomwhiston/openshift-image-tagger
      forcePull: true
      env:
      - name: BUILD_IMAGE
        value: root-image-name
      - name: DEBUG
        value: "true"
      - name: OUTPUT_NAMESPACE
        value: "my-namespace"
      - name: PUSH_CLEANUP
        value: "true"
      - name: PUSH_IMAGE
        value: "true"
  triggers:
  - type: ImageChange
  - type: ImageChange
    imageChange:
      from:
        kind: ImageStreamTag
        name: my-project:latest

3. trigger root build

Current Result

After the root build is completed and the image stream tag is updated (checked with oc get imagestreamtag) the chained-tagger build is not triggered

Expected Result

chained-tagger build is started

[bparees]

please provide the root build config also.

[twhiston]

sure thing!

apiVersion: v1
kind: BuildConfig
metadata:
  annotations:
    openshift.io/generated-by: OpenShiftNewApp
  creationTimestamp: '2017-10-27T15:52:26Z'
  labels:
    app: drupal-module-tester
  name: drupal-module-tester
  namespace: dmt
  resourceVersion: '175791'
  selfLink: /oapi/v1/namespaces/dmt/buildconfigs/drupal-module-tester
  uid: d43aa784-bb2e-11e7-a19b-c265e4cb071e
spec:
  failedBuildsHistoryLimit: 5
  nodeSelector: null
  output:
    to:
      kind: ImageStreamTag
      name: 'drupal-module-tester:latest'
  postCommit: {}
  resources: {}
  runPolicy: Serial
  source:
    git:
      ref: feature/version_variable
      uri: 'https://github.com/twhiston/drupal_module_tester.git'
    type: Git
  strategy:
    dockerStrategy:
      env:
        - name: BUILD_LOGLEVEL
          value: '5'
      from:
        kind: ImageStreamTag
        name: 'base-centos7:latest'
    type: Docker
  successfulBuildsHistoryLimit: 5
  triggers:
    - github:
        secret: xxxxxx
      type: GitHub
    - generic:
        allowEnv: true
        secret: xxxxx
      type: Generic
    - type: ConfigChange
    - imageChange:
        lastTriggeredImageID: >-
          openshift/base-centos7@sha256:aea292a3bddba020cde0ee83e6a45807931eb607c164ec6a3674f67039d8cd7c
      type: ImageChange
status:
  lastVersion: 22

[bparees]

your first build is outputting to:

output:
    to:
      kind: ImageStreamTag
      name: 'drupal-module-tester:latest'

that doesn't match your ICT for your second build:

 imageChange:
      from:
        kind: ImageStreamTag
        name: my-project:latest

or the input image for your second build:

from:
        kind: DockerImage
        name: tomwhiston/openshift-image-tagger

[twhiston]

ah that is because i 'anonymised' the original output so those values could be replaced with whatever build config (as the issue seems to happen for me regardless of the root config that i am using, i tried it with a few source/docker based repos). Sorry, i wish it were a problem that simple! I've attached the full real configs, minus anything secret to this post for clarity. My apologies for introducing additional confusion because of that.

'Root' build config:

apiVersion: v1
kind: BuildConfig
metadata:
  annotations:
    openshift.io/generated-by: OpenShiftNewApp
  creationTimestamp: '2017-10-27T15:52:26Z'
  labels:
    app: drupal-module-tester
  name: drupal-module-tester
  namespace: dmt
  resourceVersion: '175791'
  selfLink: /oapi/v1/namespaces/dmt/buildconfigs/drupal-module-tester
  uid: d43aa784-bb2e-11e7-a19b-c265e4cb071e
spec:
  failedBuildsHistoryLimit: 5
  nodeSelector: null
  output:
    to:
      kind: ImageStreamTag
      name: 'drupal-module-tester:latest'
  postCommit: {}
  resources: {}
  runPolicy: Serial
  source:
    git:
      ref: feature/version_variable
      uri: 'https://github.com/twhiston/drupal_module_tester.git'
    type: Git
  strategy:
    dockerStrategy:
      env:
        - name: BUILD_LOGLEVEL
          value: '5'
      from:
        kind: ImageStreamTag
        name: 'base-centos7:latest'
    type: Docker
  successfulBuildsHistoryLimit: 5
  triggers:
    - github:
        secret: xxxxxx
      type: GitHub
    - generic:
        allowEnv: true
        secret: xxxxx
      type: Generic
    - type: ConfigChange
    - imageChange:
        lastTriggeredImageID: >-
          openshift/base-centos7@sha256:aea292a3bddba020cde0ee83e6a45807931eb607c164ec6a3674f67039d8cd7c
      type: ImageChange
status:
  lastVersion: 22

'Chained' build config

apiVersion: v1
kind: BuildConfig
metadata:
  creationTimestamp: '2017-10-27T15:54:19Z'
  labels:
    application: drupal-module-tester
  name: drupal-module-tester-tagger
  namespace: dmt
  resourceVersion: '175253'
  selfLink: /oapi/v1/namespaces/dmt/buildconfigs/drupal-module-tester-tagger
  uid: 17fa2af3-bb2f-11e7-a19b-c265e4cb071e
spec:
  nodeSelector: null
  output:
    pushSecret:
      name: docker-hub
  postCommit: {}
  resources: {}
  runPolicy: Serial
  source:
    type: None
  strategy:
    customStrategy:
      env:
        - name: BUILD_IMAGE
          value: drupal-module-tester
        - name: DEBUG
          value: 'true'
        - name: OUTPUT_NAMESPACE
          value: tomwhiston
        - name: PUSH_CLEANUP
          value: 'true'
        - name: PUSH_IMAGE
          value: 'true'
      exposeDockerSocket: true
      forcePull: true
      from:
        kind: DockerImage
        name: tomwhiston/openshift-image-tagger
    type: Custom
  triggers:
    - type: ConfigChange
    - imageChange:
        from:
          kind: ImageStreamTag
          name: 'drupal-module-tester:latest'
          namespace: dmt
      type: ImageChange
status:
  lastVersion: 3

[bparees]

@csrwng if non-default ICTs are really broken, it's a blocker, we need to understand if this is user error or not.

[jim-minter]

I1031 16:41:53.930912 8946 rbac.go:116] RBAC DENY: user "system:serviceaccount:openshift-infra:image-trigger-controller" groups ["system:serviceaccounts" "system:serviceaccounts:openshift-infra" "system:authenticated"] cannot "create" resource "builds.build.openshift.io/custom" named "chained" in namespace "demo"