Bug 1380837

Summary: ClusterResourceQuota annotation selector encounters errors matching special characters
Product: OpenShift Container Platform Reporter: Scott Dodson <sdodson>
Component: MasterAssignee: Jordan Liggitt <jliggitt>
Status: CLOSED ERRATA QA Contact: weiwei jiang <wjiang>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.3.0CC: aos-bugs, dma, ffranz, jliggitt, jokerman, mmccomas, qixuan.wang, wsun, zhezli
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: ClusterResourceQuota annotation selectors containing special characters caused parse errors when being used to select namespaces. Consequence: Namespaces that should have the cluster resource quota applied to them were not restricted by the cluster resource quota Fix: Handle special characters correctly Result: The specified namespaces have cluster resource quota correctly applied.
 Story Points: ---
Clone Of: 1376052 Environment:
Last Closed: 2016-10-04 12:44:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1376052    
Bug Blocks:    

Description Scott Dodson 2016-09-30 17:31:15 UTC 
+++ This bug was initially created as a clone of Bug #1376052 +++

cloned from https://github.com/openshift/origin/issues/10877 for QE

Description of problem:

ClusterResourceQuota annotation selector encounters errors if the keys or values contain characters that do not validate as label keys or values


Version-Release number of selected component (if applicable):


How reproducible:

Always

Steps to Reproduce:
1. Create a clusterresourcequota object with an annotations selector like this:
   "annotations":{"special key 1": "special value", "email":"user"}

2. Create a project, and annotate it with matching annotations

3. Observe errors in the server log, the clusterresourcequota status does not indicate the namespace was matched, and no clusterresourcequota is enforced in the project.


Additional info:

--- Additional comment from Jordan Liggitt on 2016-09-14 10:23:01 EDT ---

fixed in https://github.com/openshift/origin/pull/10896

--- Additional comment from Qixuan Wang on 2016-09-18 05:27:30 EDT ---

Tested on OCP3.3(openshift v3.3.0.31, kubernetes v1.3.0+52492b4, etcd 2.3.0+git)

There are some questions associated with testing:

1. Is there a separated bug for CLI fix https://github.com/openshift/origin/pull/10912 ?

2. Should ClusterResourceQuota label selector support keys/values contain characters like this bug fixed? For example:
spec.selector.labels.matchLabels: Invalid value: "qwang": must match the regex (([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])? (e.g. 'MyValue' or 'my_value' or '12345')

3. If lable selector supports special characters, should command "oc label namespace/project" support these?

Here is Server-side test result:

[root@dhcp-141-95 qwang]# cat bugs.yaml 
{
    "kind": "ClusterResourceQuota",
    "apiVersion": "v1",
    "metadata": {
        "name": "crq-test-6"
    },
    "spec": {
        "quota": {
            "hard": {
                "pods": "10",
                "secrets": "12"
            }
        },
        "selector": {
            "labels": {
                "matchLabels": {
                    "user": "qe"
                }
            },
            "annotations": {
                "openshift.io/requester": "qwang"
            }
        }
    }
}

[root@dhcp-141-95 qwang]# oc create -f bug.yaml 
clusterresourcequota "crq-test-6" created

[root@dhcp-141-95 qwang]# oc describe clusterresourcequotas crq-test-6
Name:		crq-test-6
Namespace:	<none>
Created:	8 seconds ago
Labels:		<none>
Annotations:	<none>
Label Selector: user=qe
AnnotationSelector: map[openshift.io/requester:qwang]
Resource	Used	Hard
--------	----	----

--- Additional comment from Jordan Liggitt on 2016-09-18 07:59:46 EDT ---

1. There should be a separate bug. Fabiano, can you open one?

2. No, label selectors are working correctly now. They do not include special characters

3. No, only annotations support special characters like that

--- Additional comment from Fabiano Franz on 2016-09-21 17:58:24 EDT ---

Separate bug for the CLI part: https://bugzilla.redhat.com/show_bug.cgi?id=1378243

--- Additional comment from DeShuai Ma on 2016-09-22 08:21:39 EDT ---

Test on openshift v1.4.0-alpha.0+aa08313, verify this bug.

Steps:
1. Create a clusterresourcequota with special annotations
[root@ip-172-18-5-251 ~]# oc create clusterresourcequota limit-bob --project-annotation-selector=openshift.io/requester=usertest --hard=pods=10
clusterresourcequota "limit-bob" created

2. Create a project match annotations
[root@ip-172-18-5-251 ~]# oadm new-project dma
Created project dma
[root@ip-172-18-5-251 ~]# oc annotate namespaces/dma openshift.io/requester=usertest

3. Check the clusterresourcequota status
oc get clusterresourcequota limit-bob -o json
{
    "kind": "ClusterResourceQuota",
    "apiVersion": "v1",
    "metadata": {
        "name": "limit-bob",
        "selfLink": "/oapi/v1/clusterresourcequotas/limit-bob",
        "uid": "c3086a15-80bb-11e6-93d0-0e6e19152557",
        "resourceVersion": "2067",
        "creationTimestamp": "2016-09-22T11:57:40Z"
    },
    "spec": {
        "selector": {
            "labels": null,
            "annotations": {
                "openshift.io/requester": "usertest"
            }
        },
        "quota": {
            "hard": {
                "pods": "10"
            }
        }
    },
    "status": {
        "total": {
            "hard": {
                "pods": "10"
            },
            "used": {
                "pods": "0"
            }
        },
        "namespaces": [
            {
                "namespace": "dma",
                "status": {
                    "hard": {
                        "pods": "10"
                    },
                    "used": {
                        "pods": "0"
                    }
                }
            }
        ]
    }
}

4. Create a pod in project and confirm clusterresourcequota is consumed by project
[root@ip-172-18-5-251 ~]# oc create -f https://raw.githubusercontent.com/openshift/origin/master/examples/hello-openshift/hello-pod.json -n dma
pod "hello-openshift" created
[root@ip-172-18-5-251 ~]# oc describe clusterresourcequotas limit-bob
Name:		limit-bob
Namespace:	<none>
Created:	14 minutes ago
Labels:		<none>
Annotations:	<none>
Label Selector: <null>
AnnotationSelector: map[openshift.io/requester:usertest]
Resource	Used	Hard
--------	----	----
pods		1	10
Comment 4 errata-xmlrpc 2016-10-04 12:44:06 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1988