Bug 1740052

Summary:	Federate a namespace failed for the invalid object name
Product:	OpenShift Container Platform	Reporter:	Qin Ping <piqin>
Component:	Federation	Assignee:	Aniket Bhat <anbhat>
Status:	CLOSED ERRATA	QA Contact:	Qin Ping <piqin>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	4.2.0	CC:	anbhat
Target Milestone:	---
Target Release:	4.2.0
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2019-10-16 06:35:36 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Qin Ping 2019-08-12 08:21:06 UTC

Description of problem:
Federate a namespace failed.

Version-Release number of selected component (if applicable):
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.2.0-0.nightly-2019-08-10-002649   True        False         164m    Error while reconciling 4.2.0-0.nightly-2019-08-10-002649: the update could not be applied

kubefedctl version: version.Info{Version:"v4.2.0", GitCommit:"b8ae65cee603cc9c746911debd3dc23b922222d8", GitTreeState:"clean", BuildDate:"2019-08-08T18:18:54Z", GoVersion:"go1.12.6", Compiler:"gc", Platform:"linux/amd64"}

KubeFed controller-manager version: version.Info{Version:"v4.2.0", GitCommit:"b8ae65cee603cc9c746911debd3dc23b922222d8", GitTreeState:"clean", BuildDate:"2019-08-08T18:58:34Z", GoVersion:"go1.12.6", Compiler:"gc", Platform:"linux/amd64"}



How reproducible:
100%

Steps to Reproduce:
1. Installed a cluster scoped kubefedcontroller
2. Joined 2 clusters into the federation
3. Created a namespace
$ oc create ns test-namespace
4. Federated namespace
$ kubefedctl federate ns test-namespace -e -c --kubefed-namespace=federation-system

Actual results:
customresourcedefinition.apiextensions.k8s.io/federatednamespaces.types.kubefed.io created
federatedtypeconfig.core.kubefed.io/namespaces created in namespace federation-system
I0812 16:15:24.549821    6232 federate.go:459] Resource to federate is a namespace. Given namespace will itself be the container for the federated namespace
I0812 16:15:24.668155    6232 federate.go:488] Successfully created FederatedNamespace "test-namespace/test-namespace" from Namespace
I0812 16:15:24.771175    6232 federate.go:488] Successfully created FederatedSecret "test-namespace/builder-dockercfg-nrrsn" from Secret
I0812 16:15:24.874326    6232 federate.go:488] Successfully created FederatedSecret "test-namespace/builder-token-86qb7" from Secret
I0812 16:15:24.977652    6232 federate.go:488] Successfully created FederatedSecret "test-namespace/builder-token-sg97j" from Secret
I0812 16:15:25.079669    6232 federate.go:488] Successfully created FederatedSecret "test-namespace/default-dockercfg-sd597" from Secret
I0812 16:15:25.182751    6232 federate.go:488] Successfully created FederatedSecret "test-namespace/default-token-9mrz5" from Secret
I0812 16:15:25.285432    6232 federate.go:488] Successfully created FederatedSecret "test-namespace/default-token-q85b4" from Secret
I0812 16:15:25.387480    6232 federate.go:488] Successfully created FederatedSecret "test-namespace/deployer-dockercfg-5cdrb" from Secret
I0812 16:15:25.490251    6232 federate.go:488] Successfully created FederatedSecret "test-namespace/deployer-token-g7whc" from Secret
I0812 16:15:25.593049    6232 federate.go:488] Successfully created FederatedSecret "test-namespace/deployer-token-ndwts" from Secret
customresourcedefinition.apiextensions.k8s.io/federatedserviceaccounts.types.kubefed.io created
federatedtypeconfig.core.kubefed.io/serviceaccounts created in namespace federation-system
I0812 16:15:35.762676    6232 federate.go:488] Successfully created FederatedServiceAccount "test-namespace/builder" from ServiceAccount
I0812 16:15:35.861546    6232 federate.go:488] Successfully created FederatedServiceAccount "test-namespace/default" from ServiceAccount
I0812 16:15:35.961164    6232 federate.go:488] Successfully created FederatedServiceAccount "test-namespace/deployer" from ServiceAccount
customresourcedefinition.apiextensions.k8s.io/federatedrolebindings.types.kubefed.io created
federatedtypeconfig.core.kubefed.io/rolebindings.authorization.openshift.io created in namespace federation-system
F0812 16:15:45.724853    6232 federate.go:150] Error: Error creating federated resource "test-namespace/system:deployers": FederatedRoleBinding.types.kubefed.io "system:deployers" is invalid: metadata.name: Invalid value: "system:deployers": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')


Expected results:
Maybe the SAs, Secrets created when creating namespace should not be federated.

Additional info:

Comment 1 Qin Ping 2019-08-12 09:05:26 UTC

Although can use the  --skip-api-resources "roles,rolebindings,sa,secret" to avoid this issue, thought the user maybe not know the resources created when creating namespace or project, so still open this bug.

Comment 2 Aniket Bhat 2019-08-15 18:38:59 UTC

The general approach would be to identify system created resources in a reliable way and skip federating them.

Comment 3 Aniket Bhat 2019-08-23 17:30:40 UTC

Ping,

This should be fixed in the latest downstream images.

Comment 5 Qin Ping 2019-08-28 08:01:00 UTC

Failed verificaiton with:
kubefedctl version: version.Info{Version:"v4.2.0", GitCommit:"7f002471b9dd8366e1e0f080b46bc79864682f71", GitTreeState:"clean", BuildDate:"2019-08-25T17:43:59Z", GoVersion:"go1.12.8", Compiler:"gc", Platform:"linux/amd64"}
KubeFed controller-manager version: version.Info{Version:"v4.2.0", GitCommit:"7f002471b9dd8366e1e0f080b46bc79864682f71", GitTreeState:"clean", BuildDate:"2019-08-25T20:09:07Z", GoVersion:"go1.12.6", Compiler:"gc", Platform:"linux/amd64"}


Still have the same issue.
F0828 11:28:16.301763   30785 federate.go:150] Error: Error creating federated resource "test-namespace/system:deployers": FederatedRoleBinding.types.kubefed.io "system:deployers" is invalid: metadata.name: Invalid value: "system:deployers": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

Comment 14 errata-xmlrpc 2019-10-16 06:35:36 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922