Bug 1833419

Summary: Webhooks not updated after changing WebhookDescription in CSV
Product: OpenShift Container Platform Reporter: Alexander Greene <agreene>
Component: OLMAssignee: Alexander Greene <agreene>
OLM sub component: OLM QA Contact: yhui
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: medium CC: bandrade, kuiwang
Version: 4.5   
Target Milestone: ---   
Target Release: 4.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: OLM would not update Validating or Mutating Webhook Configurations on cluster when a user directly edited a webhook defined in a CSV. Consequence: The webhook defined by the CSV would not exist on cluster. Fix: When a CSV is updated, OLM now compares the webhook on cluster against the one defined in the CSV, and updates the on cluster webhook if a change was detected. Result: Changes to a webhook in a CSV are reflected on cluster.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-13 17:36:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alexander Greene 2020-05-08 15:56:08 UTC 
Description of problem:
If I update the WebhookDescription in a CSV, existing Valdiating/Mutating WebhookConfigurations are not updated on cluster.

Version-Release number of selected component (if applicable):
4.5

How reproducible:
Always

Steps to Reproduce:
1. Install OLM
2. Copy the following yaml to webhook.csv.yaml
```
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
  annotations:
    alm-examples: '[{"apiVersion":"serving.knative.dev/v1alpha1","kind":"KnativeServing","metadata":{"name":"knative-serving"},"spec":{"config":{"autoscaler":{"container-concurrency-target-default":"100","container-concurrency-target-percentage":"1.0","enable-scale-to-zero":"true","max-scale-up-rate":"10","panic-threshold-percentage":"200.0","panic-window":"6s","panic-window-percentage":"10.0","scale-to-zero-grace-period":"30s","stable-window":"60s","tick-interval":"2s"},"defaults":{"revision-cpu-limit":"1000m","revision-cpu-request":"400m","revision-memory-limit":"200M","revision-memory-request":"100M","revision-timeout-seconds":"300"},"deployment":{"registriesSkippingTagResolving":"ko.local,dev.local"},"gc":{"stale-revision-create-delay":"24h","stale-revision-lastpinned-debounce":"5h","stale-revision-minimum-generations":"1","stale-revision-timeout":"15h"},"logging":{"loglevel.activator":"info","loglevel.autoscaler":"info","loglevel.controller":"info","loglevel.queueproxy":"info","loglevel.webhook":"info"},"observability":{"logging.enable-var-log-collection":"false","metrics.backend-destination":"prometheus"},"tracing":{"enable":"false","sample-rate":"0.1"}}}}]'
    capabilities: Seamless Upgrades
    categories: Networking,Integration & Delivery,Cloud Provider,Developer Tools
    certified: "false"
    containerImage: quay.io/openshift-knative/serverless-operator:v1.0.0
    createdAt: "2019-07-27T17:00:00Z"
    description: |-
      Provides a collection of API's to support deploying and serving
      of serverless applications and functions.
    repository: https://github.com/openshift-knative/serverless-operator
    support: Red Hat
  name: webhook.v1.0.0
  namespace: olm
spec:
  apiservicedefinitions: {}
  webhookdefinitions:
  - generateName: object.auditor.com
    type: ValidatingAdmissionWebhook
    deploymentName: "object-auditor-webhook-deployment"
    containerPort: 443
    sideEffects: "None"
    failurePolicy: Ignore
    admissionReviewVersions:
    - "v1"
    - "v1beta1"
    rules:
    - operations:
      - "CREATE"
      apiGroups:
      - ""
      apiVersions:
      - "v1"
      resources:
      - "configmaps"
    selector:
      name: mywebhook
    webhookPath: "/mutate"
  description: |
    A simple Webhook.
  displayName: Simple Webhook
  install:
    spec:
      deployments:
      - name: object-auditor-webhook-deployment
        spec:
          replicas: 1
          selector:
            matchLabels:
                app: object-auditor
                name: mywebhook
          template:
            metadata:
              labels:
                app: object-auditor
                name: mywebhook
            spec:
              containers:
                - name: object-auditor
                  image: quay.io/agreene/object-auditor:latest
                  imagePullPolicy: IfNotPresent
                  args:
                    - -tlsCertFile=/apiserver.local.config/certificates/apiserver.crt
                    - -tlsKeyFile=/apiserver.local.config/certificates/apiserver.key
                    - -alsologtostderr
                    - -v=4
                    - 2>&1
    strategy: deployment
  installModes:
  - supported: true
    type: OwnNamespace
  - supported: true
    type: SingleNamespace
  - supported: true
    type: MultiNamespace
  - supported: true
    type: AllNamespaces
  keywords:
  - wbhooks
  links:
  - name: Documentation
    url: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.1/html-single/serverless/index
  maintainers:
  - email: knative
    name: Serverless Team
  maturity: alpha
  provider:
    name: Red Hat
  version: 1.0.0
```
3. Run `oc apply -f webhook.csv.yaml`
4. Check that the CSV was installed successfully:
```
$ oc get csvs
NAME             DISPLAY          VERSION   REPLACES   PHASE
packageserver    Package Server   1.0.0                Succeeded
webhook.v1.0.0   Simple Webhook   1.0.0                Succeeded
```

5. Edit the spec.webhookdefinitions.rules[0].operators[0] field with `oc edit csv webhook.v1.0.0 ` and set the value to delete.
6. Check if the validatingWebhookConfiguration was updated:
`oc get validatingwebhookconfigurations.admissionregistration.k8s.io -o yaml` 
Actual results:
The validatingwebhookconfigurations created by the CSV is not updated.

Expected results:
The validatingwebhookconfigurations created by the CSV is updated to use the DELETE operation.

Additional info:
Comment 3 yhui 2020-05-11 08:59:59 UTC 
[root@preserve-olm-env bug-1833419]# oc version
Client Version: 4.4.0-rc.11
Server Version: 4.5.0-0.nightly-2020-05-11-032504
Kubernetes Version: v1.18.0-rc.1
[root@preserve-olm-env bug-1833419]# oc exec catalog-operator-6ddb5ff87f-t7xbz -n openshift-operator-lifecycle-manager -- olm --version
OLM version: 0.15.0
git commit: 9ffa1fdb8dcf3153f915563641dc4ceaf3fbe3f2


Steps to test:
1. Install OLM

2. Create the project and operatorgroup
[root@preserve-olm-env bug-1833419]# oc new-project olm
[root@preserve-olm-env bug-1833419]# cat og.yaml 
apiVersion: operators.coreos.com/v1alpha2
kind: OperatorGroup
metadata:
  name: hui-og
  namespace: olm
spec:
  targetNamespaces:
    - olm
[root@preserve-olm-env bug-1833419]# oc apply -f og.yaml 
operatorgroup.operators.coreos.com/hui-og created

3. Prepare the csv file webhook.csv.yaml
```
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
  annotations:
    alm-examples: '[{"apiVersion":"serving.knative.dev/v1alpha1","kind":"KnativeServing","metadata":{"name":"knative-serving"},"spec":{"config":{"autoscaler":{"container-concurrency-target-default":"100","container-concurrency-target-percentage":"1.0","enable-scale-to-zero":"true","max-scale-up-rate":"10","panic-threshold-percentage":"200.0","panic-window":"6s","panic-window-percentage":"10.0","scale-to-zero-grace-period":"30s","stable-window":"60s","tick-interval":"2s"},"defaults":{"revision-cpu-limit":"1000m","revision-cpu-request":"400m","revision-memory-limit":"200M","revision-memory-request":"100M","revision-timeout-seconds":"300"},"deployment":{"registriesSkippingTagResolving":"ko.local,dev.local"},"gc":{"stale-revision-create-delay":"24h","stale-revision-lastpinned-debounce":"5h","stale-revision-minimum-generations":"1","stale-revision-timeout":"15h"},"logging":{"loglevel.activator":"info","loglevel.autoscaler":"info","loglevel.controller":"info","loglevel.queueproxy":"info","loglevel.webhook":"info"},"observability":{"logging.enable-var-log-collection":"false","metrics.backend-destination":"prometheus"},"tracing":{"enable":"false","sample-rate":"0.1"}}}}]'
    capabilities: Seamless Upgrades
    categories: Networking,Integration & Delivery,Cloud Provider,Developer Tools
    certified: "false"
    containerImage: quay.io/openshift-knative/serverless-operator:v1.0.0
    createdAt: "2019-07-27T17:00:00Z"
    description: |-
      Provides a collection of API's to support deploying and serving
      of serverless applications and functions.
    repository: https://github.com/openshift-knative/serverless-operator
    support: Red Hat
  name: webhook.v1.0.0
  namespace: olm
spec:
  apiservicedefinitions: {}
  webhookdefinitions:
  - generateName: object.auditor.com
    type: ValidatingAdmissionWebhook
    deploymentName: "object-auditor-webhook-deployment"
    containerPort: 443
    sideEffects: "None"
    failurePolicy: Ignore
    admissionReviewVersions:
    - "v1"
    - "v1beta1"
    rules:
    - operations:
      - "CREATE"
      apiGroups:
      - ""
      apiVersions:
      - "v1"
      resources:
      - "configmaps"
    selector:
      name: mywebhook
    webhookPath: "/mutate"
  description: |
    A simple Webhook.
  displayName: Simple Webhook
  install:
    spec:
      deployments:
      - name: object-auditor-webhook-deployment
        spec:
          replicas: 1
          selector:
            matchLabels:
                app: object-auditor
                name: mywebhook
          template:
            metadata:
              labels:
                app: object-auditor
                name: mywebhook
            spec:
              containers:
                - name: object-auditor
                  image: quay.io/agreene/object-auditor:latest
                  imagePullPolicy: IfNotPresent
                  args:
                    - -tlsCertFile=/apiserver.local.config/certificates/apiserver.crt
                    - -tlsKeyFile=/apiserver.local.config/certificates/apiserver.key
                    - -alsologtostderr
                    - -v=4
                    - 2>&1
    strategy: deployment
  installModes:
  - supported: true
    type: OwnNamespace
  - supported: true
    type: SingleNamespace
  - supported: true
    type: MultiNamespace
  - supported: true
    type: AllNamespaces
  keywords:
  - wbhooks
  links:
  - name: Documentation
    url: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.1/html-single/serverless/index
  maintainers:
  - email: knative
    name: Serverless Team
  maturity: alpha
  provider:
    name: Red Hat
  version: 1.0.0
```

4. Run `oc apply -f webhook.csv.yaml`
[root@preserve-olm-env bug-1833419]# oc get csvs
NAME             DISPLAY          VERSION   REPLACES   PHASE
webhook.v1.0.0   Simple Webhook   1.0.0                Succeeded

5. Edit the spec.webhookdefinitions.rules[0].operators[0] field with `oc edit csv webhook.v1.0.0 ` and set the value to DELETE.

6. Check if the validatingWebhookConfiguration was updated:
`oc get validatingwebhookconfigurations.admissionregistration.k8s.io -o yaml` 

Actual results:
The validatingwebhookconfigurations created by the CSV is updated to use the DELETE operation.

The result is what we expected. Verify the bug.
Comment 4 errata-xmlrpc 2020-07-13 17:36:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409