Bug 1891898

Summary: The ClusterServiceVersion can define Webhooks that cannot be created.
Product: OpenShift Container Platform Reporter: Alexander Greene <agreene>
Component: OLMAssignee: Alexander Greene <agreene>
OLM sub component: OLM QA Contact: Jian Zhang <jiazha>
Status: CLOSED ERRATA Docs Contact:
Severity: low    
Priority: medium    
Version: 4.6   
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: Operator Authors can create CSVs that define Webhooks with containerPorts set outside the range of 1-65535, which prevents the ValidatingWebhookConfiguration or MutatingWebhookConfiguration from being created due to failed validation. Consequence: CSV can be created that never successfully install. Fix: Update the CSV's CRD Validation to include the proper min and max values for webhookDescription ContainerPort field. If the containerPort is not defined, default to 443. Result: CSVs with invalid containerPorts now fail validation before the CSV is created.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-24 15:28:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1892244    

Description Alexander Greene 2020-10-27 15:56:34 UTC 
Description of problem:
Operator Authors can create CSVs that define Webhooks with containerPorts set outside the range of 0-65535, which prevents the ValidatingWebhookConfiguration or MutatingWebhookConfiguration from being created due to failed validation.

Version-Release number of selected component (if applicable):
4.6.0

How reproducible:
Always

Steps to Reproduce:
1.Install a CSV that defines a webhook whose containerPort value is less than 0 or greater than 65535.

Actual results:
Validating / mutating webhook is not created, CSV rotates through different install phases.

Expected results:
The webhook is installed correctly and the operator reaches the succeeded phase.

Additional info:
Comment 1 Alexander Greene 2020-10-27 17:48:15 UTC 
Example OLM Failure Log:

```
time="2020-10-27T14:02:12Z" level=error msg="Webhooks: Error creating MutatingWebhookConfiguration: MutatingWebhookConfiguration.admissionregistration.k8s.io \"mopentelemetrycollector.kb.io-gtbpc\" is invalid: webhooks[0].clientConfig.service.port: Invalid value: 0: port is not valid: must be between 1 and 65535, inclusive"
```
Comment 3 yhui 2020-11-05 03:53:42 UTC 
Version:
[root@preserve-olm-env 1891898]# oc version
Client Version: 4.6.0-rc.4
Server Version: 4.7.0-0.nightly-2020-11-04-224753
Kubernetes Version: v1.19.2+6bd0f34
[root@preserve-olm-env 1891898]# oc exec olm-operator-96859b4c-j4w6g -n openshift-operator-lifecycle-manager -- olm --version
OLM version: 0.17.0
git commit: 594996a0f09040c56312fdb8c9321284529283fe

Steps to test:
1, Create a new project
[root@preserve-olm-env 1891898]# oc new-project test-operators
Now using project "test-operators" on server "https://api.yhui-471.qe.devcluster.openshift.com:6443".

2, Create a operatorgroup in the new project.
[root@preserve-olm-env 1891898]# cat og.yaml 
apiVersion: operators.coreos.com/v1alpha2
kind: OperatorGroup
metadata:
  name: hui-og
  namespace: test-operators
spec:
  targetNamespaces:
    - test-operators
[root@preserve-olm-env 1891898]# oc create -f og.yaml 
operatorgroup.operators.coreos.com/hui-og created

3, Prepare a CSV yaml file. The containerPort is set to 0.

4, Install the CSV.
[root@preserve-olm-env 1891898]# oc apply -f csv.yaml 
The ClusterServiceVersion "webhook.v1.0.0" is invalid: spec.webhookdefinitions.containerPort: Invalid value: 1: spec.webhookdefinitions.containerPort in body should be greater than or equal to 1

The CSV cannot be created. This is what we expected. But I think the information should be modified. 
Invalid value: 1   ->     Invalid value: 0

5, Prepare a CSV yaml file. The containerPort is set to 65536.

6, Install the CSV.
[root@preserve-olm-env 1891898]# oc apply -f csv.yaml 
The ClusterServiceVersion "webhook.v1.0.0" is invalid: spec.webhookdefinitions.containerPort: Invalid value: 65535: spec.webhookdefinitions.containerPort in body should be less than or equal to 65535

The CSV cannot be created. This is what we expected. But I think the information should be modified. 
Invalid value: 65535   ->     Invalid value: 65536 

"Invalid value" should be changed to actual value which set in the CSV yaml file. This should be modified. Assigned the bug.
Comment 4 Alexander Greene 2020-11-06 18:55:30 UTC 
@yhui the error messages you received when creating the CSV are defaults defined in the CSV and are not controlled by the OLM team - we cannot change these messages. I am placing this ticket back on QE.
Comment 5 Alexander Greene 2020-11-06 18:57:44 UTC 
Sorry - I meant to say that min/max values are defined by fields in the CSV's CRD, OLM does not generate these messages sent to the user when a value is provided that is not within the defined range.
Comment 6 yhui 2020-11-10 06:19:19 UTC 
Version:
[root@preserve-olm-env ~]# oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2020-11-10-023606   True        False         23m     Cluster version is 4.7.0-0.nightly-2020-11-10-023606
[root@preserve-olm-env ~]# oc exec olm-operator-67c77688f7-5q4q7 -n openshift-operator-lifecycle-manager -- olm --version
OLM version: 0.17.0
git commit: 161c86b215ceae325d7bf8f7f351406a0303ca27

Steps to test:
1, Create a new project
[root@preserve-olm-env 1891898]# oc new-project test-operators
Now using project "test-operators" on server "https://api.knarra1110.qe.devcluster.openshift.com:6443".

2, Create a operatorgroup in the new project.
[root@preserve-olm-env 1891898]# cat og.yaml 
apiVersion: operators.coreos.com/v1alpha2
kind: OperatorGroup
metadata:
  name: hui-og
  namespace: test-operators
spec:
  targetNamespaces:
    - test-operators
[root@preserve-olm-env 1891898]# oc create -f og.yaml 
operatorgroup.operators.coreos.com/hui-og created

3, Prepare a CSV yaml file. The containerPort is set to 0.

4, Install the CSV.
[root@preserve-olm-env 1891898]# oc apply -f csv.yaml 
The ClusterServiceVersion "webhook.v1.0.0" is invalid: spec.webhookdefinitions.containerPort: Invalid value: 1: spec.webhookdefinitions.containerPort in body should be greater than or equal to 1

The CSV cannot be created. This is what we expected. 

5, Prepare a CSV yaml file. The containerPort is set to 65536.

6, Install the CSV.
[root@preserve-olm-env 1891898]# oc apply -f csv.yaml 
The ClusterServiceVersion "webhook.v1.0.0" is invalid: spec.webhookdefinitions.containerPort: Invalid value: 65535: spec.webhookdefinitions.containerPort in body should be less than or equal to 65535

The CSV cannot be created. This is what we expected.
Verify the bug.
Comment 10 errata-xmlrpc 2021-02-24 15:28:35 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633