Bug 1904583

Summary: Operator upgrades can delete existing CSV before completion
Product: OpenShift Container Platform
Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: OLM
Assignee: Vu Dinh <vdinh>
OLM sub component: OLM
QA Contact: Jian Zhang <jiazha>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
CC: aivaras.laimikis, alkazako, assingh, dageoffr, ecordell, kaczynsk, krizza
Version: 4.4
Target Milestone: ---
Target Release: 4.6.z
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-12-21 13:24:19 UTC
Bug Depends On: 1857877, 1947946    
Bug Blocks: 1904584    

Comment 2 Jian Zhang 2020-12-14 03:06:43 UTC
Cluster version is 4.6.0-0.nightly-2020-12-14-015205
[root@preserve-olm-env data]# oc -n openshift-operator-lifecycle-manager exec catalog-operator-6bc7d9ff89-rnszx -- olm --version
OLM version: 0.16.1
git commit: fe32277830b3dc086e014c0e3391de671e5f49f4

1, Consume this special CatalogSource image.
[root@preserve-olm-env data]# cat cs-etcd.yaml 
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: etcd-test
  namespace: openshift-marketplace
spec:
  displayName: Jian Test
  publisher: Jian
  sourceType: grpc
  image: quay.io/olmqe/etcd-index:0.9.4-sa
  updateStrategy:
    registryPoll:
      interval: 10m
[root@preserve-olm-env data]# 
[root@preserve-olm-env data]# oc create -f cs-etcd.yaml 
catalogsource.operators.coreos.com/etcd-test created

[root@preserve-olm-env data]# oc get catalogsource -n openshift-marketplace
NAME                  DISPLAY               TYPE   PUBLISHER   AGE
...
etcd-test             Jian Test             grpc   Jian        60s
...

2, Subscribe to the etcd operator with manual approval.

[root@preserve-olm-env data]# cat og.yaml 
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: test-og
  namespace: default
spec:
  targetNamespaces:
  - default
[root@preserve-olm-env data]# oc create -f og.yaml 
operatorgroup.operators.coreos.com/test-og created
[root@preserve-olm-env data]# cat sub-0.9.2.yaml 
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: etcd-sub
  namespace: default
spec:
  installPlanApproval: Manual
  channel: alpha
  name: etcd
  source: etcd-test
  sourceNamespace: openshift-marketplace
  startingCSV: etcdoperator.v0.9.2
[root@preserve-olm-env data]# oc create -f sub-0.9.2.yaml 
subscription.operators.coreos.com/etcd-sub created

[root@preserve-olm-env data]# oc get sub -n default
NAME       PACKAGE   SOURCE      CHANNEL
etcd-sub   etcd      etcd-test   alpha
[root@preserve-olm-env data]# oc get ip -n default
NAME            CSV                   APPROVAL   APPROVED
install-542hf   etcdoperator.v0.9.2   Manual     false
[root@preserve-olm-env data]# oc get csv -n default
No resources found in default namespace.


3, Approve etcdoperator.v0.9.2
[root@preserve-olm-env data]# oc get csv
NAME                  DISPLAY   VERSION   REPLACES   PHASE
etcdoperator.v0.9.2   etcd      0.9.2                Succeeded
[root@preserve-olm-env data]# oc get ip
NAME            CSV                   APPROVAL   APPROVED
install-542hf   etcdoperator.v0.9.2   Manual     true
install-lj5k7   etcdoperator.v0.9.4   Manual     false

4, Approve etcdoperator.v0.9.4
[root@preserve-olm-env data]# oc get ip
NAME            CSV                   APPROVAL   APPROVED
install-542hf   etcdoperator.v0.9.2   Manual     true
install-lj5k7   etcdoperator.v0.9.4   Manual     true
[root@preserve-olm-env data]# oc get csv
NAME                  DISPLAY   VERSION   REPLACES              PHASE
etcdoperator.v0.9.2   etcd      0.9.2                           Replacing
etcdoperator.v0.9.4   etcd      0.9.4     etcdoperator.v0.9.2   Pending
[root@preserve-olm-env data]# oc get sa
NAME            SECRETS   AGE
builder         2         41m
default         2         51m
deployer        2         41m
etcd-operator   2         2m34s


5, The sa still exists and the owner is the v0.9.2 csv.
[root@preserve-olm-env data]# oc get sa etcd-operator -o yaml
apiVersion: v1
imagePullSecrets:
  name: etcd-operator
  namespace: default
  ownerReferences:
  - apiVersion: operators.coreos.com/v1alpha1
    blockOwnerDeletion: false
    controller: false
    kind: ClusterServiceVersion
    name: etcdoperator.v0.9.2
    uid: c99f5618-0f1c-449b-9066-ba79ca48d31b
  resourceVersion: "32632"

The error info is "Service account is not owned by this ClusterServiceVersion", LGTM. Verify it.
[root@preserve-olm-env data]# oc get sa etcd-operator -o yaml
apiVersion: v1
imagePullSecrets:
- name: etcd-operator-dockercfg-9d9bk
kind: ServiceAccount
...
  - group: ""
    kind: ServiceAccount
    message: Service account is not owned by this ClusterServiceVersion
    name: etcd-operator
    status: PresentNotSatisfied
    version: v1
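
The ownership check that steps 4 and 5 perform by eye can be scripted over the JSON form of the same objects. This is an added example, not part of the original comment and not OLM code; the function names and verdict labels are hypothetical, and the sample objects are constructed from the field values quoted above.

```python
import json

# Constructed sample: the fields below mirror the `oc` output quoted in Comment 2.
SA = json.loads("""{"kind": "ServiceAccount",
 "metadata": {"name": "etcd-operator", "namespace": "default",
  "ownerReferences": [{"apiVersion": "operators.coreos.com/v1alpha1",
   "kind": "ClusterServiceVersion", "name": "etcdoperator.v0.9.2"}]}}""")
NEW_CSV = json.loads("""{"kind": "ClusterServiceVersion",
 "metadata": {"name": "etcdoperator.v0.9.4", "namespace": "default"},
 "spec": {"replaces": "etcdoperator.v0.9.2"},
 "status": {"phase": "Pending", "requirementStatus": [
  {"group": "", "version": "v1", "kind": "ServiceAccount", "name": "etcd-operator",
   "status": "PresentNotSatisfied",
   "message": "Service account is not owned by this ClusterServiceVersion"}]}}""")

def sa_owner_csvs(sa):
    """Names of the ClusterServiceVersions in a ServiceAccount's ownerReferences."""
    refs = sa.get("metadata", {}).get("ownerReferences", [])
    return [r["name"] for r in refs if r.get("kind") == "ClusterServiceVersion"]

def check_upgrade(new_csv, service_accounts):
    """Classify each unsatisfied ServiceAccount requirement of the incoming CSV."""
    name = new_csv["metadata"]["name"]
    replaces = new_csv.get("spec", {}).get("replaces")
    findings = []
    for req in new_csv.get("status", {}).get("requirementStatus", []):
        if req.get("kind") != "ServiceAccount" or req.get("status") != "PresentNotSatisfied":
            continue
        sa = service_accounts.get(req["name"])
        owners = sa_owner_csvs(sa) if sa else []
        if name in owners:
            verdict = "owned-by-this-csv"
        elif replaces and replaces in owners:
            verdict = "owned-by-replaced-csv"   # the state shown in step 5
        elif owners:
            verdict = "owned-by-other-csv"
        else:
            verdict = "unowned-or-missing"
        findings.append((req["name"], owners, verdict))
    return findings

if __name__ == "__main__":
    print(check_upgrade(NEW_CSV, {"etcd-operator": SA}))
```

On a live cluster the two inputs would come from `oc get csv <name> -o json` and `oc get sa <name> -o json` in the operator's namespace.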

Comment 5 errata-xmlrpc 2020-12-21 13:24:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.6.9 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5614