Bug 1929165

Summary: [RFE] A cluster may have old and new templates (e.g. after upgrade); older templates should be protected from deletion
Product: Container Native Virtualization (CNV)
Reporter: Ruth Netser <rnetser>
Component: SSP
Assignee: Andrej Krejcir <akrejcir>
Status: CLOSED ERRATA
QA Contact: Sarah Bennert <sbennert>
Severity: high
Docs Contact:
Priority: unspecified
Version: 2.6.0
CC: akrejcir, cnv-qe-bugs, dholler, fdeutsch, ipinto
Target Milestone: ---
Target Release: 4.9.1
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: kubevirt-ssp-operator-container-v4.9.0-20
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-12-13 19:59:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1962475

Description Ruth Netser 2021-02-16 10:40:22 UTC
Description of problem:
A cluster may have old and new templates (e.g. after upgrade).
Currently a user can delete older templates and they will not be reconciled by the operator; older templates should be protected from deletion as VMs may be referencing them.

Version-Release number of selected component (if applicable):
CNV 2.6.0 (after upgrade)

How reproducible:


Steps to Reproduce:
1. Install CNV 2.5.z
2. Create a VM from template
3. Upgrade the cluster
4. Delete the template which was used to create the VM
5. Try to restart the VMI

Actual results:
The restart will fail as the template is not found.
w/a - update the VM to use a new template

Expected results:
Older templates should be reconciled / protected from deletion

Additional info:

Comment 1 Andrej Krejcir 2021-04-13 12:49:41 UTC
I think that, instead of blocking the deletion of old templates, the SSP operator could add the 'vm.kubevirt.io/validations' annotation to old VMs.
Then the template-validator would use the validation rules from the annotation and not from a non-existing template.

Old VMs could be updated when the SSP resource is updated to a new version. It would be more efficient than updating on each reconciliation iteration.

Comment 7 Sarah Bennert 2021-10-12 14:01:42 UTC
Template in use by a VM was allowed to be deleted on 4.9 CNV that had been upgraded from 2.5

$ oc delete template -n openshift rhel6-desktop-tiny-v0.11.3
template.template.openshift.io "rhel6-desktop-tiny-v0.11.3" deleted

Comment 14 Sarah Bennert 2021-11-18 19:15:53 UTC
Verified.

Cluster upgraded
From: OpenShift 4.6.48 / OpenShift Virtualization 2.5.8
To:   OpenShift 4.9.7 / OpenShift Virtualization 4.9.1-23

VMs were created using templates from the UI in 2.5.8 and then the cluster upgraded.

After upgrade to 4.9.1, verified delete command was rejected regardless if the VMs were running or not.

$ oc delete -n openshift template rhel8-server-tiny-v0.11.3
Error from server (Forbidden): admission webhook "template-admission.ssp.kubevirt.io" denied the request: Template cannot be deleted, because the following VMs are referencing it for validation: {LIST_OF_ALL_VMS_CREATED_FOR_TEST}
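
Added example, not part of the bug comments and not the SSP operator's own code: the deletion check reported in Comment 14, combined with the annotation idea from Comment 1, modeled as a plain Go function. The VM struct, the function name, the two template label keys and the namespace/name format of the VM list are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// The annotation key is named in Comment 1. The two label keys are assumed
// to be how a VM records the template it was created from.
const (
	labelTemplateName      = "vm.kubevirt.io/template"
	labelTemplateNamespace = "vm.kubevirt.io/template.namespace"
	annotationValidations  = "vm.kubevirt.io/validations"
)

// VM is a hypothetical, reduced view of a VirtualMachine's metadata.
type VM struct {
	Namespace, Name     string
	Labels, Annotations map[string]string
}

// ReviewTemplateDelete decides a DELETE request for a template. A VM blocks
// the deletion only if it points at the template and carries no validation
// rules of its own, because the validator must then read them from the template.
func ReviewTemplateDelete(tmplNamespace, tmplName string, vms []VM) (bool, string) {
	var blockers []string
	for _, vm := range vms {
		if vm.Labels[labelTemplateName] != tmplName ||
			vm.Labels[labelTemplateNamespace] != tmplNamespace {
			continue // VM was created from a different template
		}
		if _, ok := vm.Annotations[annotationValidations]; ok {
			continue // rules live on the VM itself; the template is not needed
		}
		blockers = append(blockers, vm.Namespace+"/"+vm.Name)
	}
	if len(blockers) == 0 {
		return true, ""
	}
	return false, "Template cannot be deleted, because the following VMs are " +
		"referencing it for validation: " + strings.Join(blockers, ", ")
}

func main() {
	// Constructed sample: one VM created from the template, no annotation.
	labels := map[string]string{labelTemplateName: "rhel8-server-tiny-v0.11.3", labelTemplateNamespace: "openshift"}
	fmt.Println(ReviewTemplateDelete("openshift", "rhel8-server-tiny-v0.11.3", []VM{{Namespace: "test", Name: "vm-a", Labels: labels}}))
}
```

The check does not look at whether a VM is running, which matches the verification result that the delete was rejected in both cases.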

Comment 20 errata-xmlrpc 2021-12-13 19:59:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Virtualization 4.9.1 Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:5091