Bug 1991076
| Summary: | insights-operator-obfuscation-secret role lacks cluster profile annotations | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | W. Trevor King <wking> |
| Component: | Insights Operator | Assignee: | Serhii Zakharov <szakharo> |
| Status: | CLOSED DUPLICATE | QA Contact: | Dmitry Misharov <dmisharo> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.8 | CC: | aos-bugs, inecas, mklika, szakharo, tremes |
| Target Milestone: | --- | | |
| Target Release: | 4.8.z | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-08-11 09:05:54 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

And I didn't walk the whole history, but as far as the branch tips go, the RoleBinding has the same issue:

$ git cat-file -p 'origin/release-4.8:manifests/03-clusterrole.yaml' | yaml2json | jq '.[] | select(.kind == "RoleBinding" and .metadata.name == "insights-operator-obfuscation-secret").metadata'
{
  "name": "insights-operator-obfuscation-secret",
  "namespace": "openshift-insights"
}
$ git cat-file -p 'origin/release-4.9:manifests/03-clusterrole.yaml' | yaml2json | jq '.[] | select(.kind == "RoleBinding" and .metadata.name == "insights-operator-obfuscation-secret").metadata'
{
  "name": "insights-operator-obfuscation-secret",
  "namespace": "openshift-insights",
  "annotations": {
    "include.release.openshift.io/self-managed-high-availability": "true",
    "include.release.openshift.io/ibm-cloud-managed": "true",
    "include.release.openshift.io/single-node-developer": "true"
  }
}

Thanks for the report and the analysis Trevor. Yeah the history shows our poor knowledge of RBAC and annotations usage. I believe this is covered with the "cryptic" https://bugzilla.redhat.com/show_bug.cgi?id=1977342 and https://github.com/openshift/insights-operator/pull/467. Anyway the annotations should be added in the 4.8 as well.

If it's easier to close this bug as a dup of bug 1977342, that's fine with me.

*** This bug has been marked as a duplicate of bug 1977342 ***

Checking with these current branch tips:

$ git --no-pager log --oneline -1 origin/release-4.8
bc15362e (origin/release-4.8) [release-4.8] Gather all MachineConfig definitions (#449) (#459)
$ git --no-pager log --oneline -1 origin/release-4.9
b178f47f (HEAD -> master, origin/release-4.9, origin/release-4.10, origin/master, origin/HEAD) Insightsreport set corresponding clusteroperator condition correctly (#473)

The 4.9 insights-operator-obfuscation-secret Role has the expected cluster profile annotations:

$ git cat-file -p origin/release-4.9:manifests/03-clusterrole.yaml | yaml2json | jq '.[] | select(.kind == "Role" and .metadata.name == "insights-operator-obfuscation-secret").metadata'
{
  "name": "insights-operator-obfuscation-secret",
  "namespace": "openshift-insights",
  "annotations": {
    "include.release.openshift.io/self-managed-high-availability": "true",
    "include.release.openshift.io/ibm-cloud-managed": "true",
    "include.release.openshift.io/single-node-developer": "true"
  }
}

But 4.8 does not:

$ git cat-file -p origin/release-4.8:manifests/03-clusterrole.yaml | yaml2json | jq '.[] | select(.kind == "Role" and .metadata.name == "insights-operator-obfuscation-secret").metadata'
{
  "name": "insights-operator-obfuscation-secret",
  "namespace": "openshift-insights"
}

The manifest appears to be new in 4.8, with no hits in 4.7:

$ git cat-file -p origin/release-4.7:manifests/03-clusterrole.yaml | yaml2json | jq '.[] | select(.kind == "Role" and .metadata.name == "insights-operator-obfuscation-secret").metadata'
...no hits...

Per the cluster profile enhancement [1], that results in the CVO ignoring the manifest in all cluster profiles. Looking at 4.8.2 -> 4.8.3 CI [2], the Role is indeed missing:

$ curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/logs/release-openshift-origin-installer-launch-aws/1420413555873681408/artifacts/launch/roles.json | jq -r '.items[].metadata | select(.name == "insights-operator-obfuscation-secret")'
...no hits...

The 4.9 history is fairly exciting, with [3] removing the Role entirely. [4] bringing the role back, but with a delete annotation (still no profile annotations, so the CVO ignores this). [5] adding the role with profile annotations, but keeping the separate entry with the delete annotation. And [6] removing the entry with the delete annotation, leaving just the role with profile annotations.

I dunno if 4.8 cares about this Role or not; obviously if its absence caused serious issues, we would have had some complaints out of CI/QE. But keeping dead-code manifests around is just confusing, so we should either drop the entry entirely, or add profiles so the CVO manages it in clusters that need it.

[1]: https://github.com/openshift/enhancements/blob/ce4d303db807622687159eb9d3248285a003fabb/enhancements/update/cluster-profiles.md
[2]: https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/release-openshift-origin-installer-launch-aws/1420413555873681408
[3]: https://github.com/openshift/insights-operator/commit/c8e1838296b7d4fb00d79ed982cf062df029dbed
[4]: https://github.com/openshift/insights-operator/commit/c6237c6417f9cdd1c527ac2012f394280622a7c5
[5]: https://github.com/openshift/insights-operator/commit/6e70054f6e433526942e900073ccc0862c4ce137
[6]: https://github.com/openshift/insights-operator/commit/b44b5443e353424042d96fd1b482dfc9c036429a
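
Added example, not part of the bug comments or the insights-operator repository: a Python version of the check the report performs by hand with jq, listing which objects in a manifest file the CVO would skip for a given cluster profile. It assumes the manifest has already been converted to a JSON array (as `yaml2json` does in the report); `profiles_of`, `skipped_by_cvo` and the sample objects are constructed for illustration.

```python
import json

PREFIX = "include.release.openshift.io/"

# Constructed sample in the shape of the jq output quoted in the report.
# The RoleBinding deliberately omits single-node-developer, and the third
# entry (made-up name) carries only the CVO delete annotation.
SAMPLE = json.loads("""[
  {"kind": "Role", "metadata": {
     "name": "insights-operator-obfuscation-secret",
     "namespace": "openshift-insights"}},
  {"kind": "RoleBinding", "metadata": {
     "name": "insights-operator-obfuscation-secret",
     "namespace": "openshift-insights",
     "annotations": {
       "include.release.openshift.io/self-managed-high-availability": "true",
       "include.release.openshift.io/ibm-cloud-managed": "true"}}},
  {"kind": "Role", "metadata": {
     "name": "example-deleted-role",
     "namespace": "openshift-insights",
     "annotations": {"release.openshift.io/delete": "true"}}}
]""")


def profiles_of(obj):
    """Return the sorted cluster profiles an object opts into."""
    annotations = (obj.get("metadata") or {}).get("annotations") or {}
    return sorted(key[len(PREFIX):] for key, value in annotations.items()
                  if key.startswith(PREFIX) and value == "true")


def skipped_by_cvo(objects, profile):
    """Return (kind, name, reason) for objects not applied in `profile`."""
    findings = []
    for obj in objects:
        meta = obj.get("metadata") or {}
        have = profiles_of(obj)
        if profile in have:
            continue
        reason = ("no cluster profile annotations" if not have
                  else "not in profile " + profile)
        findings.append((obj.get("kind"), meta.get("name"), reason))
    return findings


if __name__ == "__main__":
    for profile in ("self-managed-high-availability", "single-node-developer"):
        for finding in skipped_by_cvo(SAMPLE, profile):
            print(profile, *finding, sep="\t")
```

Run per release branch in CI, a non-empty result for any RBAC object flags the dead-manifest condition described in the report before it ships.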