Bug 2035015

Summary: ClusterLogForwarding CR remains stuck remediating forever
Product: OpenShift Container Platform
Reporter: Ian Miller <imiller>
Component: Telco Edge
Assignee: Jim Ramsay <jramsay>
Telco Edge sub component: ZTP
QA Contact: yliu1
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
CC: jramsay
Version: 4.10
Target Release: 4.10.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2022-03-12 04:39:45 UTC
Type: Bug
Bug Blocks: 2050762
Attachments: The enforce version of the policy. (Flags: none)

Description Ian Miller 2021-12-22 17:49:15 UTC
Created attachment 1847387
The enforce version of the policy.

Description of problem:
The inform Policy which applies the DU configuration for ClusterLogForwarding never resolves to the Compliant state. This inform policy is copied to create an enforce policy which is used to apply the configuration to the cluster. The enforce version of the Policy goes compliant but the inform version of the Policy remains NotCompliant.

The inform policy (enforce copy attached)
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  annotations:
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
    policy.open-cluster-management.io/standards: NIST SP 800-53
    ran.openshift.io/ztp-deploy-wave: "10"
  labels:
    app.kubernetes.io/instance: policies
  name: group-cnfocto1-log-forwarder-policy
  namespace: ztp-group-cnfocto1
spec:
  disabled: false
  policy-templates:
  - objectDefinition:
      apiVersion: policy.open-cluster-management.io/v1
      kind: ConfigurationPolicy
      metadata:
        name: group-cnfocto1-log-forwarder-policy-config
      spec:
        namespaceselector:
          exclude:
          - kube-*
          include:
          - '*'
        object-templates:
        - complianceType: musthave
          objectDefinition:
            apiVersion: logging.openshift.io/v1
            kind: ClusterLogForwarder
            metadata:
              annotations:
                ran.openshift.io/ztp-deploy-wave: "10"
              name: instance
              namespace: openshift-logging
            spec:
              inputs:
              - infrastructure:
                  namespaces:
                  - openshift-apiserver
                  - openshift-cluster-version
                  - openshift-etcd
                  - openshift-kube-scheduler
                  - openshift-monitoring
                  - openshift-performance-addon
                  - openshift-ptp
                  - openshift-machine-config-operator
                  - open-cluster-management-agent
                  - open-cluster-management-agent-addon
                name: infra-logs
              outputs:
              - name: kafka-open
                type: kafka
                url: tcp://10.1.2.3:9092/test
              pipelines:
              - inputRefs:
                - audit
                name: audit-logs
                outputRefs:
                - kafka-open
              - inputRefs:
                - infrastructure
                name: infrastructure-logs
                outputRefs:
                - kafka-open
        remediationAction: inform
        severity: low
  remediationAction: inform


The applied ClusterLogForwarder configuration continues to grow in size as additional content is continually added to the spec.

apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  annotations:
    ran.openshift.io/ztp-deploy-wave: "10"
  creationTimestamp: "2021-12-22T15:21:53Z"
  generation: 839
  name: instance
  namespace: openshift-logging
  resourceVersion: "419157"
  uid: 9101269b-f222-4f83-a36f-cb1cb0648749
spec:
  inputs:
  - infrastructure: {}
    name: infra-logs
  - infrastructure: {}
    name: infra-logs
  - infrastructure: {}
    name: infra-logs
<snip 840 additional identical entries>


Version-Release number of selected component (if applicable): 4.10


How reproducible: Always


Steps to Reproduce:
1. Deploy cluster using gitops ZTP configured for inform policies
2. Use Topology Aware Lifecycle Operator to remediate those policies to cluster
3.

Actual results:
ClusterLogForwarder inform policy does not go compliant but the enforce policy does. ClusterLogForwarder CR on the cluster continues to grow.

Expected results:
Both policies go compliant. ClusterLogForwarder gets desired content.

Additional info:
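
A check for the runaway growth shown in the report above, as an added example that is not part of the original bug report or of any Red Hat tooling: it flags list entries in a ClusterLogForwarder spec that repeat the same name and a metadata.generation that keeps climbing. The sample CR is constructed from the values quoted in the report, and the function names and the generation threshold are assumptions.

```python
import json
from collections import Counter

# Constructed sample shaped like the CR in the report (three of the repeated
# entries shown); the "outputs" entry is a non-duplicated control.
SAMPLE_CR = json.loads("""
{
  "kind": "ClusterLogForwarder",
  "metadata": {"name": "instance", "namespace": "openshift-logging", "generation": 839},
  "spec": {
    "inputs": [
      {"infrastructure": {}, "name": "infra-logs"},
      {"infrastructure": {}, "name": "infra-logs"},
      {"infrastructure": {}, "name": "infra-logs"}
    ],
    "outputs": [{"name": "kafka-open", "type": "kafka", "url": "tcp://10.1.2.3:9092/test"}]
  }
}
""")

NAMED_LISTS = ("inputs", "outputs", "pipelines")  # spec lists whose entries carry a "name"

def duplicate_names(cr):
    """Return {list_name: {entry_name: count}} for names occurring more than once."""
    report = {}
    for key in NAMED_LISTS:
        entries = cr.get("spec", {}).get(key) or []
        counts = Counter(e["name"] for e in entries if isinstance(e, dict) and e.get("name"))
        dupes = {name: n for name, n in counts.items() if n > 1}
        if dupes:
            report[key] = dupes
    return report

def check_cr(cr, max_generation=50):
    """Return findings as strings; max_generation is an assumed alert threshold."""
    findings = []
    for key, dupes in duplicate_names(cr).items():
        for name, n in sorted(dupes.items()):
            findings.append(f"spec.{key}: name {name!r} appears {n} times")
    gen = cr.get("metadata", {}).get("generation", 0)
    if gen > max_generation:
        findings.append(f"metadata.generation is {gen}: object is being rewritten repeatedly")
    return findings

if __name__ == "__main__":
    for line in check_cr(SAMPLE_CR):
        print(line)
```

On a live cluster the same functions can be fed the output of `oc get clusterlogforwarder instance -n openshift-logging -o json` parsed with `json.loads`.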

Comment 2 yliu1 2022-02-01 18:19:45 UTC
ZTP install with TALO succeeded using ztp site generate image built from master branch.

Comment 5 errata-xmlrpc 2022-03-12 04:39:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056