Bug 1723753 - OpenShift incorrectly applies RFC 6902 JSON PATCH
Summary: OpenShift incorrectly applies RFC 6902 JSON PATCH
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 3.11.0
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: ---
: 3.11.z
Assignee: Lukasz Szaszkiewicz
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-06-25 10:02 UTC by Keith Wall
Modified: 2023-10-06 18:23 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-03 15:56:02 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift origin issues 23206 0 None closed OpenShift incorrectly applies RFC 6902 JSON PATCH 2020-06-02 13:00:13 UTC
Github openshift origin pull 22267 0 None closed Limit the number of operations in a single json patch to be 10,000 2020-06-02 13:00:14 UTC
Github openshift origin pull 23269 0 None closed Bug 1723753: OpenShift incorrectly applies RFC 6902 JSON PATCH 2020-06-02 13:00:13 UTC
Github openshift origin pull 23565 0 None closed Bug 1723753: OpenShift incorrectly applies RFC 6902 JSON PATCH 2020-06-02 13:00:13 UTC
Github openshift ose pull 1528 0 None None None 2020-06-02 13:00:13 UTC
Red Hat Product Errata RHBA-2019:2580 0 None None None 2019-09-03 15:56:21 UTC

Description Keith Wall 2019-06-25 10:02:20 UTC 
Description of problem:

(Please refer to PR https://github.com/openshift/origin/pull/22267)

AMQ Online runs on OpenShift. We have run into a bug in the OpenShift
server handling of RFC 6902 JSON PATCH.  The
implementation of the "move" operation is broken.  This bug can
generate patched resources that are wrong, or in some case, later
operations within the same patch will error spuriously.

It affects the AMQ Online upgrade use case.  When a user deploys a new
AMQ Online over an old one, internally, AMQ Online uses
io.fabric8.kubernetes.client.dsl.Patchable#patch to alter the desired
state of resources to the upgraded form.  This defect means that this
automated upgrade process can fail or generate invalid results.

I have described the defect here and attached a reproducer that
demonstrates that "move" is incorrectly implemented.

https://github.com/openshift/origin/issues/23206

We know from commentary provided on https://github.com/openshift/origin/issues/23206 that the defect is fixed in OpenShift 4.1, however, OpenShift 3.11 remains supported and is a supported platform for AMQ Online, so the issue remains live for customers of this product.

Version-Release number of selected component (if applicable):

3.11

How reproducible:

100%

Steps to Reproduce:

Steps enumerated https://github.com/openshift/origin/issues/23206

Actual results:

Corrupted resource declaration (statefulsets, deployments etc).


Expected results:

Corrected patched resources.

Additional info:
Comment 11 Xingxing Xia 2019-08-23 13:24:56 UTC 
Lukasz, there is an OCP v3.11.139 env on hand, verified it with comment 2 steps:
oc new-app openshift/hello-openshift A=a B=b C=c D=d E=e

oc patch dc hello-openshift --type=json -p='[ { "op" : "move", "from" : "/spec/template/spec/containers/0/env/1", "path" : "/spec/template/spec/containers/0/env/2" } ]'

oc get dc hello-openshift -o yaml
...
    spec:
      containers:
      - env:
        - name: A
          value: a
        - name: C
          value: c
        - name: B
          value: b
        - name: D
          value: d
        - name: E
          value: e

It moves B to the target index 2 correctly.

Will move to VERIFIED once bug is attached in an errata advisory that moves it to ON_QA
Comment 14 errata-xmlrpc 2019-09-03 15:56:02 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2580
Note You need to log in before you can comment on or make changes to this bug.