Bug 1807572 - Prevent installation of CNV in the openshift-operators namespace
Summary: Prevent installation of CNV in the openshift-operators namespace
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Installation
Version: 2.3.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
: 2.3.0
Assignee: Oren Cohen
QA Contact: Irina Gulina
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-02-26 16:08 UTC by Jean-Francois Saucier
Modified: 2023-03-24 17:03 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-04 19:10:56 UTC
Target Upstream Version:
Embargoed:
ocohen: needinfo-


Attachments
verification - grayed out (56.10 KB, image/png), 2020-03-13 13:47 UTC, Irina Gulina
verification - time out on install to wrong ns (78.01 KB, image/png), 2020-03-13 13:48 UTC, Irina Gulina
verification - error on wrong named cr (55.15 KB, image/png), 2020-03-13 13:48 UTC, Irina Gulina
verification logs - error on install to non existing ns (49.10 KB, image/png), 2020-03-13 13:49 UTC, Irina Gulina
verification - error on cr create in wrong ns (53.75 KB, image/png), 2020-03-13 13:50 UTC, Irina Gulina


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2020:2011 0 None None None 2020-05-04 19:11:06 UTC

Description Jean-Francois Saucier 2020-02-26 16:08:47 UTC
Description of problem:

While it is documented in our installation documentation to only deploy CNV using the openshift-cnv namespace, nothing prevents someone from deploying in the openshift-operators namespace and getting a failed deployment.

The openshift-operators is also the default namespace for many other operators and someone familiar with deployment might use this namespace out of habit.


Version-Release number of selected component (if applicable):

All CNV 2.x versions


How reproducible:

Every time you deploy in a namespace other than openshift-cnv.


Steps to Reproduce:
1. Deploy CNV in the openshift-operators namespace
2. Deployment fails with unknown errors while still trying to deploy
3.


Actual results:

The deployment starts in the openshift-operators namespace


Expected results:

The deployment does not start and the user receives an error message to not deploy in this namespace.


Additional info:

Comment 5 Dan Kenigsberg 2020-02-26 19:51:06 UTC
Oren, I believe that your https://github.com/kubevirt/hyperconverged-cluster-operator/pull/408 should address this problem, right?

Comment 7 Oren Cohen 2020-02-27 10:04:28 UTC
(In reply to Dan Kenigsberg from comment #5)
> Oren, I believe that your
> https://github.com/kubevirt/hyperconverged-cluster-operator/pull/408 should
> address this problem, right?

Correct, I'm in contact with OLM to try to understand the error I got when trying to configure the operator's InstallMode to be supported only at one namespace. Expected result is greying-out the default option (which installs the operator in openshift-operators namespaces and copies it to all namespaces).
https://github.com/operator-framework/operator-lifecycle-manager/issues/1297

Comment 8 Oren Cohen 2020-03-03 14:36:58 UTC
InstallMode of "AllNamespaces" and "MultipleNamespaces" have been changed to false in CSV, and the PR has been merged and cherry-picked to release-2.3
Master - https://github.com/kubevirt/hyperconverged-cluster-operator/pull/461/
2.3 Branch - https://github.com/kubevirt/hyperconverged-cluster-operator/pull/467

This should grey-out the default option in operator subscription UI page of OLM.

Another ongoing PR is intending to validate the namespace of deployed HCO CR, to be compatible with the convention (U/S: kubevirt-hyperconverged; D/S: openshift-cnv).
https://github.com/kubevirt/hyperconverged-cluster-operator/pull/483

Comment 9 Oren Cohen 2020-03-05 16:22:35 UTC
Changing to "ON_QA" as downstream bundle image with this change will be consumable shortly.

To summarize, we implemented 3 different fail-safe methods:
1. User cannot deploy the operator in default option where it would be installed on all namespaces - this option is greyed-out.
2. Suggested namespace encourages the user to deploy at a specific namespace. If the user chooses another one, the HCO operator installation fails and hco-operator pod crashloops with log of:
"Please re-deploy this operator into kubevirt-hyperconverged namespace","Expected.Namespace":"kubevirt-hyperconverged","Deployed.Namespace":"default","error":"Operator running in different namespace than expected"
3. When the user tries to deploy the HCO CR at the wrong namespace, he gets a validation error and the correct namespace is specified.
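
Added example, not part of the comment above and not OLM's or the HCO project's code: a simplified Go model of methods 1 and 2 from comment 9, showing why an install into openshift-operators (whose OperatorGroup targets all namespaces) is rejected once AllNamespaces is unsupported. Assumptions: a global OperatorGroup is represented by a single empty-string target, OwnNamespace and SingleNamespace remain supported, mode names follow OLM's spelling (MultiNamespace), and `requiredMode` and `CheckInstall` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
)

// requiredMode maps an OperatorGroup's resolved targets to the install mode a
// CSV must support. Assumption of this example: "" means "all namespaces".
func requiredMode(operatorNS string, targets []string) (string, error) {
	switch {
	case len(targets) == 0:
		return "", errors.New("operator group selects no namespaces")
	case len(targets) > 1:
		return "MultiNamespace", nil
	case targets[0] == "":
		return "AllNamespaces", nil
	case targets[0] == operatorNS:
		return "OwnNamespace", nil
	default:
		return "SingleNamespace", nil
	}
}

// CheckInstall (hypothetical helper) rejects an install whose OperatorGroup
// needs a mode the CSV does not support (method 1), or whose namespace is not
// the expected one (method 2).
func CheckInstall(supported map[string]bool, expectedNS, operatorNS string, targets []string) error {
	mode, err := requiredMode(operatorNS, targets)
	if err != nil {
		return err
	}
	if !supported[mode] {
		return fmt.Errorf("install mode %s is not supported by the CSV", mode)
	}
	if operatorNS != expectedNS {
		return fmt.Errorf("operator running in %q, expected %q", operatorNS, expectedNS)
	}
	return nil
}

func main() {
	// Constructed sample: AllNamespaces and MultiNamespace switched off.
	csv := map[string]bool{"OwnNamespace": true, "SingleNamespace": true}
	fmt.Println(CheckInstall(csv, "openshift-cnv", "openshift-operators", []string{""}))
	fmt.Println(CheckInstall(csv, "openshift-cnv", "default", []string{"default"}))
	fmt.Println(CheckInstall(csv, "openshift-cnv", "openshift-cnv", []string{"openshift-cnv"}))
}
```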

Comment 10 Irina Gulina 2020-03-13 13:47:21 UTC
Created attachment 1669947 [details]
verification - grayed out

Comment 11 Irina Gulina 2020-03-13 13:48:06 UTC
Created attachment 1669948 [details]
verification - time out on install to wrong ns

Comment 12 Irina Gulina 2020-03-13 13:48:50 UTC
Created attachment 1669949 [details]
verification - error on wrong named cr

Comment 13 Irina Gulina 2020-03-13 13:49:44 UTC
Created attachment 1669950 [details]
verification logs - error on install to non existing ns

Comment 14 Irina Gulina 2020-03-13 13:50:36 UTC
Created attachment 1669951 [details]
verification - error on cr create in wrong ns

Comment 15 Irina Gulina 2020-03-13 13:53:52 UTC
All three bullets of comment #9 verified. See the screenshots attached. 
Also, see verified jira cards: CNV-3620, CNV-3940, CNV-4138, CNV-4131 and CNV-3784

Comment 16 Irina Gulina 2020-03-13 13:55:06 UTC
The corresponding doc changes are tracked here: https://github.com/openshift/openshift-docs/pull/20118

Comment 19 errata-xmlrpc 2020-05-04 19:10:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:2011

