Bug 1862969
| Summary: | [OCP v46] The scan pods use private repositories to get 'openscap-ocp' image in Compliance Operator | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Prashant Dhamdhere <pdhamdhe> |
| Component: | Compliance Operator | Assignee: | Jakub Hrozek <jhrozek> |
| Status: | CLOSED ERRATA | QA Contact: | Prashant Dhamdhere <pdhamdhe> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.6 | CC: | josorior, mrogers, xiyuan |
| Target Milestone: | --- | ||
| Target Release: | 4.6.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-10-27 16:22:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
There are two issues:

1. The `latest` tag was not updated during release and so the latest tag was effectively pointing to the previous release... and between the previous and the current releases we have changed the environment variable name, so the deployment yaml was setting the new name, but the image was still only able to consume the old name.
   - I retagged the `:latest` tag on quay.io to remediate this
2. The fallback images in the code were too old.
   - I'll send a separate PR to address this

Fixed upstream: https://github.com/openshift/compliance-operator/commit/4c46953f54a30c8494b1f0e4c7579c89eb0bf0bc

It looks good, the scan pods use official repositories to get 'openscap-ocp' image.
Verified on:
OCP 4.6.0-0.nightly-2020-08-27-005538
compliance-operator.v0.1.13
$ grep "name:\|version" compliance-operator/deploy/olm-catalog/compliance-operator/0.1.13/compliance-operator.v0.1.13.clusterserviceversion.yaml |head -1
name: compliance-operator.v0.1.13
$ oc get pods
NAME READY STATUS RESTARTS AGE
aggregator-pod-worker-scan 0/1 Completed 0 7m56s
compliance-operator-869646dd4f-5vq7z 1/1 Running 0 75m
ocp4-pp-7f89f556cc-zzmkj 1/1 Running 0 74m
rhcos4-pp-7c44999587-bckrn 1/1 Running 0 74m
worker-scan-ip-10-0-150-92.us-east-2.compute.internal-pod 0/2 Completed 0 10m
worker-scan-ip-10-0-177-228.us-east-2.compute.internal-pod 0/2 Completed 0 10m
worker-scan-ip-10-0-219-103.us-east-2.compute.internal-pod 0/2 Completed 0 10m
$ oc get compliancesuite
NAME PHASE RESULT
example-compliancesuite DONE NON-COMPLIANT
$ oc describe pod worker-scan-ip-10-0-150-92.us-east-2.compute.internal-pod | grep -A4 "openscap-ocp"
openscap-ocp:
Container ID: cri-o://08a9552d3f46d231dcc6ffd7698b6299bdd07eeece8b7d938f3d54ac60d800fd
Image: quay.io/compliance-operator/openscap-ocp:1.3.3 <<-------
Image ID: quay.io/compliance-operator/openscap-ocp@sha256:fdc69e5d492a70100f40836e21f36ccb984ac134572fb5af9823c0e8fc88e11b <<-------
Port: <none>
Host Port: <none>
Command:
/scripts/openscap-container-entrypoint
--
Normal Pulled 5m42s kubelet, ip-10-0-150-92.us-east-2.compute.internal Container image "quay.io/compliance-operator/openscap-ocp:1.3.3" already present on machine
Normal Created 5m42s kubelet, ip-10-0-150-92.us-east-2.compute.internal Created container openscap-ocp
Normal Started 5m42s kubelet, ip-10-0-150-92.us-east-2.compute.internal Started container openscap-ocp
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196
Description of problem

The scan pods use private repositories to get 'openscap-ocp' image in Compliance Operator (0.1.12)

$ oc describe pod worker-scan-ip-10-0-205-114.us-east-2.compute.internal-pod |grep -A4 "openscap-ocp"
openscap-ocp:
Container ID: cri-o://302b128b111d20b463c1c3682ff0137b49cc45bcbf6bf628c12a44d3aee32091
Image: quay.io/jhrozek/openscap-ocp:latest <<----
Image ID: quay.io/jhrozek/openscap-ocp@sha256:ce97c544ec38829938e04636274451cc30a79ccf335736edf0891c7500d97f9e
Port: <none>
Host Port: <none>
Command:
/scripts/openscap-container-entrypoint
--
Normal Pulling 3m22s kubelet, ip-10-0-205-114.us-east-2.compute.internal Pulling image "quay.io/jhrozek/openscap-ocp:latest" <<----
Normal Pulled 3m21s kubelet, ip-10-0-205-114.us-east-2.compute.internal Successfully pulled image "quay.io/jhrozek/openscap-ocp:latest" in 549.374915ms <<----

Version-Release -Cluster version 4.6.0-0.nightly-2020-08-02-091622

How reproducible: Always

Steps:

1. Clone compliance-operator git repo
$ git clone https://github.com/openshift/compliance-operator.git

2. Create 'openshift-compliance' namespace
$ oc create -f compliance-operator/deploy/ns.yaml

3. Switch to 'openshift-compliance' namespace
$ oc project openshift-compliance

4. Deploy CustomResourceDefinition.
$ for f in $(ls -1 compliance-operator/deploy/crds/*crd.yaml); do oc create -f $f; done

5. Deploy compliance-operator.
$ oc create -f compliance-operator/deploy/

6. Deploy ComplianceSuite CR
oc create -f - <<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceSuite
metadata:
  name: example-compliancesuite
spec:
  autoApplyRemediations: false
  schedule: "* 1 * * *"
  scans:
    - name: worker-scan
      profile: xccdf_org.ssgproject.content_profile_moderate
      content: ssg-rhcos4-ds.xml
      contentImage: quay.io/complianceascode/ocp4:latest
      nodeSelector:
        node-role.kubernetes.io/worker: ""
EOF

7. Once the scan performs successfully
$ oc get pods
$ oc get compliancesuite
$ oc describe compliancesuite example-compliancesuite|grep -A14 Status:

8. Check scan pod details
$ oc describe pod worker-scan-ip-10-0-205-114.us-east-2.compute.internal-pod |grep -A4 "openscap-ocp"

Actual result:
The scan pods use private repositories to get 'openscap-ocp' image.

Expected results:
The scan pods should not use private repositories to get 'openscap-ocp' image in Compliance Operator.

Additional info
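
The check done by hand in this report (reading the `Image:` line of each scan pod) can be automated. The following is an added example, not part of the bug report or the Compliance Operator code: it audits pod JSON for images outside an allowlisted repository prefix and for floating `latest` tags. The allowlist policy, the function names and the sample pod names are assumptions; the two image references are the ones shown on this page.

```python
import json
import sys

# Assumption: the approved prefix is taken from the verified output on this
# page; the policy (prefix allowlist, no floating tags) is illustrative.
APPROVED_PREFIXES = ("quay.io/compliance-operator/",)

# Constructed sample in the shape of `oc get pods -o json` (pod names invented).
SAMPLE_PODS = {"items": [
    {"metadata": {"name": "worker-scan-example-a"},
     "spec": {"containers": [
         {"name": "openscap-ocp", "image": "quay.io/jhrozek/openscap-ocp:latest"}]}},
    {"metadata": {"name": "worker-scan-example-b"},
     "spec": {"containers": [
         {"name": "openscap-ocp",
          "image": "quay.io/compliance-operator/openscap-ocp:1.3.3"}]}},
]}

def parse_image(ref):
    """Split an image reference into (repository, tag, digest)."""
    ref, _, digest = ref.partition("@")
    tag = None
    # A ':' after the last '/' starts a tag; an earlier one is a registry port.
    if ":" in ref.rsplit("/", 1)[-1]:
        ref, tag = ref.rsplit(":", 1)
    if tag is None and not digest:
        tag = "latest"  # the runtime's implicit default
    return ref, tag, digest or None

def audit_pods(pod_list):
    """Return (pod, container, image, reason) tuples for policy violations."""
    findings = []
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            repo, tag, digest = parse_image(c["image"])
            hit = (pod["metadata"]["name"], c["name"], c["image"])
            if not repo.startswith(APPROVED_PREFIXES):
                findings.append(hit + ("repository not on allowlist",))
            if digest is None and tag == "latest":
                findings.append(hit + ("floating 'latest' tag",))
    return findings

if __name__ == "__main__":
    # Pipe `oc get pods -o json` in, or run with no input to use the sample.
    pods = SAMPLE_PODS if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in audit_pods(pods):
        print(" | ".join(finding))
```
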