1865804 – The existing profile.compliance object is getting removed when a new probilebundle gets created

Bug 1865804 - The existing profile.compliance object is getting removed when a new probilebundle gets created

Summary: The existing profile.compliance object is getting removed when a new probileb...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Compliance Operator
Sub Component:
Version:	4.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	4.6.0
Assignee:	Jakub Hrozek
QA Contact:	Prashant Dhamdhere
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-08-04 08:31 UTC by xiyuan
Modified:	2020-10-27 16:23 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-10-27 16:23:12 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:4196	0	None	None	None	2020-10-27 16:23:29 UTC

Description xiyuan 2020-08-04 08:31:23 UTC

Description of problem 
The existing profile.compliance object is getting removed when a new probilebundle gets created

Version-Release -Cluster version 
4.6.0-0.nightly-2020-08-04-002217

Reproduce
Sometimes

Reproduce step
1. install compliance operator:
 1.1 clone compliance-operator git repo
 $ git clone https://github.com/openshift/compliance-operator.git
 1.2 Create 'openshift-compliance' namespace
 $ oc create -f compliance-operator/deploy/ns.yaml  
 1.3 Switch to 'openshift-compliance' namespace
 $ oc project openshift-compliance
 1.4 Deploy CustomResourceDefinition.
 $ for f in $(ls -1 compliance-operator/deploy/crds/*crd.yaml); do oc create -f $f; done
 1.5 Deploy compliance-operator.
 $ oc create -f compliance-operator/deploy/

2. oc get profile.compliance
$ oc get profiles.compliance
 NAME             AGE
 ocp4-cis         8h
 ocp4-e8          8h
 ocp4-moderate    8h
 ocp4-ncp         8h
 rhcos4-e8        8h
 rhcos4-moderate  8h
 rhcos4-ncp       8h

Remove system hostname from command output

3. Create new profilebundles:
$  oc create -f - << EOF  
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ProfileBundle
> metadata:
>   name: test1
> spec:
>   contentImage: quay.io/jhrozek/ocp4-openscap-content@sha256:a1709f5150b17a9560a5732fe48a89f07bffc72c0832aa8c49ee5504510ae687
>   contentFile: ssg-rhcos4-ds.xml
> EOF
profilebundle.compliance.openshift.io/test1 created

Actual result

The existing profile.compliance is getting removed when a new probilebundle gets created

$ oc get profilebundles
NAME     CONTENTIMAGE                                                                                                    STATUS
ocp4     quay.io/complianceascode/ocp4:latest                                                                            VALID
rhcos4   quay.io/complianceascode/ocp4:latest                                                                            VALID
test1    quay.io/jhrozek/ocp4-openscap-content@sha256:a1709f5150b17a9560a5732fe48a89f07bffc72c0832aa8c49ee5504510ae687   VALID
$ oc get profile.compliance
NAME             AGE
test1-e8         9m19s
test1-moderate   9m19s
test1-ncp        9m19s

Expected result
The existing profile.compliance object should not be removed when a new profilebundles or profile.compliance object get created

Comment 1 Jakub Hrozek 2020-08-04 08:47:37 UTC

I think I know what's going on and how to fix it..

Comment 2 Jakub Hrozek 2020-08-05 14:20:55 UTC

WIP: https://github.com/jhrozek/compliance-operator-1/commits/trackimg

I am on PTO thursday and friday; the code already works well, but I guess I'm out of time to provide a test. Feel free to pick the work up if the fix is very urgent..

Comment 3 Jakub Hrozek 2020-08-12 11:49:35 UTC

PR: https://github.com/openshift/compliance-operator/pull/398

Comment 4 Jakub Hrozek 2020-08-17 18:51:46 UTC

Merged upstream with https://github.com/openshift/compliance-operator/commit/0642dcf4a3177190a4f3dd4b49c07e605165d743

Comment 7 Prashant Dhamdhere 2020-08-27 06:11:08 UTC

Now,The existing profile.compliance object does get removed when a new profilebundles or profile.compliance object get created


Verified on: 
OCP 4.6.0-0.nightly-2020-08-27-005538
compliance-operator.v0.1.13


$ oc get profilebundles
NAME     CONTENTIMAGE                           STATUS
ocp4     quay.io/complianceascode/ocp4:latest   VALID
rhcos4   quay.io/complianceascode/ocp4:latest   VALID


$ oc get profiles.compliance
NAME              AGE
ocp4-cis          77m
ocp4-e8           77m
ocp4-moderate     77m
ocp4-ncp          77m
rhcos4-e8         77m
rhcos4-moderate   77m
rhcos4-ncp        77m


$ oc create -f - << EOF  
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ProfileBundle
> metadata:
>   name: test1
> spec:
>   contentImage: quay.io/jhrozek/ocp4-openscap-content@sha256:a1709f5150b17a9560a5732fe48a89f07bffc72c0832aa8c49ee5504510ae687
>   contentFile: ssg-rhcos4-ds.xml
> EOF
profilebundle.compliance.openshift.io/test1 created

                                                       
$ oc get pods
NAME                                                         READY   STATUS      RESTARTS   AGE
aggregator-pod-worker-scan                                   0/1     Completed   0          18m
compliance-operator-869646dd4f-5vq7z                         1/1     Running     0          85m
ocp4-pp-7f89f556cc-zzmkj                                     1/1     Running     0          85m
rhcos4-pp-7c44999587-bckrn                                   1/1     Running     0          85m
test1-pp-6588d99d8f-pvkr2                                    1/1     Running     0          2m58s
worker-scan-ip-10-0-150-92.us-east-2.compute.internal-pod    0/2     Completed   0          21m
worker-scan-ip-10-0-177-228.us-east-2.compute.internal-pod   0/2     Completed   0          21m
worker-scan-ip-10-0-219-103.us-east-2.compute.internal-pod   0/2     Completed   0          21m


$ oc get profilebundles
NAME     CONTENTIMAGE                                                                                                    STATUS
ocp4     quay.io/complianceascode/ocp4:latest                                                                            VALID
rhcos4   quay.io/complianceascode/ocp4:latest                                                                            VALID
test1    quay.io/jhrozek/ocp4-openscap-content@sha256:a1709f5150b17a9560a5732fe48a89f07bffc72c0832aa8c49ee5504510ae687   VALID


$ oc get profiles.compliance
NAME              AGE
ocp4-cis          85m
ocp4-e8           85m
ocp4-moderate     85m
ocp4-ncp          85m
rhcos4-e8         85m
rhcos4-moderate   85m
rhcos4-ncp        85m
test1-e8          3m15s
test1-moderate    3m15s
test1-ncp         3m15s

Comment 9 errata-xmlrpc 2020-10-27 16:23:12 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

Note You need to log in before you can comment on or make changes to this bug.