Bug 1885398 - CSV with only Webhook conversion can't be installed
Summary: CSV with only Webhook conversion can't be installed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: OLM
Version: 4.6
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.7.0
Assignee: Alexander Greene
QA Contact: Jian Zhang
URL:
Whiteboard:
Depends On:
Blocks: 1886448
TreeView+ depends on / blocked
 
Reported: 2020-10-05 19:42 UTC by Marcel Apfelbaum
Modified: 2022-11-28 03:35 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: When deploying an operator with an API Service, Conversion Webhook, or an Admission Webhook, OLM should retrieve the CA from an existing resource in order to calculate a CA Hash annotation. This annotation influences a Deployment Hash that OLM relies on to confirm that the deployment is installed correctly. OLM currently does not retrieve the CA from Conversion Webhooks, resulting in a bad Deployment Hash which causes OLM to attempt to reinstall the CSV. Consequence: If a CSV defines a Conversion Webhook but does not include an API Service or an Admission Webhook the CSV will cycle through the Pending, ReadyToInstall, and Installing phases indefinitely. Fix: OLM so it will use the existing Conversion Webhook to retrieve that value of the CA and correctly calculate the Deployment Hash. Result: OLM can now install CSVs that define a Conversion Webhook without an API Service or Admission Webhook.
Clone Of:
Environment:
Last Closed: 2021-02-24 15:23:10 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Proposed patch (1.32 KB, patch)
2020-10-05 19:46 UTC, Marcel Apfelbaum
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Github operator-framework operator-lifecycle-manager pull 1797 0 None closed Bug 1885398: Retrieve CA from conversion webhooks for CA Hash 2021-02-11 15:30:17 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:23:51 UTC

Description Marcel Apfelbaum 2020-10-05 19:42:35 UTC
Description of problem:
A CSV with only a Conversion Webhook and no other Mutating/Validating  Wenhooks can't be installed.
Installation will be stuck in the loop: ReadyToInstall ->Installing -> Pending -> ReadyToInstall

The only info in events is:
"calculated deployment install is bad"

Version-Release number of selected component (if applicable):
Latest

How reproducible:
100%

Steps to Reproduce:
1. Deploy an operator having a CSV only with a Webhook Conversion.


Additional info:
The root cause  is hidden by:
   https://github.com/operator-framework/operator-lifecycle-manager/blob/master/pkg/controller/operators/olm/operator.go#L1535
that hides the actual error.
In this case the cause was a missing flow in:
   https://github.com/operator-framework/operator-lifecycle-manager/blob/master/pkg/controller/operators/olm/apiservices.go#L264
It does not handle the desc.Type == v1alpha1.ConversionWebhook case.

Comment 1 Marcel Apfelbaum 2020-10-05 19:46:15 UTC
Created attachment 1719144 [details]
Proposed patch

Proposed by Alexander Greene
Verified by Marcel Apfelbaum

Comment 4 yhui 2020-10-20 16:54:24 UTC
Version:
[hui@localhost 1020]$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2020-10-17-034503   True        False         10h     Cluster version is 4.7.0-0.nightly-2020-10-17-034503
[hui@localhost 1020]$ oc exec olm-operator-69b864f866-6sjj4 -n openshift-operator-lifecycle-manager -- olm --version
OLM version: 0.16.1
git commit: e2c0f2c47573ec5dfc509502881fa3dd8eb7bae9

Test procedure:
1. Download the latest example operators https://github.com/awgreene/webhook-operator/tree/olm.

2. Following the guide to install the operators using OLM.
[root@preserve-olm-env webhook-operator]# kubectl apply -f olm/ocp/install/00_catsrc.yaml
catalogsource.operators.coreos.com/webhook-operator-catalog created
[root@preserve-olm-env webhook-operator]# kubectl apply -f olm/ocp/install/01_sub.yaml
subscription.operators.coreos.com/webhook-operator-subscription created

3. Check the sub, csv and pods have been created successfully.
[root@preserve-olm-env webhook-operator]# oc get sub -n openshift-operators
NAME                            PACKAGE            SOURCE                     CHANNEL
webhook-operator-subscription   webhook-operator   webhook-operator-catalog   alpha
[root@preserve-olm-env webhook-operator]# oc get csv -n openshift-operators
NAME                      DISPLAY            VERSION   REPLACES   PHASE
webhook-operator.v0.0.1   Webhook Operator   0.0.1                Succeeded
[root@preserve-olm-env webhook-operator]# oc get pods -n openshift-operators
NAME                                        READY   STATUS    RESTARTS   AGE
webhook-operator-webhook-5598fb7797-m5rhp   2/2     Running   0          47m

4. Edit the CSV to remove validating and mutating webhooks. Only left conversion webhook.
[root@preserve-olm-env webhook-operator]# oc edit csv webhook-operator.v0.0.1 -n openshift-operators
clusterserviceversion.operators.coreos.com/webhook-operator.v0.0.1 edited

5. Delete the pods. Then the pods have been installed successfully again.
[root@preserve-olm-env webhook-operator]# oc get pods -n openshift-operators
NAME                                        READY   STATUS    RESTARTS   AGE
webhook-operator-webhook-5598fb7797-cmrx6   2/2     Running   0          18s

The operator having a CSV only with a Conversion webhook can be installed successfully.
Verify the bug on 4.7.0.

Comment 8 errata-xmlrpc 2021-02-24 15:23:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633


Note You need to log in before you can comment on or make changes to this bug.