Description of problem: Operator Authors can create CSVs that define Webhooks with containerPorts set outside the range of 0-65535, which prevents the ValidatingWebhookConfiguration or MutatingWebhookConfiguration from being created due to failed validation. Version-Release number of selected component (if applicable): 4.6.0 How reproducible: Always Steps to Reproduce: 1.Install a CSV that defines a webhook whose containerPort value is less than 0 or greater than 65535. Actual results: Validating / mutating webhook is not created, CSV rotates through different install phases. Expected results: The webhook is installed correctly and the operator reaches the succeeded phase. Additional info:
Example OLM Failure Log: ``` time="2020-10-27T14:02:12Z" level=error msg="Webhooks: Error creating MutatingWebhookConfiguration: MutatingWebhookConfiguration.admissionregistration.k8s.io \"mopentelemetrycollector.kb.io-gtbpc\" is invalid: webhooks[0].clientConfig.service.port: Invalid value: 0: port is not valid: must be between 1 and 65535, inclusive" ```
Version: [root@preserve-olm-env 1891898]# oc version Client Version: 4.6.0-rc.4 Server Version: 4.7.0-0.nightly-2020-11-04-224753 Kubernetes Version: v1.19.2+6bd0f34 [root@preserve-olm-env 1891898]# oc exec olm-operator-96859b4c-j4w6g -n openshift-operator-lifecycle-manager -- olm --version OLM version: 0.17.0 git commit: 594996a0f09040c56312fdb8c9321284529283fe Steps to test: 1, Create a new project [root@preserve-olm-env 1891898]# oc new-project test-operators Now using project "test-operators" on server "https://api.yhui-471.qe.devcluster.openshift.com:6443". 2, Create a operatorgroup in the new project. [root@preserve-olm-env 1891898]# cat og.yaml apiVersion: operators.coreos.com/v1alpha2 kind: OperatorGroup metadata: name: hui-og namespace: test-operators spec: targetNamespaces: - test-operators [root@preserve-olm-env 1891898]# oc create -f og.yaml operatorgroup.operators.coreos.com/hui-og created 3, Prepare a CSV yaml file. The containerPort is set to 0. 4, Install the CSV. [root@preserve-olm-env 1891898]# oc apply -f csv.yaml The ClusterServiceVersion "webhook.v1.0.0" is invalid: spec.webhookdefinitions.containerPort: Invalid value: 1: spec.webhookdefinitions.containerPort in body should be greater than or equal to 1 The CSV cannot be created. This is what we expected. But I think the information should be modified. Invalid value: 1 -> Invalid value: 0 5, Prepare a CSV yaml file. The containerPort is set to 65536. 6, Install the CSV. [root@preserve-olm-env 1891898]# oc apply -f csv.yaml The ClusterServiceVersion "webhook.v1.0.0" is invalid: spec.webhookdefinitions.containerPort: Invalid value: 65535: spec.webhookdefinitions.containerPort in body should be less than or equal to 65535 The CSV cannot be created. This is what we expected. But I think the information should be modified. Invalid value: 65535 -> Invalid value: 65536 "Invalid value" should be changed to actual value which set in the CSV yaml file. This should be modified. Assigned the bug.
@yhui the error messages you received when creating the CSV are defaults defined in the CSV and are not controlled by the OLM team - we cannot change these messages. I am placing this ticket back on QE.
Sorry - I meant to say that min/max values are defined by fields in the CSV's CRD, OLM does not generate these messages sent to the user when a value is provided that is not within the defined range.
Version: [root@preserve-olm-env ~]# oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.7.0-0.nightly-2020-11-10-023606 True False 23m Cluster version is 4.7.0-0.nightly-2020-11-10-023606 [root@preserve-olm-env ~]# oc exec olm-operator-67c77688f7-5q4q7 -n openshift-operator-lifecycle-manager -- olm --version OLM version: 0.17.0 git commit: 161c86b215ceae325d7bf8f7f351406a0303ca27 Steps to test: 1, Create a new project [root@preserve-olm-env 1891898]# oc new-project test-operators Now using project "test-operators" on server "https://api.knarra1110.qe.devcluster.openshift.com:6443". 2, Create a operatorgroup in the new project. [root@preserve-olm-env 1891898]# cat og.yaml apiVersion: operators.coreos.com/v1alpha2 kind: OperatorGroup metadata: name: hui-og namespace: test-operators spec: targetNamespaces: - test-operators [root@preserve-olm-env 1891898]# oc create -f og.yaml operatorgroup.operators.coreos.com/hui-og created 3, Prepare a CSV yaml file. The containerPort is set to 0. 4, Install the CSV. [root@preserve-olm-env 1891898]# oc apply -f csv.yaml The ClusterServiceVersion "webhook.v1.0.0" is invalid: spec.webhookdefinitions.containerPort: Invalid value: 1: spec.webhookdefinitions.containerPort in body should be greater than or equal to 1 The CSV cannot be created. This is what we expected. 5, Prepare a CSV yaml file. The containerPort is set to 65536. 6, Install the CSV. [root@preserve-olm-env 1891898]# oc apply -f csv.yaml The ClusterServiceVersion "webhook.v1.0.0" is invalid: spec.webhookdefinitions.containerPort: Invalid value: 65535: spec.webhookdefinitions.containerPort in body should be less than or equal to 65535 The CSV cannot be created. This is what we expected. Verify the bug.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633