Bug 1904583 - Operator upgrades can delete existing CSV before completion
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: OLM
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 4.6.z
Assignee: Vu Dinh
QA Contact: Jian Zhang
URL:
Whiteboard:
Depends On: 1857877
Blocks: 1904584
Reported: 2020-12-04 20:35 UTC by OpenShift BugZilla Robot
Modified: 2021-01-25 12:33 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-12-21 13:24:19 UTC
Target Upstream Version:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Github operator-framework operator-lifecycle-manager pull 1890 | 0 | None | closed | Bug 1904583: Check sa owner 46 | 2021-02-15 08:49:44 UTC
Red Hat Product Errata RHSA-2020:5614 | 0 | None | None | None | 2020-12-21 13:24:47 UTC

Comment 2 Jian Zhang 2020-12-14 03:06:43 UTC
Cluster version is 4.6.0-0.nightly-2020-12-14-015205
[root@preserve-olm-env data]# oc -n openshift-operator-lifecycle-manager exec catalog-operator-6bc7d9ff89-rnszx -- olm --version
OLM version: 0.16.1
git commit: fe32277830b3dc086e014c0e3391de671e5f49f4

1, Consume this special CatalogSource image.
[root@preserve-olm-env data]# cat cs-etcd.yaml 
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: etcd-test
  namespace: openshift-marketplace
spec:
  displayName: Jian Test
  publisher: Jian
  sourceType: grpc
  image: quay.io/olmqe/etcd-index:0.9.4-sa
  updateStrategy:
    registryPoll:
      interval: 10m
[root@preserve-olm-env data]# 
[root@preserve-olm-env data]# oc create -f cs-etcd.yaml 
catalogsource.operators.coreos.com/etcd-test created

[root@preserve-olm-env data]# oc get catalogsource -n openshift-marketplace
NAME                  DISPLAY               TYPE   PUBLISHER   AGE
...
etcd-test             Jian Test             grpc   Jian        60s
...

2, Subscribe to the etcd operator with manual approval.

[root@preserve-olm-env data]# cat og.yaml 
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: test-og
  namespace: default
spec:
  targetNamespaces:
  - default
[root@preserve-olm-env data]# oc create -f og.yaml 
operatorgroup.operators.coreos.com/test-og created
[root@preserve-olm-env data]# cat sub-0.9.2.yaml 
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: etcd-sub
  namespace: default
spec:
  installPlanApproval: Manual
  channel: alpha
  name: etcd
  source: etcd-test
  sourceNamespace: openshift-marketplace
  startingCSV: etcdoperator.v0.9.2
[root@preserve-olm-env data]# oc create -f sub-0.9.2.yaml 
subscription.operators.coreos.com/etcd-sub created

[root@preserve-olm-env data]# oc get sub -n default
NAME       PACKAGE   SOURCE      CHANNEL
etcd-sub   etcd      etcd-test   alpha
[root@preserve-olm-env data]# oc get ip -n default
NAME            CSV                   APPROVAL   APPROVED
install-542hf   etcdoperator.v0.9.2   Manual     false
[root@preserve-olm-env data]# oc get csv -n default
No resources found in default namespace.


3, Approve etcdoperator.v0.9.2
[root@preserve-olm-env data]# oc get csv
NAME                  DISPLAY   VERSION   REPLACES   PHASE
etcdoperator.v0.9.2   etcd      0.9.2                Succeeded
[root@preserve-olm-env data]# oc get ip
NAME            CSV                   APPROVAL   APPROVED
install-542hf   etcdoperator.v0.9.2   Manual     true
install-lj5k7   etcdoperator.v0.9.4   Manual     false

4, Approve etcdoperator.v0.9.4
[root@preserve-olm-env data]# oc get ip
NAME            CSV                   APPROVAL   APPROVED
install-542hf   etcdoperator.v0.9.2   Manual     true
install-lj5k7   etcdoperator.v0.9.4   Manual     true
[root@preserve-olm-env data]# oc get csv
NAME                  DISPLAY   VERSION   REPLACES              PHASE
etcdoperator.v0.9.2   etcd      0.9.2                           Replacing
etcdoperator.v0.9.4   etcd      0.9.4     etcdoperator.v0.9.2   Pending
[root@preserve-olm-env data]# oc get sa
NAME            SECRETS   AGE
builder         2         41m
default         2         51m
deployer        2         41m
etcd-operator   2         2m34s


5, The sa still exists and the owner is the v0.9.2 csv.
[root@preserve-olm-env data]# oc get sa etcd-operator -o yaml
apiVersion: v1
imagePullSecrets:
  name: etcd-operator
  namespace: default
  ownerReferences:
  - apiVersion: operators.coreos.com/v1alpha1
    blockOwnerDeletion: false
    controller: false
    kind: ClusterServiceVersion
    name: etcdoperator.v0.9.2
    uid: c99f5618-0f1c-449b-9066-ba79ca48d31b
  resourceVersion: "32632"

The error info is "Service account is not owned by this ClusterServiceVersion", LGTM. Verify it.
[root@preserve-olm-env data]# oc get sa etcd-operator -o yaml
apiVersion: v1
imagePullSecrets:
- name: etcd-operator-dockercfg-9d9bk
kind: ServiceAccount
...
  - group: ""
    kind: ServiceAccount
    message: Service account is not owned by this ClusterServiceVersion
    name: etcd-operator
    status: PresentNotSatisfied
    version: v1
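
The ownership check verified in the comment above can be modelled as follows. This is an added Go example, not OLM's code and not part of the bug report: the types, the function name `saRequirementStatus`, the `Present`/`NotPresent` results, the not-found message and the treatment of a service account with no CSV owner are assumptions. Only the `PresentNotSatisfied` status and its message come from the output above.

```go
package main

import "fmt"

// OwnerRef mirrors the ownerReferences fields shown in the `oc get sa -o yaml` output.
type OwnerRef struct{ APIVersion, Kind, Name, UID string }

// ServiceAccount and CSV are minimal stand-ins (hypothetical, not the Kubernetes/OLM API types).
type ServiceAccount struct {
	Name   string
	Owners []OwnerRef
}
type CSV struct{ Name, UID string }

const csvKind = "ClusterServiceVersion"

// saRequirementStatus returns the requirement status and message a CSV would
// report for a service account it needs. A nil sa means the account is absent.
func saRequirementStatus(sa *ServiceAccount, csv CSV) (status, message string) {
	if sa == nil {
		return "NotPresent", "Service account does not exist" // constructed message
	}
	ownedByCSV := false
	for _, o := range sa.Owners {
		if o.Kind != csvKind {
			continue // ignore owners that are not CSVs
		}
		ownedByCSV = true
		if o.UID == csv.UID {
			return "Present", "" // this CSV already owns the account
		}
	}
	if ownedByCSV {
		// Owned only by another CSV (here v0.9.2): removing that owner would take the account with it.
		return "PresentNotSatisfied", "Service account is not owned by this ClusterServiceVersion"
	}
	// Assumption: an account with no CSV owner is treated as usable.
	return "Present", ""
}

func main() {
	sa := &ServiceAccount{"etcd-operator", []OwnerRef{{"operators.coreos.com/v1alpha1", csvKind,
		"etcdoperator.v0.9.2", "c99f5618-0f1c-449b-9066-ba79ca48d31b"}}}
	// The v0.9.4 UID is constructed; the report does not show it.
	s, m := saRequirementStatus(sa, CSV{"etcdoperator.v0.9.4", "constructed-uid-0.9.4"})
	fmt.Println(s, m)
}
```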

Comment 5 errata-xmlrpc 2020-12-21 13:24:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.6.9 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5614

