Bug 1956606 - probes FlowSchema manifest not included in any cluster profile
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.8.0
Assignee: Abu Kashem
QA Contact: Ke Wang
URL:
Whiteboard:
Depends On: 1927397
Blocks: 1948703
Reported: 2021-05-04 04:08 UTC by W. Trevor King
Modified: 2021-07-27 23:06 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-27 23:05:53 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-kube-apiserver-operator pull 1099 0 None closed Bug 1956606: Revert "Merge pull request #1060" (Use the flow schema introduced in upstream) 2021-06-03 18:38:26 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 23:06:24 UTC

Description W. Trevor King 2021-05-04 04:08:50 UTC
Investigating 4.8.0-fc.2:

$ oc adm release extract --to manifests quay.io/openshift-release-dev/ocp-release:4.8.0-fc.2-x86_64
$ for X in manifests/*.yaml; do ENTRIES="$(yaml2json < "${X}" | jq -r '.[].metadata | select((.annotations // {}) | keys | tostring | contains("include.release.openshift.io/") | not) | .namespace + " " + .name + " " + (.annotations | tostring)')"; if test -n "${ENTRIES}"; then echo "${X}"; echo "${ENTRIES}"; fi done
manifests/0000_20_kube-apiserver-operator_08_flowschema.yaml
 probes null
...

That entry is [1], from [2].  Without the profile annotations, the CVO will never push it into the cluster.  No sense in keeping the manifest around then.  This bug can be used to land [3].

[1]: https://github.com/openshift/cluster-kube-apiserver-operator/blob/c03c9edf5fddf4e3fb1bc6d7afcd2a2284ca03d8/manifests/0000_20_kube-apiserver-operator_08_flowschema.yaml#L81-L82
[2]: https://github.com/openshift/cluster-kube-apiserver-operator/pull/1060
[3]: https://github.com/openshift/cluster-kube-apiserver-operator/pull/1099

Comment 1 Abu Kashem 2021-05-05 15:38:27 UTC
We also have a dependency on https://bugzilla.redhat.com/show_bug.cgi?id=1927397

Comment 3 Ke Wang 2021-06-03 11:51:08 UTC
$ oc adm release extract --to manifests registry.ci.openshift.org/ocp/release:4.8.0-0.nightly-2021-06-03-055145

$ cd manifests

$ grep -A10 'name: probes' *kube-apiserver*.yaml
0000_20_kube-apiserver-operator_08_flowschema.yaml:  name: probes
0000_20_kube-apiserver-operator_08_flowschema.yaml-spec:
0000_20_kube-apiserver-operator_08_flowschema.yaml-  distinguisherMethod:
0000_20_kube-apiserver-operator_08_flowschema.yaml-    type: ByUser
0000_20_kube-apiserver-operator_08_flowschema.yaml-  matchingPrecedence: 2
0000_20_kube-apiserver-operator_08_flowschema.yaml-  priorityLevelConfiguration:
0000_20_kube-apiserver-operator_08_flowschema.yaml-    name: exempt
0000_20_kube-apiserver-operator_08_flowschema.yaml-  rules:
0000_20_kube-apiserver-operator_08_flowschema.yaml-    - nonResourceRules:
0000_20_kube-apiserver-operator_08_flowschema.yaml-        - nonResourceURLs:
0000_20_kube-apiserver-operator_08_flowschema.yaml-            - '/healthz'

The probes flowschema was already in, and the dependent bug 1927397 was verified, see https://bugzilla.redhat.com/show_bug.cgi?id=1927397#c7, so move the bug to VERIFIED.

Comment 4 W. Trevor King 2021-06-03 18:52:01 UTC
The goal is to _not_ have the manifest anymore, since a manifest without cluster-profile annotations is useless.  But looks like the PR actually made it into the next nightly [1].  Confirming by applying the check from comment 0 to the new nightly:

$ oc adm release extract --to manifests registry.ci.openshift.org/ocp/release:4.8.0-0.nightly-2021-06-03-084005
Extracted release payload from digest sha256:3004ed7d5578c286481f40de3e420bf4773a1ffc6d75c8d7a9392db39655c5bd created at 2021-06-03T08:42:49Z
$ for X in manifests/*.yaml; do ENTRIES="$(yaml2json < "${X}" | jq -r '.[].metadata | select((.annotations // {}) | keys | tostring | contains("include.release.openshift.io/") | not) | .namespace + " " + .name + " " + (.annotations | tostring)')"; if test -n "${ENTRIES}"; then echo "${X}"; echo "${ENTRIES}"; fi done
manifests/0000_31_cluster-baremetal-operator_05_prometheus_rbac.yaml
  null
manifests/0000_31_cluster-baremetal-operator_05_rbac.yaml
  null
manifests/0000_90_cluster-baremetal-operator_03_servicemonitor.yaml
openshift-machine-api cluster-baremetal-operator-servicemonitor {"exclude.release.openshift.io/internal-openshift-hosted":"true"}

Those baremetal entries are bug 1956607.  So this bug is appropriately VERIFIED, but not for the reasons given in comment 3.

[1]: https://amd64.ocp.releases.ci.openshift.org/releasestream/4.8.0-0.nightly/release/4.8.0-0.nightly-2021-06-03-084005
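
The check from comment 0, as reused in comment 4, written out as an added example (not part of the original thread or of any OpenShift tooling). It takes the JSON array that yaml2json emits for one manifest file, tests annotation keys by prefix rather than by substring, and reports why each object was flagged. The function name and the sample documents are constructed for illustration; the third sample object and its profile annotation are assumptions.

```python
import json

PROFILE_PREFIX = "include.release.openshift.io/"


def unprofiled(docs):
    """Return (namespace, name, reason) for every object in one manifest
    file that carries no cluster-profile annotation."""
    findings = []
    for doc in docs:
        if not isinstance(doc, dict):  # an empty YAML document parses to null
            continue
        meta = doc.get("metadata") or {}
        annotations = meta.get("annotations") or {}  # absent or explicit null
        if any(key.startswith(PROFILE_PREFIX) for key in annotations):
            continue
        reason = ("no annotations" if not annotations
                  else "no " + PROFILE_PREFIX + " key")
        findings.append((meta.get("namespace", ""), meta.get("name", ""), reason))
    return findings


# Constructed sample, shaped like yaml2json output for a multi-document file.
# The first two objects mirror the entries reported in the thread; the third
# is a hypothetical object that does carry a profile annotation.
SAMPLE = json.loads("""
[
  {"kind": "FlowSchema", "metadata": {"name": "probes"}},
  {"kind": "ServiceMonitor",
   "metadata": {"namespace": "openshift-machine-api",
                "name": "cluster-baremetal-operator-servicemonitor",
                "annotations": {
                  "exclude.release.openshift.io/internal-openshift-hosted": "true"}}},
  {"kind": "FlowSchema",
   "metadata": {"name": "example-with-profile",
                "annotations": {
                  "include.release.openshift.io/self-managed-high-availability": "true"}}}
]
""")

if __name__ == "__main__":
    for namespace, name, reason in unprofiled(SAMPLE):
        print(f"{namespace or '-'} {name}: {reason}")
```
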

Comment 7 errata-xmlrpc 2021-07-27 23:05:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

