Checking with these current branch tips:

  $ git --no-pager log --oneline -1 origin/release-4.8
  bc15362e (origin/release-4.8) [release-4.8] Gather all MachineConfig definitions (#449) (#459)
  $ git --no-pager log --oneline -1 origin/release-4.9
  b178f47f (HEAD -> master, origin/release-4.9, origin/release-4.10, origin/master, origin/HEAD) Insightsreport set corresponding clusteroperator condition correctly (#473)

The 4.9 insights-operator-obfuscation-secret Role has the expected cluster profile annotations:

  $ git cat-file -p origin/release-4.9:manifests/03-clusterrole.yaml | yaml2json | jq '.[] | select(.kind == "Role" and .metadata.name == "insights-operator-obfuscation-secret").metadata'
  {
    "name": "insights-operator-obfuscation-secret",
    "namespace": "openshift-insights",
    "annotations": {
      "include.release.openshift.io/self-managed-high-availability": "true",
      "include.release.openshift.io/ibm-cloud-managed": "true",
      "include.release.openshift.io/single-node-developer": "true"
    }
  }

But 4.8 does not:

  $ git cat-file -p origin/release-4.8:manifests/03-clusterrole.yaml | yaml2json | jq '.[] | select(.kind == "Role" and .metadata.name == "insights-operator-obfuscation-secret").metadata'
  {
    "name": "insights-operator-obfuscation-secret",
    "namespace": "openshift-insights"
  }

The manifest appears to be new in 4.8, with no hits in 4.7:

  $ git cat-file -p origin/release-4.7:manifests/03-clusterrole.yaml | yaml2json | jq '.[] | select(.kind == "Role" and .metadata.name == "insights-operator-obfuscation-secret").metadata'
  ...no hits...

Per the cluster profile enhancement [1], that results in the CVO ignoring the manifest in all cluster profiles. Looking at 4.8.2 -> 4.8.3 CI [2], the Role is indeed missing:

  $ curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/logs/release-openshift-origin-installer-launch-aws/1420413555873681408/artifacts/launch/roles.json | jq -r '.items[].metadata | select(.name == "insights-operator-obfuscation-secret")'
  ...no hits...
The 4.9 history is fairly exciting, with [3] removing the Role entirely; [4] bringing the role back, but with a delete annotation (still no profile annotations, so the CVO ignores this); [5] adding the role with profile annotations, but keeping the separate entry with the delete annotation; and [6] removing the entry with the delete annotation, leaving just the role with profile annotations.

I dunno if 4.8 cares about this Role or not; obviously if its absence caused serious issues, we would have had some complaints out of CI/QE. But keeping dead-code manifests around is just confusing, so we should either drop the entry entirely, or add profiles so the CVO manages it in clusters that need it.

[1]: https://github.com/openshift/enhancements/blob/ce4d303db807622687159eb9d3248285a003fabb/enhancements/update/cluster-profiles.md
[2]: https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/release-openshift-origin-installer-launch-aws/1420413555873681408
[3]: https://github.com/openshift/insights-operator/commit/c8e1838296b7d4fb00d79ed982cf062df029dbed
[4]: https://github.com/openshift/insights-operator/commit/c6237c6417f9cdd1c527ac2012f394280622a7c5
[5]: https://github.com/openshift/insights-operator/commit/6e70054f6e433526942e900073ccc0862c4ce137
[6]: https://github.com/openshift/insights-operator/commit/b44b5443e353424042d96fd1b482dfc9c036429a
And I didn't walk the whole history, but as far as the branch tips go, the RoleBinding has the same issue:

  $ git cat-file -p 'origin/release-4.8:manifests/03-clusterrole.yaml' | yaml2json | jq '.[] | select(.kind == "RoleBinding" and .metadata.name == "insights-operator-obfuscation-secret").metadata'
  {
    "name": "insights-operator-obfuscation-secret",
    "namespace": "openshift-insights"
  }
  $ git cat-file -p 'origin/release-4.9:manifests/03-clusterrole.yaml' | yaml2json | jq '.[] | select(.kind == "RoleBinding" and .metadata.name == "insights-operator-obfuscation-secret").metadata'
  {
    "name": "insights-operator-obfuscation-secret",
    "namespace": "openshift-insights",
    "annotations": {
      "include.release.openshift.io/self-managed-high-availability": "true",
      "include.release.openshift.io/ibm-cloud-managed": "true",
      "include.release.openshift.io/single-node-developer": "true"
    }
  }
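
An added example, not part of the original comments or the insights-operator repository: a check that flags manifests carrying no cluster-profile annotation, the condition the report above says makes the CVO ignore the Role and RoleBinding. It assumes the manifest file has already been converted to a JSON array of objects (the shape the yaml2json | jq '.[]' pipeline above iterates) and that only the value "true" opts a manifest in; the function names and the third sample object are constructed for illustration.

```python
import json
import sys

PROFILE_PREFIX = "include.release.openshift.io/"

# Constructed sample: the 4.8 Role and RoleBinding metadata quoted in the report,
# plus one made-up annotated object for contrast.
SAMPLE_4_8 = [
    {"kind": "Role",
     "metadata": {"name": "insights-operator-obfuscation-secret",
                  "namespace": "openshift-insights"}},
    {"kind": "RoleBinding",
     "metadata": {"name": "insights-operator-obfuscation-secret",
                  "namespace": "openshift-insights"}},
    {"kind": "ClusterRole",
     "metadata": {"name": "constructed-example", "annotations": {
         PROFILE_PREFIX + "self-managed-high-availability": "true"}}},
]


def profiles_of(manifest):
    """Return the cluster profiles a manifest opts in to (assumes "true" is required)."""
    annotations = (manifest.get("metadata") or {}).get("annotations") or {}
    return {key[len(PROFILE_PREFIX):] for key, value in annotations.items()
            if key.startswith(PROFILE_PREFIX) and value == "true"}


def unmanaged(manifests):
    """List (kind, namespace, name) of manifests with no profile annotation at all."""
    found = []
    for m in manifests:
        if not isinstance(m, dict) or profiles_of(m):
            continue  # skip empty YAML documents and manifests in at least one profile
        meta = m.get("metadata") or {}
        found.append((m.get("kind"), meta.get("namespace"), meta.get("name")))
    return found


if __name__ == "__main__":
    # With a file argument, read the JSON array from it; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            docs = json.load(fh)
    else:
        docs = SAMPLE_4_8
    for kind, namespace, name in unmanaged(docs):
        print(f"no cluster profile annotation: {kind} {namespace}/{name}")
    sys.exit(1 if unmanaged(docs) else 0)
```

The non-zero exit status on any finding lets the check gate a CI job, so an RBAC manifest that would never be applied fails review instead of shipping as dead code.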
Thanks for the report and the analysis, Trevor. Yeah, the history shows our poor knowledge of RBAC and annotation usage. I believe this is covered with the "cryptic" https://bugzilla.redhat.com/show_bug.cgi?id=1977342 and https://github.com/openshift/insights-operator/pull/467. Anyway, the annotations should be added in 4.8 as well.
If it's easier to close this bug as a dup of bug 1977342, that's fine with me.
*** This bug has been marked as a duplicate of bug 1977342 ***