Bug 1991076 - insights-operator-obfuscation-secret role lacks cluster profile annotations
Keywords:
Status: CLOSED DUPLICATE of bug 1977342
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Insights Operator
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.8.z
Assignee: Serhii Zakharov
QA Contact: Dmitry Misharov
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-08-07 03:18 UTC by W. Trevor King
Modified: 2021-08-11 09:05 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-08-11 09:05:54 UTC
Target Upstream Version:
Embargoed:


Description W. Trevor King 2021-08-07 03:18:35 UTC
Checking with these current branch tips:

$ git --no-pager log --oneline -1 origin/release-4.8
bc15362e (origin/release-4.8) [release-4.8] Gather all MachineConfig definitions (#449) (#459)
$ git --no-pager log --oneline -1 origin/release-4.9
b178f47f (HEAD -> master, origin/release-4.9, origin/release-4.10, origin/master, origin/HEAD) Insightsreport set corresponding clusteroperator condition correctly (#473)

The 4.9 insights-operator-obfuscation-secret Role has the expected cluster profile annotations:

$ git cat-file -p origin/release-4.9:manifests/03-clusterrole.yaml | yaml2json | jq '.[] | select(.kind == "Role" and .metadata.name == "insights-operator-obfuscation-secret").metadata'
{
  "name": "insights-operator-obfuscation-secret",
  "namespace": "openshift-insights",
  "annotations": {
    "include.release.openshift.io/self-managed-high-availability": "true",
    "include.release.openshift.io/ibm-cloud-managed": "true",
    "include.release.openshift.io/single-node-developer": "true"
  }
}

But 4.8 does not:

$ git cat-file -p origin/release-4.8:manifests/03-clusterrole.yaml | yaml2json | jq '.[] | select(.kind == "Role" and .metadata.name == "insights-operator-obfuscation-secret").metadata'
{
  "name": "insights-operator-obfuscation-secret",
  "namespace": "openshift-insights"
}

The manifest appears to be new in 4.8, with no hits in 4.7:

$ git cat-file -p origin/release-4.7:manifests/03-clusterrole.yaml | yaml2json | jq '.[] | select(.kind == "Role" and .metadata.name == "insights-operator-obfuscation-secret").metadata'
...no hits...

Per the cluster profile enhancement [1], that results in the CVO ignoring the manifest in all cluster profiles.  Looking at 4.8.2 -> 4.8.3 CI [2], the Role is indeed missing:

$ curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/logs/release-openshift-origin-installer-launch-aws/1420413555873681408/artifacts/launch/roles.json | jq -r '.items[].metadata | select(.name == "insights-operator-obfuscation-secret")'
...no hits...

The 4.9 history is fairly exciting, with [3] removing the Role entirely.  [4] bringing the role back, but with a delete annotation (still no profile annotations, so the CVO ignores this).  [5] adding the role with profile annotations, but keeping the separate entry with the delete annotation.  And [6] removing the entry with the delete annotation, leaving just the role with profile annotations.

I dunno if 4.8 cares about this Role or not; obviously if its absence caused serious issues, we would have had some complaints out of CI/QE.  But keeping dead-code manifests around is just confusing, so we should either drop the entry entirely, or add profiles so the CVO manages it in clusters that need it.

[1]: https://github.com/openshift/enhancements/blob/ce4d303db807622687159eb9d3248285a003fabb/enhancements/update/cluster-profiles.md
[2]: https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/release-openshift-origin-installer-launch-aws/1420413555873681408
[3]: https://github.com/openshift/insights-operator/commit/c8e1838296b7d4fb00d79ed982cf062df029dbed
[4]: https://github.com/openshift/insights-operator/commit/c6237c6417f9cdd1c527ac2012f394280622a7c5
[5]: https://github.com/openshift/insights-operator/commit/6e70054f6e433526942e900073ccc0862c4ce137
[6]: https://github.com/openshift/insights-operator/commit/b44b5443e353424042d96fd1b482dfc9c036429a

Comment 1 W. Trevor King 2021-08-07 03:20:34 UTC
And I didn't walk the whole history, but as far as the branch tips go, the RoleBinding has the same issue:

$ git cat-file -p 'origin/release-4.8:manifests/03-clusterrole.yaml' | yaml2json | jq '.[] | select(.kind == "RoleBinding" and .metadata.name == "insights-operator-obfuscation-secret").metadata'
{
  "name": "insights-operator-obfuscation-secret",
  "namespace": "openshift-insights"
}
$ git cat-file -p 'origin/release-4.9:manifests/03-clusterrole.yaml' | yaml2json | jq '.[] | select(.kind == "RoleBinding" and .metadata.name == "insights-operator-obfuscation-secret").metadata'
{
  "name": "insights-operator-obfuscation-secret",
  "namespace": "openshift-insights",
  "annotations": {
    "include.release.openshift.io/self-managed-high-availability": "true",
    "include.release.openshift.io/ibm-cloud-managed": "true",
    "include.release.openshift.io/single-node-developer": "true"
  }
}
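
The check done by hand in the description and Comment 1, generalized to every object in a manifest file, as an added example (not code from the report or from the insights-operator project). It assumes the input is the JSON array that `yaml2json` produces in the commands above; the function names and the sample objects are constructed for illustration.

```python
import json
import sys

PROFILE_PREFIX = "include.release.openshift.io/"

def profiles(manifest):
    """Return the cluster profiles a manifest opts into via annotations."""
    annotations = (manifest.get("metadata") or {}).get("annotations") or {}
    return {key[len(PROFILE_PREFIX):] for key, value in annotations.items()
            if key.startswith(PROFILE_PREFIX) and value == "true"}

def ignored_manifests(manifests, profile=None):
    """List (kind, namespace, name) for manifests with no profile annotation
    at all, or, when `profile` is given, not included in that profile."""
    ignored = []
    for manifest in manifests:
        if not isinstance(manifest, dict):
            continue  # empty YAML documents arrive as null
        included = profiles(manifest)
        if not included or (profile is not None and profile not in included):
            meta = manifest.get("metadata") or {}
            ignored.append((manifest.get("kind"), meta.get("namespace"), meta.get("name")))
    return ignored

# Constructed sample: a Role shaped like the 4.8 metadata above (no annotations),
# a RoleBinding shaped like the 4.9 metadata, and a hypothetical ConfigMap that
# opts into only one profile.
ALL_PROFILES = {PROFILE_PREFIX + p: "true" for p in
                ("self-managed-high-availability", "ibm-cloud-managed", "single-node-developer")}
NAME, NAMESPACE = "insights-operator-obfuscation-secret", "openshift-insights"
SAMPLE = [
    {"kind": "Role", "metadata": {"name": NAME, "namespace": NAMESPACE}},
    {"kind": "RoleBinding", "metadata": {"name": NAME, "namespace": NAMESPACE,
                                         "annotations": ALL_PROFILES}},
    {"kind": "ConfigMap", "metadata": {"name": "example-partial", "namespace": NAMESPACE,
        "annotations": {PROFILE_PREFIX + "self-managed-high-availability": "true"}}},
    None,
]

if __name__ == "__main__":
    # Pass "-" to read a JSON array from stdin; otherwise use the sample.
    docs = json.load(sys.stdin) if sys.argv[1:2] == ["-"] else SAMPLE
    found = ignored_manifests(docs)
    for kind, namespace, name in found:
        print(f"no cluster profile annotation: {kind} {namespace}/{name}")
    sys.exit(1 if found else 0)
```

Saved under a name of your choosing, it can take the place of the `jq` filter: pipe the `git cat-file -p ... | yaml2json` output into it with `-` as the only argument, and a non-zero exit status flags a manifest that no profile would include.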

Comment 2 Tomas Remes 2021-08-09 07:35:50 UTC
Thanks for the report and the analysis, Trevor. Yeah, the history shows our poor knowledge of RBAC and annotations usage. I believe this is covered with the "cryptic" https://bugzilla.redhat.com/show_bug.cgi?id=1977342 and https://github.com/openshift/insights-operator/pull/467. Anyway, the annotations should be added in 4.8 as well.

Comment 3 W. Trevor King 2021-08-09 19:07:58 UTC
If it's easier to close this bug as a dup of bug 1977342, that's fine with me.

Comment 4 Serhii Zakharov 2021-08-11 09:05:54 UTC

*** This bug has been marked as a duplicate of bug 1977342 ***