Bug 2143716 - [4.13]VMExport: fix DV Error message when trying to import without certConfigMap and secretExtraHeaders
Summary: [4.13]VMExport: fix DV Error message when trying to import without certConfig...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Storage
Version: 4.12.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.13.0
Assignee: Álvaro Romero
QA Contact: Jenia Peimer
URL:
Whiteboard:
Depends On:
Blocks: 2168231
TreeView+ depends on / blocked
 
Reported: 2022-11-17 16:13 UTC by Jenia Peimer
Modified: 2023-05-18 02:57 UTC (History)
2 users (show)

Fixed In Version: CNV-v4.13.0.rhel9-1540
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2168231 (view as bug list)
Environment:
Last Closed: 2023-05-18 02:55:41 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github kubevirt containerized-data-importer pull 2573 0 None open Remove stack trace from PVC and DataVolume events in case of import error 2023-02-03 12:26:55 UTC
Red Hat Issue Tracker CNV-22601 0 None None None 2022-11-17 16:16:44 UTC
Red Hat Product Errata RHSA-2023:3205 0 None None None 2023-05-18 02:57:02 UTC

Description Jenia Peimer 2022-11-17 16:13:59 UTC 
Description of problem:
DV Error message when trying to import without secret-headers shouldn't contain the stack trace


Version-Release number of selected component (if applicable):
4.12.0-682

How reproducible:
Always

Steps to Reproduce:

1. Create a VM, Stop it

2. Create a VMExport without specifying the tokenSecretRef:

$ cat vmexport-vm.yaml 
apiVersion: export.kubevirt.io/v1alpha1
kind: VirtualMachineExport
metadata:
    name: export-vm-object
spec:
    source:
        apiGroup: "kubevirt.io"
        kind: VirtualMachine
        name: vm-cirros-source


3. See VMExport certs and links are populated:

$ oc get vmexport export-vm-object -oyaml


3. Create a target VM using an internal link, without specifying the certConfigMap and secretExtraHeaders:

$ cat vm-target-internal-raw.yaml
apiVersion: kubevirt.io/v1alpha3
kind: VirtualMachine
metadata:
  name: vm-cirros-target-1
  labels:
    kubevirt.io/vm: vm-cirros-target-1
spec:
  dataVolumeTemplates:
  - metadata:
      name: cirros-dv-target-1
    spec:
      storage:
        resources:
          requests:
            storage: 1Gi
        storageClassName: hostpath-csi-basic
      source:
        http:
          url: "https://virt-export-export-vm-object.default.svc/volumes/cirros-dv-source-ocs/disk.img"
          #     certConfigMap: "router-cert"
          #     secretExtraHeaders:
          #        - secret-headers
  running: true
  template:
    metadata:
      labels:
        kubevirt.io/vm: vm-cirros-target-1
    spec:
      domain:
        devices:
          disks:
          - disk:
              bus: virtio
            name: datavolumetarget
        machine:
          type: ""
        resources:
          requests:
            memory: 100M
      terminationGracePeriodSeconds: 0
      volumes:
      - dataVolume:
          name: cirros-dv-target-1
        name: datavolumetarget


Actual results:

$ oc get vm -A
NAMESPACE   NAME                   AGE   STATUS            READY
default     vm-cirros-source       41m   Stopped           False
default     vm-cirros-target-1     24m   DataVolumeError   False

$ oc describe dv cirros-dv-target-1 | grep Message
    Message:               PVC cirros-dv-target-1 Bound
    Message:               Unable to connect to http data source: Get "https://virt-export-export-vm-object.default.svc/volumes/cirros-dv-source-ocs/disk.img": x509: certificate signed by unknown authority HTTP request errored kubevirt.io/containerized-data-importer/pkg/importer.createHTTPReader   /remote-source/app/pkg/importer/http-datasource.go:326 kubevirt.io/containerized-data-importer/pkg/importer.NewHTTPDataSource   /remote-source/app/pkg/importer/http-datasource.go:100 main.newDataSource   /remote-source/app/cmd/cdi-importer/importer.go:255 main.handleImport   /remote-source/app/cmd/cdi-importer/importer.go:173 main.main   /remote-source/app/cmd/cdi-importer/importer.go:143 runtime.main   /usr/lib/golang/src/runtime/proc.go:250 runtime.goexit   /usr/lib/golang/src/runtime/asm_amd64.s:1594


Expected results:
The Error message shouldn't contain the stack trace
Comment 1 Yan Du 2022-11-23 13:00:15 UTC 
Alexander, could we improve the error message to enable user to fix the problem for themselves?
Comment 3 Yan Du 2023-02-01 13:11:22 UTC 
Alvaro, could you please take a look?
Comment 4 Álvaro Romero 2023-02-01 13:14:48 UTC 
@yadu sure!
Comment 5 Jenia Peimer 2023-02-21 13:08:15 UTC 
Verified on CNV-v4.13.0.rhel9-1540

The error message:

$ oc describe dv dv-vm-target | grep Message
    Message:               PVC dv-vm-target Bound
    Message:               Unable to connect to http data source: HTTP request errored: Get "https://virt-exportproxy-openshift-cnv.apps.c01-jp413-3.cnv-qe.rhcloud.com/api/export.kubevirt.io/v1alpha1/namespaces/default/virtualmachineexports/export-vm-object-hpp/volumes/cirros-dv-source-hpp/disk.img": x509: certificate signed by unknown authority
Comment 8 errata-xmlrpc 2023-05-18 02:55:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 4.13.0 Images security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:3205
Note You need to log in before you can comment on or make changes to this bug.