OpenShift GitOps / GITOPS-6670

RC 1.16.0-17 - Redis HA Server StatefulSet SecurityContext Not Updated During Upgrade


    • Bug
    • Resolution: Done
    • Critical
    • Operator
      Before this update, the SecurityContextConstraints (SCC) changes introduced for Redis in version 1.16.0 were not properly applied to the Redis HA StatefulSet pods due to missing upgrade logic. With this update, the operator’s reconciliation logic has been enhanced to correctly handle and apply SCC changes to Redis HA pods during upgrades.
    • GitOps Crimson Sprint 13

      Description of Problem

      After upgrading from GitOps 1.15 to 1.16, the new configuration of the StatefulSet is not applied correctly. The redis-ha-server StatefulSet pods will not be updated with the new settings, causing them to retain old configurations.

      Problem Reproduction

      • Upgrade from 1.15.0 to 1.16.0

      Reproducibility

      • Always

      Prerequisites/Environment

      • OCP

      Steps to Reproduce

      • Upgrade the operator from 1.15.0 to 1.16.0 by enabling HA

      Expected Results

      • HA server pods should be up

      Actual Results

      • HA pods have an AUTH error in the events
      • The redis-ha-server StatefulSet pods will not be updated with the new settings, causing them to retain old configurations.

      Problem Analysis

      • After upgrading from GitOps 1.15 to 1.16, the redis service account in GitOps 1.16 is assigned a lower-privilege SecurityContextConstraints (SCC), but the operator fails to update the securityContext of the redis-ha-server StatefulSet. As a result, the container's user remains hardcoded instead of being randomly assigned as required by the restricted-v2 SCC. This prevents the new configuration of the StatefulSet from being applied correctly.

      Root Cause

      • The operator has no logic for updating the SCC

      Workaround (If Possible)

      • Manually delete the redis-ha-server StatefulSet to trigger a re-creation of the pods with the updated settings.
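
A check for the condition described under Problem Analysis, useful for deciding whether the workaround is still needed. This is an added example, not the operator's own code: it reads a StatefulSet manifest (for instance one saved with `oc get statefulset <name> -o json`) and lists every place in the pod template where runAsUser is pinned. The type names, the function name and the sample manifest are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only the fields this check needs from a StatefulSet manifest (illustrative types).
type secCtx struct {
	RunAsUser *int64 `json:"runAsUser"`
}
type container struct {
	Name            string  `json:"name"`
	SecurityContext *secCtx `json:"securityContext"`
}
type statefulSet struct {
	Spec struct {
		Template struct {
			Spec struct {
				SecurityContext *secCtx     `json:"securityContext"`
				InitContainers  []container `json:"initContainers"`
				Containers      []container `json:"containers"`
			} `json:"spec"`
		} `json:"template"`
	} `json:"spec"`
}

// pinnedUIDs lists every place in the pod template that hardcodes runAsUser.
func pinnedUIDs(manifest []byte) ([]string, error) {
	var sts statefulSet
	if err := json.Unmarshal(manifest, &sts); err != nil {
		return nil, err
	}
	var found []string
	pod := sts.Spec.Template.Spec
	if pod.SecurityContext != nil && pod.SecurityContext.RunAsUser != nil {
		found = append(found, fmt.Sprintf("pod: runAsUser=%d", *pod.SecurityContext.RunAsUser))
	}
	for _, c := range append(pod.InitContainers, pod.Containers...) {
		if c.SecurityContext != nil && c.SecurityContext.RunAsUser != nil {
			found = append(found, fmt.Sprintf("%s: runAsUser=%d", c.Name, *c.SecurityContext.RunAsUser))
		}
	}
	return found, nil
}

// Constructed sample: a pod template still carrying a hardcoded UID after the upgrade.
const staleSample = `{"spec":{"template":{"spec":{"securityContext":{"runAsUser":1000,"fsGroup":1000},"initContainers":[{"name":"config-init","securityContext":{"runAsUser":1000}}],"containers":[{"name":"redis","securityContext":{"runAsNonRoot":true}}]}}}}`

func main() { fmt.Println(pinnedUIDs([]byte(staleSample))) }
```

An empty result means no UID is pinned in the pod template, so the user can be assigned from the namespace range as the restricted-v2 SCC requires.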

      Acceptance Criteria

      • Expected result is met

      Definition of Done

      • Code Complete:
        • All code has been written, reviewed, and approved.
      • Tested:
        • Unit tests have been written and passed.
        • Ensure code coverage is not reduced with the changes.
        • Integration tests have been automated.
        • System tests have been conducted, and all critical bugs have been fixed.
        • Tested and merged on OpenShift either upstream or downstream on a local build.
      • Documentation:
        • User documentation or release notes have been written (if applicable).
      • Build:
        • Code has been successfully built and integrated into the main repository / project.
        • Midstream changes (if applicable) are done, reviewed, approved and merged.
      • Review:
        • Code has been peer-reviewed and meets coding standards.
        • All acceptance criteria defined in the user story have been met.
        • Tested by reviewer on OpenShift.
      • Deployment:
        • The feature has been deployed on OpenShift cluster for testing.

              rh-ee-mmeetei Mangaal Meetei
              rhn-support-vab Varsha B