Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-14994

Ingress operator attempts spurious deletes of the client CA configmap when deleting an IngressController that has a client TLS configured

    XMLWordPrintable

Details

    • Low
    • No
    • Sprint 237, Sprint 238, Sprint 239, Sprint 240, Sprint 241, Sprint 242, Sprint 243, Sprint 244
    • 8
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, when an IngressController was configured with client SSL/TLS, but did not have the `clientca-configmap` finalizer, the Ingress Operator would try to add the finalizer without checking whether the IngressController was marked for deletion. Consequently, if an IngressController was configured with client SSL/TLS and was subsequently deleted, the Operator would correctly remove the finalizer. It would then repeatedly, and erroneously, try and fail to update the IngressController to add the finalizer back, resulting in error messages in the Operator's logs.
      +
      With this update, the Ingress Operator no longer adds the `clientca-configmap` finalizer to an IngressController that is marked for deletion. As a result, the Ingress Operator no longer tries to perform erroneous updates, and no longer logs the associated errors. (link:https://issues.redhat.com/browse/OCPBUGS-14994[*OCPBUGS-14994*])

      Original CCFR:

      Cause: If an IngressController was configured with client TLS and didn't have the "clientca-configmap" finalizer, the Ingress Operator would try to add the finalizer without checking whether the IngressController was marked for deletion.

      Consequence: If an IngressController was configured with client TLS and subsequently deleted, the Operator would correctly remove the finalizer and then repeatedly erroneously try and fail to update the IngressController to re-add the finalizer, resulting in error messages in the Operator's logs.

      Fix: The Ingress Operator no longer adds the "clientca-configmap" finalizer to an IngressController that is marked for deletion.

      Result: The Operator no longer tries to perform these spurious updates and no longer logs the associated errors.
      Show
      * Previously, when an IngressController was configured with client SSL/TLS, but did not have the `clientca-configmap` finalizer, the Ingress Operator would try to add the finalizer without checking whether the IngressController was marked for deletion. Consequently, if an IngressController was configured with client SSL/TLS and was subsequently deleted, the Operator would correctly remove the finalizer. It would then repeatedly, and erroneously, try and fail to update the IngressController to add the finalizer back, resulting in error messages in the Operator's logs. + With this update, the Ingress Operator no longer adds the `clientca-configmap` finalizer to an IngressController that is marked for deletion. As a result, the Ingress Operator no longer tries to perform erroneous updates, and no longer logs the associated errors. (link: https://issues.redhat.com/browse/OCPBUGS-14994 [* OCPBUGS-14994 *]) Original CCFR: Cause: If an IngressController was configured with client TLS and didn't have the "clientca-configmap" finalizer, the Ingress Operator would try to add the finalizer without checking whether the IngressController was marked for deletion. Consequence: If an IngressController was configured with client TLS and subsequently deleted, the Operator would correctly remove the finalizer and then repeatedly erroneously try and fail to update the IngressController to re-add the finalizer, resulting in error messages in the Operator's logs. Fix: The Ingress Operator no longer adds the "clientca-configmap" finalizer to an IngressController that is marked for deletion. Result: The Operator no longer tries to perform these spurious updates and no longer logs the associated errors.
    • Bug Fix
    • Done

    Description

      Description of problem

      When the ingress operator's clientca-configmap controller reconciles an IngressController, this controller attempts to add a finalizer to the IngressController if that finalizer is absent. This controller erroneously attempts to add the missing finalizer even if the IngressController is marked for deletion, which results in an error. This error causes the controller to retry the deletion and log the error multiple times.

      Version-Release number of selected component (if applicable)

      I observed this in CI for OCP 4.14 and was able to reproduce it on 4.11.37, and it probably affects earlier versions as well. The problematic code was added in https://github.com/openshift/cluster-ingress-operator/pull/450/commits/0f36470250c3089769867ebd72e25c413a29cda2 in OCP 4.9 to implement NE-323.

      How reproducible

      Easily.

      Steps to Reproduce

      1. Create a configmap in the "openshift-config" namespace (to reproduce this issue, it is not necessary that the configmap have a valid TLS certificate and key):

      oc -n openshift-config create configmap client-ca-cert

      2. Create an IngressController that specifies spec.clientTLS.clientCA.name to point to the configmap from the previous step:

      oc create -f - <<EOF
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: test-client-ca-configmap
  namespace: openshift-ingress-operator
spec:
  domain: example.xyz
  endpointPublishingStrategy:
    type: Private
  clientTLS:
    clientCA:
      name: client-ca-cert
    clientCertificatePolicy: Required
EOF

      3. Delete the IngressController:

      oc -n openshift-ingress-operator delete ingresscontrollers/test-client-ca-configmap

      4. Check the ingress operator's logs:

      oc -n openshift-ingress-operator logs -c ingress-operator deployments/ingress-operator

      Actual results

      The ingress operator logs several attempts to add the finalizer to the IngressController after it has been marked for deletion:

      2023-06-15T02:17:12.419Z        ERROR   operator.init   controller/controller.go:273    Reconciler error        {"controller": "clientca_configmap_controller", "object": {"name":"test-client-ca-configmap","namespace":"openshift-ingress-operator"}, "namespace": "openshift-ingress-operator", "name": "test-client-ca-configmap", "reconcileID": "2274f55e-e5bd-4fdb-973e-821a44cf2ebf", "error": "failed to add client-ca-configmap finalizer: IngressController.operator.openshift.io \"test-client-ca-configmap\" is invalid: metadata.finalizers: Forbidden: no new finalizers can be added if the object is being deleted, found new finalizers []string{\"ingresscontroller.operator.openshift.io/finalizer-clientca-configmap\"}"}

      The deletion does succeed, errors notwithstanding.

      Expected results

      The ingress operator should succeed in deleting the IngressController without attempting to re-add the finalizer to the IngressController after it has been marked for deletion.

      Attachments

        Activity

          People

            mmasters1@redhat.com Miciah Masters
            mmasters1@redhat.com Miciah Masters
            Shudi Li Shudi Li
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: