Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: None
Affects Version/s: 4.14.0
Component/s: File Integrity Operator
Labels:
- regression

Severity:
Important
Regression:
No
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Target Version:

4.14.0

SFDC Cases Counter:
SFDC Cases Links:

Description of problem:

A manual update for /hostroot/etc/kubernetes/kubelet-ca.crt was triggered . However, after the cert updated, two aide-ini pods will be created. and fileintegrity will be stuck in Initializing status.
$ oc get pod
NAME                                                  READY   STATUS RESTARTS    AGE
aide-example-fileintegrity-58b9n                      1/1  Running   0           123m
aide-example-fileintegrity-f5dn8                      1/1  Running   0           123m
aide-example-fileintegrity-fhmhj                      1/1  Running   0           123m
aide-example-fileintegrity-gwx5r                      1/1  Running   0           123m
aide-example-fileintegrity-j9w7b                      1/1  Running   0           123m
aide-example-fileintegrity-vxqfd                      1/1  Running   0           123m
aide-inicc88032f6aa4ca2272e99348e02a35105f67c333-gzzxk   1/1  Running   0           38m
aide-inid463818231cfd558a56aaea6945e7be3db7f71b7-pttf9   1/1  Running   0           38m
file-integrity-operator-857f87b577-nfg7t              1/1  Running   1 (140m ago)   140m
$ oc get fileintegrity example-fileintegrity -o=jsonpath={.status.phase}
Initializing
Error message in operator log:
{"level":"error","ts":"2023-06-19T07:42:31Z","logger":"controller_fileintegrity","msg":"error handling update conflict configMap","Request.Namespace":"openshift-file-integrity","Request.Name":"example-fileintegrity","error":"ConfigMap \"example-fileintegrity-update-conflict-cm\" is invalid: data[file-integrity.openshift.io/remove-node]: Invalid value: \"file-integrity.openshift.io/remove-node\": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name',  or 'KEY_NAME',  or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')","stacktrace":"github.com/openshift/file-integrity-operator/pkg/controller/fileintegrity.(*FileIntegrityReconciler).FileIntegrityControllerReconcile\n\t/go/src/github.com/openshift/file-integrity-operator/pkg/controller/fileintegrity/fileintegrity_controller.go:548\ngithub.com/openshift/file-integrity-operator/pkg/controller/fileintegrity.(*FileIntegrityReconciler).Reconcile\n\t/go/src/github.com/openshift/file-integrity-operator/pkg/controller/fileintegrity/setup.go:66\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:118\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:314\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:226"}
{"level":"error","ts":"2023-06-19T07:42:31Z","msg":"Reconciler error","controller":"fileintegrity-controller","controllerGroup":"fileintegrity.openshift.io","controllerKind":"FileIntegrity","FileIntegrity":{"name":"example-fileintegrity","namespace":"openshift-file-integrity"},"namespace":"openshift-file-integrity","name":"example-fileintegrity","reconcileID":"10591dbd-0bfd-42d3-9fe5-f83bbcf7a3cc","error":"ConfigMap \"example-fileintegrity-update-conflict-cm\" is invalid: data[file-integrity.openshift.io/remove-node]: Invalid value: \"file-integrity.openshift.io/remove-node\": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name',  or 'KEY_NAME',  or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:226"}
{"level":"error","ts":"2023-06-19T07:42:52Z","logger":"controller_fileintegrity","msg":"error handling update conflict configMap","Request.Namespace":"openshift-file-integrity","Request.Name":"example-fileintegrity","error":"ConfigMap \"example-fileintegrity-update-conflict-cm\" is invalid: data[file-integrity.openshift.io/remove-node]: Invalid value: \"file-integrity.openshift.io/remove-node\": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name',  or 'KEY_NAME',  or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')","stacktrace":"github.com/openshift/file-integrity-operator/pkg/controller/fileintegrity.(*FileIntegrityReconciler).FileIntegrityControllerReconcile\n\t/go/src/github.com/openshift/file-integrity-operator/pkg/controller/fileintegrity/fileintegrity_controller.go:548\ngithub.com/openshift/file-integrity-operator/pkg/controller/fileintegrity.(*FileIntegrityReconciler).Reconcile\n\t/go/src/github.com/openshift/file-integrity-operator/pkg/controller/fileintegrity/setup.go:66\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:118\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:314\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:226"}
{"level":"error","ts":"2023-06-19T07:42:52Z","msg":"Reconciler error","controller":"fileintegrity-controller","controllerGroup":"fileintegrity.openshift.io","controllerKind":"FileIntegrity","FileIntegrity":{"name":"example-fileintegrity","namespace":"openshift-file-integrity"},"namespace":"openshift-file-integrity","name":"example-fileintegrity","reconcileID":"846a8c96-7490-4918-9afc-057916309185","error":"ConfigMap \"example-fileintegrity-update-conflict-cm\" is invalid: data[file-integrity.openshift.io/remove-node]: Invalid value: \"file-integrity.openshift.io/remove-node\": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name',  or 'KEY_NAME',  or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:226"}
{"level":"error","ts":"2023-06-19T07:42:53Z","logger":"controller_fileintegrity","msg":"error handling update conflict configMap","Request.Namespace":"openshift-file-integrity","Request.Name":"example-fileintegrity","error":"ConfigMap \"example-fileintegrity-update-conflict-cm\" is invalid: data[file-integrity.openshift.io/remove-node]: Invalid value: \"file-integrity.openshift.io/remove-node\": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name',  or 'KEY_NAME',  or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')","stacktrace":"github.com/openshift/file-integrity-operator/pkg/controller/fileintegrity.(*FileIntegrityReconciler).FileIntegrityControllerReconcile\n\t/go/src/github.com/openshift/file-integrity-operator/pkg/controller/fileintegrity/fileintegrity_controller.go:548\ngithub.com/openshift/file-integrity-operator/pkg/controller/fileintegrity.(*FileIntegrityReconciler).Reconcile\n\t/go/src/github.com/openshift/file-integrity-operator/pkg/controller/fileintegrity/setup.go:66\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:118\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:314\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:226"}
{"level":"error","ts":"2023-06-19T07:42:53Z","msg":"Reconciler error","controller":"fileintegrity-controller","controllerGroup":"fileintegrity.openshift.io","controllerKind":"FileIntegrity","FileIntegrity":{"name":"example-fileintegrity","namespace":"openshift-file-integrity"},"namespace":"openshift-file-integrity","name":"example-fileintegrity","reconcileID":"ee2b5794-79fc-4cc5-a900-9b14b2c560b4","error":"ConfigMap \"example-fileintegrity-update-conflict-cm\" is invalid: data[file-integrity.openshift.io/remove-node]: Invalid value: \"file-integrity.openshift.io/remove-node\": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name',  or 'KEY_NAME',  or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/src/github.com/openshift/file-integrity-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:226"}

Version-Release number of selected component (if applicable):

FIO v1.3.0

How reproducible:

Always

Steps to Reproduce:

1. Install FIO 
2. Create a fileinegritynodestatus

$oc apply -f -<<EOF
apiVersion: fileintegrity.openshift.io/v1alpha1
kind: FileIntegrity
metadata:
  name: example-fileintegrity
spec:
  config:
    gracePeriod: 90
    maxBackups: 5
  debug: debug
EOF

3. Wait until the fileintegirynodestatus ready for each node 
4. Trigger a manual update for /hostroot/etc/kubernetes/kubelet-ca.crt

Actual results:

After the cert is updated, two aide-ini pods will be created. Then fileintegrity will be stuck in Initializing status.Detailed error message seen from the description

Expected results:

After the cert is updated, the fileintegrity should not stuck in Initializing status. The fileintegritynodestatus won’t become failure because of the cert for /hostroot/etc/kubernetes/kubelet-ca.crt was updated

Additional info:

mentioned on

Merge request - Updated US source to: 28f6567 Release v1.3.1

Assignee:: Vincent Shen

Reporter:: Xiaojie Yuan

QA Contact:: Bhargavi Gudi

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2023/06/20 5:26 AM

Updated:: 2023/08/21 2:16 AM

Resolved:: 2023/08/21 2:16 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates