Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-2813

TALM may miss subscription NonCompliant after CatalogSource change

    XMLWordPrintable

Details

    • Moderate
    • CNF RAN Sprint 231, CNF RAN Sprint 232, CNF RAN Sprint 233
    • Hide

      None

      Show
      None
    • Hide
      After a catalog source update, it takes time for OLM to update the subscription status.
      This can mean that if you modify a catalog source policy in a ClusterGroupUpdate CR, a subscription policy in the same ClusterGroupUpdate CR is not remediated as its status has not had sufficient time to update and continues to show it as compliant.
      As a workaround, include a status check in the catalog source policy in the spec section.

      metadata:
        name: redhat-operators-disconnected
      spec:
        displayName: disconnected-redhat-operators
        image: registry.example.com:5000/disconnected-redhat-operators/disconnected-redhat-operator-index:v4.11
      status:
        connectionState:
          lastObservedState: READY

      This mitigates the delay for OLM to pull the new index image and get the pod ready, reducing the overall time between completion of catalog source policy remediation and the update of the subscription status. If the issue persists and the subscription policy status update is still late with the workaround, apply an identical ClusterGroupUpdate CR with a different name.
      Show
      After a catalog source update, it takes time for OLM to update the subscription status. This can mean that if you modify a catalog source policy in a ClusterGroupUpdate CR, a subscription policy in the same ClusterGroupUpdate CR is not remediated as its status has not had sufficient time to update and continues to show it as compliant. As a workaround, include a status check in the catalog source policy in the spec section. metadata:   name: redhat-operators-disconnected spec:   displayName: disconnected-redhat-operators   image: registry.example.com:5000/disconnected-redhat-operators/disconnected-redhat-operator-index:v4.11 status:   connectionState:     lastObservedState: READY This mitigates the delay for OLM to pull the new index image and get the pod ready, reducing the overall time between completion of catalog source policy remediation and the update of the subscription status. If the issue persists and the subscription policy status update is still late with the workaround, apply an identical ClusterGroupUpdate CR with a different name.
    • Known Issue
    • In Progress
    • Rel Note for Telco: Yes

    Description

      When using TALM to update OLM Operators and the CatalogSource in the same CGU, the NonCompliant state of the subscriptions may be set too late, resulting in TALM completing the update and removing the enforce policy before the Operators are actually updated.

      Updating Operators, including a change to the CatalogSource, involves 2 policies. The common-config policy updates the CatalogSource (eg changing index to point to an updated index with new content). The new CatalogSource enables the Subscriptions to see an updated version and change their status to "UpgradePending". This status change is what will set the common-subscription Policy to NonCompliant.

      There is a non-trivial amount of time between changing the CatalogSource and the Subscriptions updating their status. Much of this time (but not all) is the index pod being pulled and run by OLM. 

      A mitigation for this issue is to add a status check to the CatalogSource Policy to ensure that it is ready, indicating the pod has been pulled and is running. The status section in this example is the mitigation:

          - fileName: DefaultCatsrc.yaml
      policyName: "config-policy"
      metadata:
        name: redhat-operators-disconnected
      spec:
        displayName: disconnected-redhat-operators
        image: registry.example.com:5000/disconnected-redhat-operators/disconnected-redhat-operator-index:v4.11
      status:
        connectionState:
          lastObservedState: READY

      Attachments

        Issue Links

          is blocked by

          Feature Request - Feature requests from customers and/or users RFE-3846 CRs managed by OLM missing 'observedGeneration' in status

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Backlog
          is related to

          Bug - A problem which impairs or prevents the functions of the product. OCPBUGS-2812 TALM does not enforce subscriptions when catalogsource is updated and both policies are in the same CGU

          • Undefined - Priority not specified.
          • Verified
          relates to

          Bug - A problem which impairs or prevents the functions of the product. OCPBUGS-7540 TALM may miss MCP reconcile after change to PerformanceProfile or operator upgrade

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Task - A task that needs to be done. ACM-3097 Design an ACM policy type for operator installation management

          • Undefined - Priority not specified.
          • In Progress

          Activity

            People

              jche@redhat.com Jun Chen
              rhn-support-imiller Ian Miller
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated: