Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: None
Affects Version/s: 4.18.0, 4.19.0
Component/s: OLM
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Important
Regression:
None

Target Backport Versions:

4.18.0
Target Version:

4.19.0
Release Blocker:
Proposed
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
* Previously, {olmv1} did not wait for certificates to reach a ready state before mounting Operator Controller and catalogd pods. These updates fix the issue. link:https://issues.redhat.com/browse/OCPBUGS-48830[~~OCPBUGS-48830~~] and link:https://issues.redhat.com/browse/OCPBUGS-49418[~~OCPBUGS-49418~~]

Show
* Previously, {olmv1} did not wait for certificates to reach a ready state before mounting Operator Controller and catalogd pods. These updates fix the issue. link: https://issues.redhat.com/browse/OCPBUGS-48830 [ OCPBUGS-48830 ] and link: https://issues.redhat.com/browse/OCPBUGS-49418 [ OCPBUGS-49418 ]

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

When the catalogd and operator-controller pods start, it sometimes happens that the "trusted-ca-bundle" ConfigMap has not yet had its "ca-bundle.crt" data item populated yet. When this happens, a directory is mounted at /var/trusted-cas/ca-bundle.crt instead of the expected CA file.

The only way to resolve the problem is to manually delete the pod and let it be re-created AFTER the ca-bundle.crt data item is populated in the ConfigMap, at which point the file will mount correctly.

Version-Release number of selected component (if applicable):

How reproducible:

Not trivially reproducible because it is a race condition between the controller populating the ConfigMap and the OLMv1 controllers

Steps to Reproduce:

    1. 
    2.
    3.

Actual results:

When a Proxy CA is configured, catalogd and operator controller may be unable to pull images because they may fail to parse /var/trusted-cas/ca-bundle.crt (which is sometimes a directory)

Expected results:

Operator controller and catalogd pods always wait to start until the "trusted-ca-bundle" is populated with "ca-bundle.crt", thus ensuring the correct mount type for the CA certs.

Additional info:

blocks

OCPBUGS-49299 OLMv1: Proxy CA mount does not wait until ca-bundle.crt is ready

Closed

is cloned by

OCPBUGS-49299 OLMv1: Proxy CA mount does not wait until ca-bundle.crt is ready

Closed

OCPBUGS-49418 OLMv1: Proxy CA mount does not wait until service-ca.crt is ready

Closed

relates to

OCPBUGS-48767 OLM CA management: limitations of subPath volume mounting

Closed

links to

openshift/operator-framework-catalogd#120: OCPBUGS-48830: UPSTREAM: <carry>: resolve issue with pre-mature mounting of trusted CA configmap

openshift/operator-framework-operator-controller#237: OCPBUGS-48830: resolve issue with pre-mature mounting of trusted CA configmap

RHEA-2024:11038 OpenShift Container Platform 4.19.z bug fix update

(2 links to)

Assignee:: Joe Lanford

Reporter:: Joe Lanford

Need Info From:: None

Contributors:: None

QA Contact:: Xia Zhao

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2025/01/24 3:06 AM

Updated:: 2025/07/16 1:40 PM

Resolved:: 2025/06/17 4:53 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide