-
Bug
-
Resolution: Unresolved
-
Undefined
-
None
-
4.18
-
None
-
Moderate
-
None
-
False
-
Description of problem:
During CI updates from 4.17 to 4.18, the auth ClusterOperator bumps its versions[name=operator] version before bumping the other versions like oauth-openshift. That sounds plausible based on the operator name, but longstanding API docs say:
An operator reports a new "operator" version when it has rolled out the new version to all of its operands.
If I'd been involved back around here, I might have argued for component or something else that had less ambiguity between "just the top-level operator, or does it also include all of the operands and everything else in this component?".
This bug is asking the Auth operator to conform to the API docs, and avoid bumping the operator version entry until the entire component has reached that version.
Version-Release number of selected component
Seen in a spot-check of 4.17-to-4.18 CI, but likely longstanding behavior.
How reproducible
I checked one CI run, but I'd guess fairly reproducible, because it's likely to be a stable code path, and doesn't seem like there would be dynamic races in this behavior.
Steps to Reproduce
1. Install a cluster
2. Update to a new version
3. Watch the authentication ClusterOperator, something like:
$ oc get -w -o jsonpath='{.status.versions}{"\n"}' clusteroperator authentication
Alternatively, check Events post-update:
$ curl -s https://.../events.json | jq -r '.items[] | select(.metadata.namespace == "openshift-authentication-operator" and .reason == "OperatorStatusChanged") | .firstTimestamp + " " + (.count | tostring) + " " + .message' | grep versions
Actual results
operator bumped first. For example, : https://amd64.ocp.releases.ci.openshift.org/ > 4.18.0-rc.10 > update from 4.17.17 > Artifacts > ... > template-job artifacts:
$ curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/release-openshift-origin-installer-e2e-aws-upgrade/1891342561033850880/artifacts/e2e-aws-upgrade/events.json | jq -r '.items[] | select(.metadata.namespace == "openshift-authentication-operator" and .reason == "OperatorStatusChanged") | .firstTimestamp + " " + (.count | tostring) + " " + .message' | grep versions
...
2025-02-17T05:38:09Z 1 Status for clusteroperator/authentication changed: status.versions changed from [{"operator" "4.17.17"} {"oauth-apiserver" "4.17.17"} {"oauth-openshift" "4.17.17_openshift"}] to [{"operator" "4.18.0-rc.10"} {"oauth-apiserver" "4.17.17"} {"oauth-openshift" "4.17.17_openshift"}]
2025-02-17T05:40:08Z 1 Status for clusteroperator/authentication changed: status.versions changed from [{"operator" "4.18.0-rc.10"} {"oauth-apiserver" "4.17.17"} {"oauth-openshift" "4.17.17_openshift"}] to [{"operator" "4.18.0-rc.10"} {"oauth-apiserver" "4.17.17"} {"oauth-openshift" "4.18.0-rc.10_openshift"}]
2025-02-17T05:41:43Z 1 Status for clusteroperator/authentication changed: status.versions changed from [{"operator" "4.18.0-rc.10"} {"oauth-apiserver" "4.17.17"} {"oauth-openshift" "4.18.0-rc.10_openshift"}] to [{"operator" "4.18.0-rc.10"} {"oauth-apiserver" "4.18.0-rc.10"} {"oauth-openshift" "4.18.0-rc.10_openshift"}]
shows operator moving to 4.18 before either of the other two versions entries moves.
Expected results
operator moves last, and only once the rest of the cluster can rely on all the things the new version's Auth component brings having rolled out.
- blocks
-
OTA-1435 Collect Degraded=True non-blocking enhancement ack from the Authentication maintainers
-
- In Progress
-