TALM does not enforce subscriptions when catalogsource is updated and both policies are in the same CGU

    • Rel Note for Telco: Yes

      This is a clone of issue OCPBUGS-2812. The following is the description of the original issue:
      In the reference configuration the CatalogSource is in the common-config policy and subscriptions are in common-subscriptions. If the user updates the catalogsource to point to a new index (as recommended) and places both common-config and common-subscriptions into the CGU for enforcement, only the common-config policy is enforced.

      TALM sees that the common-subscription Policy starts off as Compliant (it won't go non-compliant until the index is changed) and skips enforcement of the Policy.

      The workaround is to add a trivial change to one CR in the common-subscription policy. This will set the policy to non-compliant prior to the CGU being enabled and keep TALM from skipping it. For example (the value can be changed on each upgrade as needed):

          - fileName: SriovSubscription.yaml
            policyName: "subscriptions-policy"
            metadata:
              annotations:
                temp-for-upgrade: "1"
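
A pre-flight check for the skip condition described above, as an added example that is not part of the original issue or of TALM: it parses `oc get policy -A` output from the hub and lists the managed policies that are already Compliant for a cluster, which are the ones an affected TALM build would skip. The function names and the sample table (constructed to mirror the output format on this page) are assumptions, as is the `<namespace>.<policy>` naming of per-cluster copies, which is inferred from that output.

```python
import re

# Constructed sample mirroring the hub's `oc get policy -A` output on this page,
# taken after the CatalogSource edit and before the CGU is enabled (trimmed).
_FMT = "{:<13}{:<44}{:<21}{:<19}{}"
_ROWS = [
    ("NAMESPACE", "NAME", "REMEDIATION ACTION", "COMPLIANCE STATE", "AGE"),
    ("helix58", "ztp-common.common-config-policy", "inform", "NonCompliant", "13h"),
    ("helix58", "ztp-common.common-subscriptions-policy", "inform", "Compliant", "13h"),
    ("ztp-common", "common-config-policy", "inform", "NonCompliant", "13h"),
    ("ztp-common", "common-subscriptions-policy", "inform", "Compliant", "13h"),
    ("ztp-group", "group-du-sno-validator-du-policy", "inform", "", "13h"),
]
SAMPLE = "\n".join(_FMT.format(*r) for r in _ROWS)


def parse_table(text):
    """Parse `oc get` table output by header offsets so empty cells stay empty."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    first = next(i for i, ln in enumerate(lines) if ln.startswith("NAMESPACE"))
    # Header titles may contain one space ("COMPLIANCE STATE"); columns are
    # separated by at least two, so match words joined by single spaces.
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+(?: \S+)*", lines[first])]
    rows = []
    for ln in lines[first + 1:]:
        row = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else None
            row[name] = ln[start:end].strip()
        rows.append(row)
    return rows


def skip_candidates(policy_table, managed_policies, clusters):
    """Return (cluster, policy) pairs that are Compliant before the CGU runs."""
    found = []
    for row in parse_table(policy_table):
        # Assumption inferred from the page's output: the per-cluster copy sits in
        # the cluster's namespace and is named <parent-namespace>.<policy>.
        _, _, policy = row["NAME"].partition(".")
        if (row["NAMESPACE"] in clusters and policy in managed_policies
                and row["COMPLIANCE STATE"] == "Compliant"):
            found.append((row["NAMESPACE"], policy))
    return found


if __name__ == "__main__":
    managed = ["common-config-policy", "common-subscriptions-policy"]
    for cluster, policy in skip_candidates(SAMPLE, managed, ["helix58"]):
        print(f"{policy} is already Compliant on {cluster}")
```

Splitting rows on whitespace instead of header offsets would shift `13h` into the COMPLIANCE STATE column for the validator policy, whose state cell is empty.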

            [OCPBUGS-6990] TALM does not enforce subscriptions when catalogsource is updated and both policies are in the same CGU

            Errata Tool added a comment - Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (OpenShift Container Platform 4.12.20 CNF vRAN extras update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHEA-2023:3477

            Verified - common-config-policy and common-subscriptions-policy updated from the same CGU.

            Policies on hub (OCP 4.13/TALM 4.13):

            [kni@registry.kni-qe-54 ~]$ oc get policy -A
            NAMESPACE    NAME                                        REMEDIATION ACTION   COMPLIANCE STATE   AGE
            helix58      ztp-common.common-config-policy             inform               Compliant          13h
            helix58      ztp-common.common-subscriptions-policy      inform               Compliant          13h
            helix58      ztp-group.group-du-sno-config-policy        inform               Compliant          13h
            helix58      ztp-group.group-du-sno-post-config-policy   inform               Compliant          13h
            helix58      ztp-site.helix58-config-policy              inform               Compliant          13h
            ztp-common   common-config-policy                        inform               Compliant          13h
            ztp-common   common-subscriptions-policy                 inform               Compliant          13h
            ztp-group    group-du-sno-config-policy                  inform               Compliant          13h
            ztp-group    group-du-sno-post-config-policy             inform               Compliant          13h
            ztp-group    group-du-sno-validator-du-policy            inform                                  13h
            ztp-site     helix58-config-policy                       inform               Compliant          13h
             
            

            Operators on spoke (OCP 4.12):

            [kni@registry.kni-qe-54 ~]$ oc get csv -A
            NAMESPACE                              NAME                                          DISPLAY                                         VERSION               REPLACES                             PHASE
            amq-router                             amq7-interconnect-operator.v1.10.14           Red Hat Integration - AMQ Interconnect          1.10.14               amq7-interconnect-operator.v1.10.4   Succeeded
            openshift-bare-metal-events            bare-metal-event-relay.v4.12.4                Bare Metal Event Relay                          4.12.4                                                     Succeeded
            openshift-local-storage                local-storage-operator.v4.12.0-202305101515   Local Storage                                   4.12.0-202305101515                                        Succeeded
            openshift-logging                      cluster-logging.v5.6.1                        Red Hat OpenShift Logging                       5.6.1                                                      Succeeded
            openshift-operator-lifecycle-manager   packageserver                                 Package Server                                  0.19.0                                                     Succeeded
            openshift-ptp                          ptp-operator.4.12.0-202305161442              PTP Operator                                    4.12.0-202305161442                                        Succeeded
            openshift-sriov-network-operator       sriov-network-operator.v4.12.0-202305101515   SR-IOV Network Operator                         4.12.0-202305101515                                        Succeeded
            vran-acceleration-operators            sriov-fec.v2.6.1                              SR-IOV Operator for Wireless FEC Accelerators   2.6.1                 sriov-fec.v2.6.0                     Succeeded

            Updated PGT:

                - fileName: DefaultCatsrc.yaml
                  policyName: "config-policy"
                  metadata:
                      name: redhat-operators-custom
                  spec:
                    displayName: Red Hat Operators Catalog
                    image: registry.kni-qe-54.telco5gran.eng.rdu2.redhat.com:5000/olm/redhat-operators:v4.13
                  status:
                    connectionState:
                      lastObservedState: READY

            On hub cluster:

            [kni@registry.kni-qe-54 ~]$ oc get policy -A
            NAMESPACE    NAME                                        REMEDIATION ACTION   COMPLIANCE STATE   AGE
            helix58      ztp-common.common-config-policy             inform               NonCompliant       13h
            helix58      ztp-common.common-subscriptions-policy      inform               Compliant          13h
            helix58      ztp-group.group-du-sno-config-policy        inform               Compliant          13h
            helix58      ztp-group.group-du-sno-post-config-policy   inform               Compliant          13h
            helix58      ztp-site.helix58-config-policy              inform               Compliant          13h
            ztp-common   common-config-policy                        inform               NonCompliant       13h
            ztp-common   common-subscriptions-policy                 inform               Compliant          13h
            ztp-group    group-du-sno-config-policy                  inform               Compliant          13h
            ztp-group    group-du-sno-post-config-policy             inform               Compliant          13h
            ztp-group    group-du-sno-validator-du-policy            inform                                  13h
            ztp-site     helix58-config-policy                       inform               Compliant          13h
            [kni@registry.kni-qe-54 ~]$ 

            Applied cgu:

            apiVersion: ran.openshift.io/v1alpha1
            kind: ClusterGroupUpgrade
            metadata:
              name: cgu-test
              namespace: default
            spec:
              managedPolicies:
                - common-config-policy
                - common-subscriptions-policy
              enable: true
              clusters:
              - helix58
              remediationStrategy:
                maxConcurrency: 1

            After cgu completed:

            [kni@registry.kni-qe-54 ~]$ oc get cgu -A
            NAMESPACE     NAME             AGE   STATE       DETAILS
            default       cgu-test         17m   Completed   All clusters are compliant with all the managed policies
            default       http-transport   8d    Completed   All clusters are compliant with all the managed policies
            ztp-install   helix58          12h   Completed   All clusters are compliant with all the managed policies
            [kni@registry.kni-qe-54 ~]$ 
            [kni@registry.kni-qe-54 ~]$ oc get policy -A
            NAMESPACE    NAME                                        REMEDIATION ACTION   COMPLIANCE STATE   AGE
            helix58      ztp-common.common-config-policy             inform               Compliant          13h
            helix58      ztp-common.common-subscriptions-policy      inform               Compliant          13h
            helix58      ztp-group.group-du-sno-config-policy        inform               Compliant          13h
            helix58      ztp-group.group-du-sno-post-config-policy   inform               Compliant          13h
            helix58      ztp-site.helix58-config-policy              inform               Compliant          13h
            ztp-common   common-config-policy                        inform               Compliant          13h
            ztp-common   common-subscriptions-policy                 inform               Compliant          13h
            ztp-group    group-du-sno-config-policy                  inform               Compliant          13h
            ztp-group    group-du-sno-post-config-policy             inform               Compliant          13h
            ztp-group    group-du-sno-validator-du-policy            inform                                  13h
            ztp-site     helix58-config-policy                       inform               Compliant          13h
            [kni@registry.kni-qe-54 ~]$

            On spoke:

            [kni@registry.kni-qe-54 ~]$ oc get csv -A
            NAMESPACE                              NAME                                          DISPLAY                                         VERSION               REPLACES                                      PHASE
            amq-router                             amq7-interconnect-operator.v1.10.14           Red Hat Integration - AMQ Interconnect          1.10.14               amq7-interconnect-operator.v1.10.4            Succeeded
            openshift-bare-metal-events            bare-metal-event-relay.v4.13.1                Bare Metal Event Relay                          4.13.1                bare-metal-event-relay.v4.12.4                Succeeded
            openshift-local-storage                local-storage-operator.v4.13.0-202304190216   Local Storage                                   4.13.0-202304190216   local-storage-operator.v4.12.0-202305101515   Succeeded
            openshift-logging                      cluster-logging.v5.6.1                        Red Hat OpenShift Logging                       5.6.1                                                               Succeeded
            openshift-operator-lifecycle-manager   packageserver                                 Package Server                                  0.19.0                                                              Succeeded
            openshift-ptp                          ptp-operator.v4.13.0-202305161342             PTP Operator                                    4.13.0-202305161342   ptp-operator.4.12.0-202305161442              Succeeded
            openshift-sriov-network-operator       sriov-network-operator.v4.13.0-202305171454   SR-IOV Network Operator                         4.13.0-202305171454   sriov-network-operator.v4.12.0-202305101515   Succeeded
            vran-acceleration-operators            sriov-fec.v2.6.1                              SR-IOV Operator for Wireless FEC Accelerators   2.6.1                 sriov-fec.v2.6.0                              Succeeded
            [kni@registry.kni-qe-54 ~]$

            Bonnie Block added a comment - Verified - common-config-policy and common-subscriptions-policy updated from the same CGU.

            GitLab CEE Bot added a comment - CPaaS Service Account mentioned this issue in merge request !142 of cpaas-midstream / telco-5g-ran / topology-aware-lifecycle-manager on branch rhaos-4.12-rhel-8_upstream_7136367e0d76fc61bedc1eb1c624f9c2:

            Updated US source to: 088ea91 Do not skip compliant policies containing status fields (#423)

              jche@redhat.com Jun Chen
              openshift-crt-jira-prow OpenShift Prow Bot
              Bonnie Block Bonnie Block