Skip to content

Cleanup conversion webhooks when an operator is uninstalled #2832

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 8, 2022
Merged

Cleanup conversion webhooks when an operator is uninstalled #2832

merged 1 commit into from
Aug 8, 2022

Conversation

awgreene
Copy link
Member

@awgreene awgreene commented Aug 5, 2022
edited
Loading

Addresses #2830

Problem: When uninstalling a CSV, OLM has always avoided deleting the
associated CRD as all CRs on cluster are subsequently deleted, possibly
resulting in user dataloss.

OLM supports defining conversion webhooks within the CSV. On cluster,
conversion webhooks are defined within a CRD and point to a service that
handles conversion. If the service is unable to fulfill the request,
all requests against the CRs associated with the CRD will fail.

When uninstalling a CSV, OLM does not remove the conversion webhook from
the CRD, meaning that all requests against the CRs associated with the
CRD will fail, resulting in at least two concerns:

  1. OLM is unable to subsequently reinstall the operator. When installing
    a CSV, if the CRD already exists and instances of CRs exist as well,
    OLM performs a series of checks which ensure that none of the CRs are
    invalidated against the new schema. The existing CRD's conversion
    webhooks points to a non-existant service, causing the check to fail
    and preventing installs.
  2. Broken conversion webhooks causes kubernete's garbage collection to
    fail.

Solution: When a CSV is deleted, if no CSV exists that is replacing it,
set the CRD's conversion strategy to None.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 5, 2022
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 5, 2022
@awgreene
Copy link
Member Author

awgreene commented Aug 5, 2022

Feel free to take a look @amisevsk.

@awgreene awgreene force-pushed the fix-cert-service-bz branch from 7f73edf to f50aed1 Compare August 6, 2022 00:35
@awgreene awgreene changed the title wip: disable conversion webhooks after uninstall Cleanup conversion webhooks when an operator is uninstalled Aug 6, 2022
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 6, 2022
@awgreene
Copy link
Member Author

awgreene commented Aug 6, 2022

Needs an e2e test
/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 6, 2022
@awgreene awgreene force-pushed the fix-cert-service-bz branch 3 times, most recently from ab76e50 to daa6b8b Compare August 6, 2022 13:53
@awgreene
Copy link
Member Author

awgreene commented Aug 6, 2022

I've added the e2e test.
/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 6, 2022
dinhxuanvu
dinhxuanvu approved these changes Aug 8, 2022
View reviewed changes
Copy link
Member

@dinhxuanvu dinhxuanvu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@openshift-ci
Copy link

openshift-ci bot commented Aug 8, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: awgreene, dinhxuanvu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [awgreene,dinhxuanvu]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@awgreene
Cleanup conversion webhooks when an operator is uninstalled
1e08b53 
Problem: When uninstalling a CSV, OLM has always avoided deleting the
associated CRD as all CRs on cluster are subsequently deleted, possibly
resulting in user dataloss.

OLM supports defining conversion webhooks within the CSV. On cluster,
conversion webhooks are defined with a CRD and point to a service that
handles conversion.  If the service is unable to fulfill the request,
all requests against the CRs associated with the CRD will fail.

When uninstalling a CSV, OLM does not remove the conversion webhook from
the CRD, meaning that all requests against the CRs associated with the
CRD will fail, resulting in at least two concerns:
1. OLM is unable to subsequently reinstall the operator. When installing
   a CSV, if the CRD already exists and instances of CRs exist as well,
   OLM performs a series of checks which ensure that none of the CRs are
   invalidated against the new schema. The existing CRD's conversion
   webhooks points to a non-existant service, causing the check to fail
   and preventing installs.
2. Broken conversion webhooks causes kubernete's garbage collection to
   fail.

Solution: When a CSV is deleted, if no CSV exists that is replacing it,
set the CRD's conversion strategy to None.

Signed-off-by: Alexander Greene <[email protected]>
@awgreene awgreene force-pushed the fix-cert-service-bz branch from daa6b8b to 1e08b53 Compare August 8, 2022 16:38
@timflannagan
Copy link
Member

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 8, 2022
@openshift-merge-robot openshift-merge-robot merged commit 9437498 into operator-framework:master Aug 8, 2022
@openshift-cherrypick-robot
Copy link

@awgreene: cannot checkout release-4.11: error checking out release-4.11: exit status 1. output: error: pathspec 'release-4.11' did not match any file(s) known to git

In response to this:

/cherry-pick release-4.11

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dinhxuanvu dinhxuanvu dinhxuanvu approved these changes

@gallettilance gallettilance Awaiting requested review from gallettilance

@kevinrizza kevinrizza Awaiting requested review from kevinrizza

Assignees

@timflannagan timflannagan

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@awgreene @timflannagan @openshift-cherrypick-robot @dinhxuanvu @openshift-merge-robot