[release-4.11] OCPBUGS-4446: fix service account token secret reference (#2862) #416

openshift-cherrypick-robot

This is an automated cherry-pick of #412

/assign awgreene

awgreene commented Dec 2, 2022

/retest

Problem: The filterSecretsBySAName function attempts to identify all
service account token secrets related to a serviceAccount. To do so,
the filterSecretsBySAName function uses a range-for loop to iterate
over entries in the secrets argument. If a valid service account token
secret is found, a pointer to the range-for loop's value variable is
added to a map of results. Unfortunately, if a valid entry is found in
the middle of the list of secrets, the value returned by the range-for
loop is updated, causing the entry in the map to change.

Solution: Add a pointer to the actual secret instead of the range-for
loop's value variable.

Signed-off-by: Alexander Greene <[email protected]>

Upstream-repository: operator-lifecycle-manager
Upstream-commit: caab6c52ec532dc82c7178eebb0377bd80d1e82a
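
The aliasing bug described in the commit message above, as an added Go example (not code from this pull request or from operator-lifecycle-manager). The `Secret` type, the function names `filterBuggy` and `filterFixed`, and the sample secrets are simplified assumptions. Because Go 1.22 made range variables per-iteration, the buggy variant declares its variable outside the loop so that it reproduces the older behaviour on any toolchain.

```go
package main

import "fmt"

// Secret is a simplified stand-in for corev1.Secret (assumption, not the OLM type).
type Secret struct {
	Name, Type, SAName string // SAName models the owning service account
}

const tokenType = "kubernetes.io/service-account-token"

// filterBuggy (hypothetical name) stores the address of one variable that is
// overwritten on every iteration, as a pre-Go 1.22 range value variable was.
func filterBuggy(saName string, secrets []Secret) map[string]*Secret {
	out := make(map[string]*Secret)
	var s Secret
	for i := range secrets {
		s = secrets[i]
		if s.Type == tokenType && s.SAName == saName {
			out[s.Name] = &s // aliases s, not the matched secret
		}
	}
	return out
}

// filterFixed (hypothetical name) stores the address of the slice element itself.
func filterFixed(saName string, secrets []Secret) map[string]*Secret {
	out := make(map[string]*Secret)
	for i := range secrets {
		if secrets[i].Type == tokenType && secrets[i].SAName == saName {
			out[secrets[i].Name] = &secrets[i]
		}
	}
	return out
}

// sampleSecrets is constructed input: the matching token sits mid-list.
func sampleSecrets() []Secret {
	return []Secret{
		{"builder-token", tokenType, "builder"},
		{"testx-sa-token", tokenType, "testx-sa"},
		{"zsecret", "Opaque", ""},
	}
}

func main() {
	b, f := filterBuggy("testx-sa", sampleSecrets()), filterFixed("testx-sa", sampleSecrets())
	fmt.Println("buggy:", *b["testx-sa-token"], "fixed:", *f["testx-sa-token"])
}
```

In the buggy map the key still reads `testx-sa-token`, but the value it points at is whatever secret the loop visited last, so a caller reading the token from that entry gets the wrong secret.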
openshift-cherrypick-robot force-pushed the cherry-pick-412-to-release-4.11 branch from 47efa4a to 1a840df on December 2, 2022 17:52

awgreene commented Dec 2, 2022

For some reason this was recreated using the JIRA issue targeting 4.12, gotta change the title to point to the correct issue.

/retitle [release-4.11] OCPBUGS-4446: fix service account token secret reference (#2862)

openshift-ci bot changed the title from "[release-4.11] OCPBUGS-3837: fix service account token secret reference (#2862)" to "[release-4.11] OCPBUGS-4446: fix service account token secret reference (#2862)" on Dec 2, 2022

openshift-ci bot commented Dec 2, 2022

@openshift-cherrypick-robot: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

In response to this:

[release-4.11] OCPBUGS-4446: fix service account token secret reference (#2862)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Dec 2, 2022
@openshift-ci-robot

@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-4446, which is valid. The bug has been moved to the POST state.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.11.z) matches configured target version for branch (4.11.z)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
  • dependent bug Jira Issue OCPBUGS-3837 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE))
  • dependent Jira Issue OCPBUGS-3837 targets the "4.12.0" version, which is one of the valid target versions: 4.12.0
  • bug has dependents

Requesting review from QA contact:
/cc @Xia-Zhao-rh

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This is an automated cherry-pick of #412

/assign awgreene

@openshift-ci-robot openshift-ci-robot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Dec 2, 2022
@openshift-ci openshift-ci bot requested a review from Xia-Zhao-rh December 2, 2022 17:53

awgreene commented Dec 2, 2022

/retest

@Xia-Zhao-rh

verify result

zhaoxia@xzha-mac bug-1428 % oc -n openshift-operator-lifecycle-manager exec catalog-operator-df6f676f4-6dwk8 -- olm --version
OLM version: 0.19.0
git commit: 649402133ce5743d595c6a314f6f224a9ed55424
zhaoxia@xzha-mac bug-1428 % oc new-project testx-ns
Now using project "testx-ns" on server "https://api.ci-ln-l12zmb2-76ef8.origin-ci-int-aws.dev.rhcloud.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=k8s.gcr.io/e2e-test-images/agnhost:2.33 -- /agnhost serve-hostname

zhaoxia@xzha-mac bug-1428 % cat sub.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: zsecret
  namespace: testx-ns
type: Opaque
stringData:
  mykey: mypass

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: testx-sa
  namespace: testx-ns

---

kind: OperatorGroup
apiVersion: operators.coreos.com/v1
metadata:
  name: testx-og
  namespace: testx-ns
spec:
  serviceAccountName: "testx-sa"
  targetNamespaces:
  - testx-ns

---

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: testx-role
  namespace: testx-ns
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"] 
  
---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: testx-rolebinding
  namespace: testx-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: testx-role
subjects:
- kind: ServiceAccount
  name: testx-sa
  namespace: testx-ns

---

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: etcd-operator
  namespace: testx-ns
spec:
  channel: singlenamespace-alpha
  installPlanApproval: Automatic
  name: etcd
  source: community-operators
  sourceNamespace: openshift-marketplace
zhaoxia@xzha-mac bug-1428 % oc apply -f sub.yaml 
secret/zsecret created
serviceaccount/testx-sa created
operatorgroup.operators.coreos.com/testx-og created
role.rbac.authorization.k8s.io/testx-role created
rolebinding.rbac.authorization.k8s.io/testx-rolebinding created
subscription.operators.coreos.com/etcd-operator created
zhaoxia@xzha-mac bug-1428 % oc get sub
NAME            PACKAGE   SOURCE                CHANNEL
etcd-operator   etcd      community-operators   singlenamespace-alpha

zhaoxia@xzha-mac bug-1428 % oc get sa
NAME            SECRETS   AGE
builder         1         48s
default         1         48s
deployer        1         48s
etcd-operator   1         1s
testx-sa        1         24s
zhaoxia@xzha-mac bug-1428 % oc get secret
NAME                            TYPE                                  DATA   AGE
builder-dockercfg-9vn4j         kubernetes.io/dockercfg               1      58s
builder-token-twck7             kubernetes.io/service-account-token   4      58s
default-dockercfg-lnc9l         kubernetes.io/dockercfg               1      58s
default-token-8m64q             kubernetes.io/service-account-token   4      58s
deployer-dockercfg-nzwt9        kubernetes.io/dockercfg               1      58s
deployer-token-hjbgj            kubernetes.io/service-account-token   4      58s
etcd-operator-dockercfg-cbzc8   kubernetes.io/dockercfg               1      11s
etcd-operator-token-6jw8f       kubernetes.io/service-account-token   4      11s
testx-sa-dockercfg-ljvh9        kubernetes.io/dockercfg               1      34s
testx-sa-token-wzjfs            kubernetes.io/service-account-token   4      34s
zsecret                         Opaque                                1      35s
zhaoxia@xzha-mac bug-1428 % oc get ip
NAME            CSV                   APPROVAL    APPROVED
install-g2rfj   etcdoperator.v0.9.4   Automatic   true
zhaoxia@xzha-mac bug-1428 % oc get csv
NAME                  DISPLAY   VERSION   REPLACES              PHASE
etcdoperator.v0.9.4   etcd      0.9.4     etcdoperator.v0.9.2   Succeeded
zhaoxia@xzha-mac bug-1428 % oc get sub etcd-operator -o=jsonpath-as-json='{.status}'
[
    {
        "catalogHealth": [
            {
                "catalogSourceRef": {
                    "apiVersion": "operators.coreos.com/v1alpha1",
                    "kind": "CatalogSource",
                    "name": "certified-operators",
                    "namespace": "openshift-marketplace",
                    "resourceVersion": "27944",
                    "uid": "682a6fbc-b823-4147-9458-a7413d22defb"
                },
                "healthy": true,
                "lastUpdated": "2022-12-03T02:54:18Z"
            },
            {
                "catalogSourceRef": {
                    "apiVersion": "operators.coreos.com/v1alpha1",
                    "kind": "CatalogSource",
                    "name": "community-operators",
                    "namespace": "openshift-marketplace",
                    "resourceVersion": "27984",
                    "uid": "851235fd-2b5a-4c45-9323-eff6ef2ce8ad"
                },
                "healthy": true,
                "lastUpdated": "2022-12-03T02:54:18Z"
            },
            {
                "catalogSourceRef": {
                    "apiVersion": "operators.coreos.com/v1alpha1",
                    "kind": "CatalogSource",
                    "name": "redhat-marketplace",
                    "namespace": "openshift-marketplace",
                    "resourceVersion": "27814",
                    "uid": "012bb8d1-a20a-4de6-bb0e-626e10bfdd6c"
                },
                "healthy": true,
                "lastUpdated": "2022-12-03T02:54:18Z"
            },
            {
                "catalogSourceRef": {
                    "apiVersion": "operators.coreos.com/v1alpha1",
                    "kind": "CatalogSource",
                    "name": "redhat-operators",
                    "namespace": "openshift-marketplace",
                    "resourceVersion": "28281",
                    "uid": "306dcd73-e544-4cd5-807a-60bc8df01d8a"
                },
                "healthy": true,
                "lastUpdated": "2022-12-03T02:54:18Z"
            }
        ],
        "conditions": [
            {
                "lastTransitionTime": "2022-12-03T02:54:18Z",
                "message": "all available catalogsources are healthy",
                "reason": "AllCatalogSourcesHealthy",
                "status": "False",
                "type": "CatalogSourcesUnhealthy"
            }
        ],
        "currentCSV": "etcdoperator.v0.9.4",
        "installPlanGeneration": 1,
        "installPlanRef": {
            "apiVersion": "operators.coreos.com/v1alpha1",
            "kind": "InstallPlan",
            "name": "install-g2rfj",
            "namespace": "testx-ns",
            "resourceVersion": "29022",
            "uid": "7d713e98-2602-4f77-a320-1d7a50b57e7a"
        },
        "installedCSV": "etcdoperator.v0.9.4",
        "installplan": {
            "apiVersion": "operators.coreos.com/v1alpha1",
            "kind": "InstallPlan",
            "name": "install-g2rfj",
            "uuid": "7d713e98-2602-4f77-a320-1d7a50b57e7a"
        },
        "lastUpdated": "2022-12-03T02:54:37Z",
        "state": "AtLatestKnown"
    }
]

LGTM. verified

@Xia-Zhao-rh

/qe-approved

@Xia-Zhao-rh

/retest

@Xia-Zhao-rh

/label qe-approved

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Dec 3, 2022
@Xia-Zhao-rh

/retest

@Xia-Zhao-rh

/retest

@Xia-Zhao-rh

/retest

@Xia-Zhao-rh

/retest

@awgreene

/retest

@awgreene

/approved
/label backport-risk-assessed

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Jan 10, 2023

openshift-ci bot commented Jan 10, 2023

@openshift-cherrypick-robot: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-gcp-olm-flaky | 1a840df | link | false | /test e2e-gcp-olm-flaky |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@awgreene

/approve

openshift-ci bot commented Jan 10, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: awgreene, openshift-cherrypick-robot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 10, 2023
@awgreene

@jianzhangbjz I think this one is ready for a cherry-pick label :)

@oceanc80

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 10, 2023
@Xia-Zhao-rh

/label cherry-pick-approved

@openshift-ci openshift-ci bot added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Jan 11, 2023
@openshift-merge-robot openshift-merge-robot merged commit cb6810a into openshift:release-4.11 Jan 11, 2023
@openshift-ci-robot

@openshift-cherrypick-robot: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-4446 has been moved to the MODIFIED state.

In response to this:

This is an automated cherry-pick of #412

/assign awgreene
