Closed Tomasz-Smelcerz-SAP closed 7 months ago
This issue can be reproduced via Busola. In a new cluster, Istio is enabled by default and when editing the KymaCR via Edit->YAML
functionality, it is possible to add the same istio
entry twice resulting in the following KymaCR:
The same cannot be achieved when editing KymaCR via kubectl apply
, kubectl edit
, or kyma alpha enable module
(see also tests on local k3d cluster below).
The PR that updated the enforcement of unique values is here https://github.com/kyma-project/lifecycle-manager/pull/611. This seems to work as expected for kubectl
and kyma cli
, but Busola's Edit-YAML
functionality somehow seems to bypass it.
A Kyma installation where this issue is reproduced is in cs-test-1242
Subaccount under our Stage Global Account.
Given the following KymaCR:
apiVersion: operator.kyma-project.io/v1beta2
kind: Kyma
metadata:
annotations:
operator.kyma-project.io/owned-by: kcp-system/kyma-sample
labels:
operator.kyma-project.io/watched-by: lifecycle-manager
name: default
namespace: kyma-system
spec:
channel: regular
modules:
- channel: regular
customResourcePolicy: CreateAndDelete
name: template-operator
kyma alpha enable module template-operator
will yield a successful modules patched
message, the KymaCR remains unchanged howeverkubectl edit ...
fails with:
# kymas.operator.kyma-project.io "default" was not valid:
# * spec.modules[1]: Duplicate value: map[string]interface {}{"name":"template-operator"}
kubectl apply ...
fails with The Kyma "default" is invalid: spec.modules[1]: Duplicate value: map[string]interface {}{"name":"template-operator"}
--validate='ignore'
and --server-side
flags which result in the same behavior2024-01-11T13:02:10.445535918Z
. The logs from 30 mins before this error didn't show any significant hintsname: ' template-operator'
or name: Template-operator
worksno such module found
errorname: template-operator
and name: kyma-project.io/module/template-operator
template-operator
caseStatus.Modules
lists the module twiceFrom network traffic, it is observable that Busola is sending the following request:
PATCH https://<host>/v1beta1/namespaces/kyma-system/kymas/default
Content-Type: application/json-patch+json
[
{
"op": "add",
"path": "/spec/modules/1",
"value": {
"customResourcePolicy": "CreateAndDelete",
"name": "istio"
}
}
]
Tried to re-produce the same with kubectl -n kyma-system patch kyma/default --type=json --patch-file ./patch-kyma.json
. However, validation does kick in resulting in: The Kyma "default" is invalid: spec.modules[1]: Duplicate value: map[string]interface {}{"name":"template-operator"}
Edit: observed the behavior that if the modules list already contains a duplicate entry, it is possible that patch a third duplicate entry in via kubectl patch
. This may be related to https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation-ratcheting
Noticed that the request from network traffic uses v1beta1
. Validations have been introduced to CRD with version v1beta2
. Firing requests against that version will fail validation, e.g.:
PATCH http://localhost:8001/apis/operator.kyma-project.io/v1beta2/namespaces/kyma-system/kymas/default
Content-Type: application/json-patch+json
Accept: application/json
[
{
"op": "add",
"path": "/spec/modules/1",
"value": {
"customResourcePolicy": "CreateAndDelete",
"name": "template-operator"
}
}
]
Will lead to:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "Kyma.operator.kyma-project.io \"default\" is invalid: spec.modules[1]: Duplicate value: map[string]interface {}{\"name\":\"template-operator\"}",
"reason": "Invalid",
"details": {
"name": "default",
"group": "operator.kyma-project.io",
"kind": "Kyma",
"causes": [
{
"reason": "FieldValueDuplicate",
"message": "Duplicate value: map[string]interface {}{\"name\":\"template-operator\"}",
"field": "spec.modules[1]"
}
]
},
"code": 422
}
However, the behavior is the same as described in the EDIT above. If the resource is already invalid, the patch will go through.
The following topics are left to be clarified/discussed:
1) do we need to ask stakeholders to migrate to ✅
1) v1beta2
?do we need to "back-port" the validation to :x:
1) v1beta1
?do we need to consider the "edit on already invalid resource" case? :x: not for now, we keep it in the back of our heads
1) do we need to handle the "alternative ways of naming the module " case? ✅ => https://github.com/kyma-project/lifecycle-manager/issues/1276
@c-pius I wouldn't back-port any changes to v1beta1
as we anyway want to migrate away from that version.
Busola config will be updated in the https://github.com/kyma-project/kyma-dashboard/pull/272, big kudos to @c-pius for the investigation!
I have already reminded the teams to migrate, v1beta2
was introduced almost 9 months ago. We communicated a new version back then, I suppose this is a feasible time to migrate dependencies.
Description
It has been observed that the user was able to configure duplicated entry in the
.spec.modules
list in an SKR cluster. The LM couldn't handle this condition nicely - the proper error was only visible in the LM logs, not in the Kyma status or an Event on the Kyma object. The Kyma CRD schema should prevent this from happenning, but apparently something went wrong.Steps to reproduce
To be found, start with trying to add the same module twice.
Environment Type
Managed
Environment Info
Shoot name:
https://api.c-5a489c4.stage.kyma.ondemand.com
Kubernetes Version:Server Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.6", GitCommit:"741c8db18a52787d734cbe4795f0b4ad860906d6", GitTreeState:"clean", BuildDate:"2023-09-13T09:14:09Z", GoVersion:"go1.20.8", Compiler:"gc", Platform:"linux/amd64"}
Attachments
kyma-with-duplicated-module.txt kyma-with-duplicated-module.error.log.txt