CMP-4478: Fix ProfileBundle reversion on operator restart using Subscription patch #79
Open
yuumasato wants to merge 1 commit into
ProfileBundles with custom content images were reverted to default images when the compliance-operator restarted (e.g., node reboots). This happened because the operator's ensureDefaultProfileBundles() runs at startup and unconditionally patches existing ProfileBundles with the image from the RELATED_IMAGE_PROFILE env var, which defaults to the CSV's default image.

Solution: Patch Subscription.spec.config.env with RELATED_IMAGE_PROFILE instead of manually creating ProfileBundles. This ensures the operator uses the custom content image from startup.

Changes:
- Add patchOperatorContentImage() to patch Subscription with custom env var
- Add waitForOperatorRollout() to wait for Deployment rollout after patch
- Remove ensureTestProfileBundles() (no longer needed)
- Update Setup() flow: install → patch Subscription → wait for rollout → wait for valid ProfileBundles

How it works:
1. patchOperatorContentImage() patches Subscription with RELATED_IMAGE_PROFILE
2. OLM automatically merges Subscription env vars into Deployment
3. Deployment rollout triggers with new env var
4. Operator reads RELATED_IMAGE_PROFILE and creates ProfileBundles with custom image
5. Changes survive operator restarts (node reboots, pod crashes)

Why Subscription patch:
- Subscription.spec.config.env is the designed OLM mechanism for env overrides
- Subscription config persists across OLM reconciliation and operator upgrades
- Subscription env vars take precedence over CSV defaults (documented)
- Solves both initial setup AND restart/reboot cases

Tested:
- Initial setup with custom image
- Operator restart resilience (simulates node reboot)
- Multiple consecutive restarts
- Old approach (ProfileBundle patch) reverted on restart, new approach persists

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
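The Subscription patch from step 1 of "How it works", sketched as an added example; it is not code from this PR, and `buildEnvPatch`, the proxy entry and the image reference are hypothetical. It builds a JSON merge patch from the Subscription's current JSON and, because a merge patch replaces a list wholesale, carries over the env entries that are already set.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const envName = "RELATED_IMAGE_PROFILE"

type envVar = map[string]any // generic map keeps valueFrom and other fields intact

// buildEnvPatch returns a JSON merge patch that sets RELATED_IMAGE_PROFILE in
// Subscription.spec.config.env. A merge patch replaces a list wholesale, so
// env entries already on the Subscription are carried over, not dropped.
func buildEnvPatch(subscription []byte, image string) ([]byte, error) {
	var sub struct {
		Spec struct {
			Config struct {
				Env []envVar `json:"env"`
			} `json:"config"`
		} `json:"spec"`
	}
	if err := json.Unmarshal(subscription, &sub); err != nil {
		return nil, fmt.Errorf("decode subscription: %w", err)
	}
	env := []envVar{}
	for _, e := range sub.Spec.Config.Env {
		if e["name"] != envName { // drop a stale override, keep the rest
			env = append(env, e)
		}
	}
	env = append(env, envVar{"name": envName, "value": image})
	return json.Marshal(map[string]any{
		"spec": map[string]any{"config": map[string]any{"env": env}},
	})
}

func main() {
	// Constructed Subscription fragment; the image reference is a placeholder.
	sub := []byte(`{"spec":{"config":{"env":[{"name":"HTTP_PROXY","value":"http://proxy.example:3128"}]}}}`)
	patch, err := buildEnvPatch(sub, "registry.example/compliance-content:custom")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(patch))
}
```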
@yuumasato: The following tests failed, say
Problem
ProfileBundles with custom content images are reverted to default images when the compliance-operator restarts (e.g., node reboots, pod crashes).
Root cause: The operator's ensureDefaultProfileBundles() runs at startup and unconditionally patches existing ProfileBundles with the image from the RELATED_IMAGE_PROFILE env var, which defaults to the CSV's default image.
Impact: Tests using custom content images, from PRs for example, failed intermittently when the operator pod restarted during test execution.
Solution
Patch Subscription.spec.config.env with RELATED_IMAGE_PROFILE instead of manually creating ProfileBundles. This ensures the operator uses the custom content image from startup.
Why Subscription patch:
- Subscription.spec.config.env is the designed OLM mechanism for env var overrides
Changes
- patchOperatorContentImage() to patch Subscription with custom env var
- waitForOperatorRollout() to wait for Deployment rollout after patch
- ensureTestProfileBundles() (no longer needed - 74 lines removed)
- Setup() flow: install → patch Subscription → wait for rollout → wait for valid ProfileBundles
Testing
Run this script to verify the fix: