[release-4.16] OCPBUGS-58452: Failing=Unknown upon long CO updating

[openshift-cherrypick-robot]

This is an automated cherry-pick of #1165

/assign petr-muller

[openshift-ci-robot]

@openshift-cherrypick-robot: Jira Issue OCPBUGS-23514 has been cloned as Jira Issue OCPBUGS-58452. Will retitle bug to link to clone.
/retitle [release-4.16] OCPBUGS-58452: Failing=Unknown upon long CO updating

In response to this:

This is an automated cherry-pick of #1165

/assign petr-muller

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-58452, which is invalid:

• expected dependent Jira Issue OCPBUGS-23514 to target a version in 4.17.0, 4.17.z, but it targets "4.19.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This is an automated cherry-pick of #1165

/assign petr-muller

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[petr-muller]

/jira refresh

[openshift-ci-robot]

@petr-muller: This pull request references Jira Issue OCPBUGS-58452, which is invalid:

• expected dependent Jira Issue OCPBUGS-58451 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is New instead
• expected dependent Jira Issue OCPBUGS-23514 to target a version in 4.17.0, 4.17.z, but it targets "4.19.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[petr-muller]

/jira refresh

[openshift-ci-robot]

@petr-muller: This pull request references Jira Issue OCPBUGS-58452, which is invalid:

• expected dependent Jira Issue OCPBUGS-58451 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is New instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[wking]

/lgtm

Feel free to add backport-risk-assessed when you're ready, depending on however long you want to soak #1212.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: openshift-cherrypick-robot, wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [wking]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[PraffulKapse]

Test Scenario: Regression test Failing=True condition still works well during operator degraded(authentication).
Test Status: Passed
Step1: Install Cluster and degrade the CO authentication

pkapse@pkapse-mac Downloads % oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.16.0-0.nightly-2025-07-28-124528   True        False         40m     Cluster version is 4.16.0-0.nightly-2025-07-28-124528

pkapse@pkapse-mac Downloads % oc get co authentication 
NAME             VERSION                              AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication   4.16.0-0.nightly-2025-07-28-124528   True        False         False      41m     

pkapse@pkapse-mac Downloads % cat auth.yaml 
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: oidcidp 
    mappingMethod: claim 
    type: OpenID
    openID:
      clientID: test
      clientSecret: 
        name: test
      claims: 
        preferredUsername:
        - preferred_username
        name:
        - name
        email:
        - email
      issuer: https://www.idp-issuer.example.com

pkapse@pkapse-mac Downloads % oc apply -f auth.yaml 
Warning: resource oauths/cluster is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by oc apply. oc apply should only be used on resources created declaratively by either oc create --save-config or oc apply. The missing annotation will be patched automatically.
oauth.config.openshift.io/cluster configured

pkapse@pkapse-mac Downloads % oc get co authentication 
NAME             VERSION                              AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication   4.16.0-0.nightly-2025-07-28-124528   True        False         True       49m     OAuthServerConfigObservationDegraded: failed to apply IDP oidcidp config: dial tcp: lookup www.idp-issuer.example.com on 172.30.0.10:53: no such host

Step2: Trigger an upgrade to image which contains the new changes.

pkapse@pkapse-mac Downloads % oc adm upgrade --to-image=registry.build10.ci.openshift.org/ci-ln-40w96fb/release:latest --allow-explicit-upgrade --force --allow-upgrade-with-warnings 
warning: Using by-tag pull specs is dangerous, and while we still allow it in combination with --force for backward compatibility, it would be much safer to pass a by-digest pull spec instead
warning: The requested upgrade image is not one of the available updates. You have used --allow-explicit-upgrade for the update to proceed anyway
warning: --force overrides cluster verification of your supplied release image and waives any update precondition failures.
warning: --allow-upgrade-with-warnings is bypassing: the cluster is experiencing an error reconciling "4.16.0-0.nightly-2025-07-28-124528":

  Reason: ClusterOperatorDegraded
  Message: Cluster operator authentication is degraded
Requested update to release image [registry.build10.ci.openshift.org/ci-ln-40w96fb/release:latest](http://registry.build10.ci.openshift.org/ci-ln-40w96fb/release:latest)

pkapse@pkapse-mac Downloads % export OC_ENABLE_CMD_UPGRADE_STATUS=true 
pkapse@pkapse-mac Downloads % oc adm upgrade status
Unable to fetch alerts, ignoring alerts in 'Update Health':  failed to get alerts from Thanos: no token is currently in use for this session
= Control Plane =
Assessment:      Progressing
Target Version:  4.16.0-0-2025-07-27-054505-test-ci-ln-40w96fb-latest (from 4.16.0-0.nightly-2025-07-28-124528)
Updating:        etcd, kube-apiserver
Completion:      3% (1 operators updated, 2 updating, 30 waiting)
Duration:        1m27s (Est. Time Remaining: 1h10m)
Operator Health: 32 Healthy, 1 Available but degradedx``

Control Plane Nodes
NAME                                        ASSESSMENT   PHASE     VERSION                              EST   MESSAGE
ip-10-0-41-207.us-east-2.compute.internal   Outdated     Pending   4.16.0-0.nightly-2025-07-28-124528   ?     
ip-10-0-82-186.us-east-2.compute.internal   Outdated     Pending   4.16.0-0.nightly-2025-07-28-124528   ?     
ip-10-0-90-213.us-east-2.compute.internal   Outdated     Pending   4.16.0-0.nightly-2025-07-28-124528   ?     

= Worker Upgrade =

WORKER POOL   ASSESSMENT   COMPLETION   STATUS
worker        Pending      0% (0/3)     3 Available, 0 Progressing, 0 Draining

Worker Pool Nodes: worker
NAME                                        ASSESSMENT   PHASE     VERSION                              EST   MESSAGE
ip-10-0-55-182.us-east-2.compute.internal   Outdated     Pending   4.16.0-0.nightly-2025-07-28-124528   ?     
ip-10-0-77-73.us-east-2.compute.internal    Outdated     Pending   4.16.0-0.nightly-2025-07-28-124528   ?     
ip-10-0-93-56.us-east-2.compute.internal    Outdated     Pending   4.16.0-0.nightly-2025-07-28-124528   ?     

= Update Health =
SINCE   LEVEL     IMPACT             MESSAGE
7m55s   Warning   API Availability   Cluster Operator authentication is degraded (OAuthServerConfigObservation_Error)

Step 3. Upgrade is triggered and CVO is throwing error after sometime for authentication operator and upgrade stuck with waiting up to 40 minutes on authentication.

pkapse@pkapse-mac Downloads % oc adm upgrade       
Failing=True:

  Reason: ClusterOperatorDegraded
  Message: Cluster operator authentication is degraded

info: An upgrade is in progress. Unable to apply 4.16.0-0-2025-07-27-054505-test-ci-ln-40w96fb-latest: an unknown error has occurred: MultipleErrors

warning: Cannot display available updates:
  Reason: NoChannel
  Message: The update channel has not been configured.
	

pkapse@pkapse-mac Downloads % oc adm upgrade status --details=all
Unable to fetch alerts, ignoring alerts in 'Update Health':  failed to get alerts from Thanos: no token is currently in use for this session
= Control Plane =
Assessment:      Progressing
Target Version:  4.16.0-0-2025-07-27-054505-test-ci-ln-40w96fb-latest (from 4.16.0-0.nightly-2025-07-28-124528)
Completion:      91% (30 operators updated, 0 updating, 3 waiting)
Duration:        44m (Est. Time Remaining: 12m)
Operator Health: 32 Healthy, 1 Available but degraded

Control Plane Nodes
NAME                                        ASSESSMENT   PHASE     VERSION                              EST   MESSAGE
ip-10-0-41-207.us-east-2.compute.internal   Outdated     Pending   4.16.0-0.nightly-2025-07-28-124528   ?     
ip-10-0-82-186.us-east-2.compute.internal   Outdated     Pending   4.16.0-0.nightly-2025-07-28-124528   ?     
ip-10-0-90-213.us-east-2.compute.internal   Outdated     Pending   4.16.0-0.nightly-2025-07-28-124528   ?     

= Worker Upgrade =

WORKER POOL   ASSESSMENT   COMPLETION   STATUS
worker        Pending      0% (0/3)     3 Available, 0 Progressing, 0 Draining

Worker Pool Nodes: worker
NAME                                        ASSESSMENT   PHASE     VERSION                              EST   MESSAGE
ip-10-0-55-182.us-east-2.compute.internal   Outdated     Pending   4.16.0-0.nightly-2025-07-28-124528   ?     
ip-10-0-77-73.us-east-2.compute.internal    Outdated     Pending   4.16.0-0.nightly-2025-07-28-124528   ?     
ip-10-0-93-56.us-east-2.compute.internal    Outdated     Pending   4.16.0-0.nightly-2025-07-28-124528   ?     

= Update Health =
Message: Cluster Operator authentication is degraded (OAuthServerConfigObservation_Error)
  Since:       50m48s
  Level:       Error
  Impact:      API Availability
  Reference:   https://github.com/openshift/runbooks/blob/master/alerts/cluster-monitoring-operator/ClusterOperatorDegraded.md
  Resources:
    clusteroperators.config.openshift.io: authentication
  Description: OAuthServerConfigObservationDegraded: failed to apply IDP oidcidp config: dial tcp: lookup www.idp-issuer.example.com on 172.30.0.10:53: no such host

Step4: Check CVO status Failing!=unknown and Progressing=True

pkapse@pkapse-mac Downloads % oc get clusterversion version -o yaml | yq '.status.conditions[]|select(.type=="Failing" or .type=="Progressing")'
lastTransitionTime: "2025-07-30T11:22:17Z"
status: "False"
type: Failing
lastTransitionTime: "2025-07-30T10:50:04Z"
message: 'Working towards 4.16.0-0-2025-07-27-054505-test-ci-ln-40w96fb-latest: 706 of 902 done (78% complete), waiting up to 40 minutes on authentication'
reason: ClusterOperatorDegraded
status: "True"
type: Progressing

Ste5: un-degrade the CO authentication

pkapse@pkapse-mac Downloads % cat un_auth.yaml 
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec: {}
pkapse@pkapse-mac Downloads % oc apply -f un_auth.yaml
oauth.config.openshift.io/cluster configured

Step6: Now CVO error should disappear then upgrade should resume.

pkapse@pkapse-mac Downloads % oc adm upgrade
info: An upgrade is in progress. Working towards 4.16.0-0-2025-07-27-054505-test-ci-ln-40w96fb-latest: 728 of 902 done (80% complete), waiting on dns, network

warning: Cannot display available updates:
  Reason: NoChannel
  Message: The update channel has not been configured.

pkapse@pkapse-mac Downloads % oc adm upgrade status
Unable to fetch alerts, ignoring alerts in 'Update Health':  failed to get alerts from Thanos: no token is currently in use for this session
= Control Plane =
Assessment:      Progressing
Target Version:  4.16.0-0-2025-07-27-054505-test-ci-ln-40w96fb-latest (from 4.16.0-0.nightly-2025-07-28-124528)
Updating:        dns, network
Completion:      91% (30 operators updated, 2 updating, 1 waiting)
Duration:        58m (Est. Time Remaining: 59m)
Operator Health: 33 Healthy

Control Plane Nodes
NAME                                        ASSESSMENT   PHASE     VERSION                              EST   MESSAGE
ip-10-0-41-207.us-east-2.compute.internal   Outdated     Pending   4.16.0-0.nightly-2025-07-28-124528   ?     
ip-10-0-82-186.us-east-2.compute.internal   Outdated     Pending   4.16.0-0.nightly-2025-07-28-124528   ?     
ip-10-0-90-213.us-east-2.compute.internal   Outdated     Pending   4.16.0-0.nightly-2025-07-28-124528   ?     

= Worker Upgrade =

WORKER POOL   ASSESSMENT   COMPLETION   STATUS
worker        Pending      0% (0/3)     3 Available, 0 Progressing, 0 Draining

Worker Pool Nodes: worker
NAME                                        ASSESSMENT   PHASE     VERSION                              EST   MESSAGE
ip-10-0-55-182.us-east-2.compute.internal   Outdated     Pending   4.16.0-0.nightly-2025-07-28-124528   ?     
ip-10-0-77-73.us-east-2.compute.internal    Outdated     Pending   4.16.0-0.nightly-2025-07-28-124528   ?     
ip-10-0-93-56.us-east-2.compute.internal    Outdated     Pending   4.16.0-0.nightly-2025-07-28-124528   ?     

= Update Health =
SINCE    LEVEL   IMPACT   MESSAGE
58m12s   Info    None     Update is proceeding well

[PraffulKapse]

#Test Scenario: Failing=unknown when slow update happen for image-registry operator for >30 minutes.
Test Status: Passed

1. Install the 4.16 cluster.

pkapse@pkapse-mac Downloads % oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.16.0-0.nightly-2025-07-24-234922   True        False         6m10s   Cluster version is 4.16.0-0.nightly-2025-07-24-234922

2. Overrides the Image-registry operator.

pkapse@pkapse-mac Downloads % oc patch clusterversion.config.openshift.io version --type json -p '[{"op": "add", "path": "/spec/overrides", "value": [{"kind": "Deployment", "group": "apps", "namespace": "openshift-image-registry", "name": "cluster-image-registry-operator", "unmanaged": true}]}]' 
clusterversion.config.openshift.io/version patched

3. Upgrade the cluster with Build image.

pkapse@pkapse-mac Downloads % oc adm upgrade --force --allow-explicit-upgrade --allow-upgrade-with-warnings  --to-image registry.build10.ci.openshift.org/ci-ln-8nljj5k/release:latest
warning: Using by-tag pull specs is dangerous, and while we still allow it in combination with --force for backward compatibility, it would be much safer to pass a by-digest pull spec instead
warning: The requested upgrade image is not one of the available updates. You have used --allow-explicit-upgrade for the update to proceed anyway
warning: --force overrides cluster verification of your supplied release image and waives any update precondition failures.
Requested update to release image registry.build10.ci.openshift.org/ci-ln-8nljj5k/release:latest

4. After more than 30 min waiting getting image-registry over 30 minutes Failing=Unknown Reason: SlowClusterOperator

pkapse@pkapse-mac Downloads % oc adm upgrade
Failing=Unknown:

  Reason: SlowClusterOperator
  Message: waiting on image-registry over 30 minutes which is longer than expected

info: An upgrade is in progress. Working towards 4.16.0-0-2025-07-24-052605-test-ci-ln-8nljj5k-latest: 706 of 902 done (78% complete), waiting on image-registry over 30 minutes which is longer than expected

[PraffulKapse]

/label qe-approved

[petr-muller]

/retest-required

[petr-muller]

/jira refresh

[openshift-ci-robot]

@petr-muller: This pull request references Jira Issue OCPBUGS-58452, which is invalid:

• expected dependent Jira Issue OCPBUGS-58451 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@openshift-cherrypick-robot: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[petr-muller]

/label backport-risk-assessed

[petr-muller]

/jira refresh

[openshift-ci-robot]

@petr-muller: This pull request references Jira Issue OCPBUGS-58452, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.16.z) matches configured target version for branch (4.16.z)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
• release note text is set and does not match the template
• dependent bug Jira Issue OCPBUGS-58451 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-58451 targets the "4.17.z" version, which is one of the valid target versions: 4.17.0, 4.17.z
• bug has dependents

Requesting review from QA contact:
/cc @dis016

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[petr-muller]

/verified by @PraffulKapse

Equivalent to the qe-approved after #1213 (comment)

[openshift-ci-robot]

@petr-muller: This PR has been marked as verified by @PraffulKapse.

In response to this:

/verified by @PraffulKapse

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@openshift-cherrypick-robot: Jira Issue Verification Checks: Jira Issue OCPBUGS-58452
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-58452 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

In response to this:

This is an automated cherry-pick of #1165

/assign petr-muller

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-robot]

Fix included in accepted release 4.16.0-0.nightly-2025-09-06-014223

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: cluster-version-operator
This PR has been included in build cluster-version-operator-container-v4.16.0-202509060044.p0.gbe82028.assembly.stream.el9.
All builds following this will include this PR.