Bug 1867262

Summary: MachineSets in GCP are failing to create Machines in a Shared (XPN) VPC environment
Product: OpenShift Container Platform
Reporter: Brandon Smitley <bsmitley>
Component: Cloud Compute
Assignee: Joel Speed <jspeed>
Cloud Compute sub component: Other Providers
QA Contact: Milind Yadav <miyadav>
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
CC: mimccune, openshift-bugs-escalate, takirby, zhsun
Version: 4.5
Target Milestone: ---
Target Release: 4.6.0
Hardware: x86_64
OS: Linux
Doc Type: Enhancement
Doc Text:
  Feature: Added the projectID field to the networkInterfaces
  Reason: To allow machines to be booted in shared VPCs
  Result: Machines can now request to be created in a shared VPC
Story Points: ---
Last Closed: 2020-10-27 16:26:34 UTC
Type: Bug
Regression: ---
Bug Blocks: 1868751

Comment 7 Joel Speed 2020-08-11 14:20:05 UTC
I'm raising a PR to try and fix this issue, though I will need to do thorough testing before we can merge it due to the timing and nature of this bug.

An unknown for me currently is how the permissions will work for multiple projects. While we may be able to technically support this, we may not be able to leverage components such as the cloud credential operator to bootstrap credentials for Machines using this feature. (Though user-provisioned credentials are already supported.)

Comment 10 Joel Speed 2020-08-17 11:13:36 UTC
Need to add an extra PR to fix the webhooks, moving to assigned

Comment 12 Milind Yadav 2020-08-18 07:18:28 UTC
VALIDATED ON - 4.6.0-0.nightly-2020-08-18-005041

Steps:
1. Do a cluster install on GCP using the upi-on-gcp/versioned-installer-xpn profile [choose - disable_worker_machineset: "no"]
2. Update the machineset with the below network and projectID values, based on your env.
      .
      .
        networkInterfaces:
          - network: aos-qe-network
            projectID: openshift-qe-shared-vpc
            subnetwork: aos-qe-master-subnet
          projectID: openshift-qe
      .
      .
[you can get these values from the machines in the GCP console after installation]
3. Add the "Compute Network User" role to the service account miyadav-b62--openshift-m-8vq9x.gserviceaccount.com on the GCP host project mentioned in the template during installation - #host_project: "openshift-qe-shared-vpc"
Get the service account name using:
oc get credentialsrequests -n openshift-cloud-credential-operator openshift-machine-api-gcp -o json | jq -r '.status.providerStatus.serviceAccountID'

4. Scale the edited machineset.
New machines will be provisioned successfully and nodes are in Ready state.
oc get machines -o wide
.
.
miyadav-b62-6nv99-worker-f-mfbgf   Running   n1-standard-4   us-central1   us-central1-f   27m     miyadav-b62-6nv99-worker-f-mfbgf.c.openshift-qe.internal   gce://openshift-qe/us-central1-f/miyadav-b62-6nv99-worker-f-mfbgf   RUNNING

Expected - Machines should be provisioned successfully.

Additional Info:
Moved to VERIFIED
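Added example, not code from this bug or from the machine-api provider: a small Python audit that reads a MachineSet's GCP providerSpec in the shape `oc get machineset <name> -o json` returns, flags every network interface whose projectID points at a host project different from the machine's own project, and renders the IAM binding that step 3 above grants by hand. The sample documents and the service account name are constructed from the values in the verification comment; the role id `roles/compute.networkUser` and the `gcloud projects add-iam-policy-binding` command are standard GCP.

```python
import json

# Constructed sample: an abbreviated `oc get machineset <name> -o json` document
# built from the values shown in the verification steps above.
SAMPLE_MACHINESET = json.dumps({
    "metadata": {"name": "miyadav-b62-6nv99-worker-f", "namespace": "openshift-machine-api"},
    "spec": {"template": {"spec": {"providerSpec": {"value": {
        "kind": "GCPMachineProviderSpec",
        "projectID": "openshift-qe",
        "networkInterfaces": [{
            "network": "aos-qe-network",
            "projectID": "openshift-qe-shared-vpc",
            "subnetwork": "aos-qe-master-subnet",
        }],
    }}}}},
})

# Same document without the per-interface projectID: the single-project case.
SAMPLE_SINGLE_PROJECT = SAMPLE_MACHINESET.replace('"projectID": "openshift-qe-shared-vpc", ', "")

NETWORK_USER_ROLE = "roles/compute.networkUser"  # IAM id of "Compute Network User"

def shared_vpc_interfaces(machineset_json: str) -> list:
    """One record per interface whose network lives in a host project other than
    the project the machine itself is created in (the shared-VPC case)."""
    ms = json.loads(machineset_json)
    spec = ms["spec"]["template"]["spec"]["providerSpec"]["value"]
    service_project = spec["projectID"]
    findings = []
    for idx, nic in enumerate(spec.get("networkInterfaces", [])):
        # Field added by this bug's fix; when absent the network is in service_project.
        host_project = nic.get("projectID", service_project)
        if host_project != service_project:
            findings.append({"machineset": ms["metadata"]["name"], "interface": idx,
                             "network": nic["network"], "subnetwork": nic["subnetwork"],
                             "host_project": host_project})
    return findings

def grant_command(finding: dict, service_account: str) -> str:
    """Render the gcloud binding equivalent to step 3 above."""
    return (f"gcloud projects add-iam-policy-binding {finding['host_project']} "
            f"--member=serviceAccount:{service_account} --role={NETWORK_USER_ROLE}")

if __name__ == "__main__":
    sa = "machine-api@openshift-qe.iam.gserviceaccount.com"  # constructed placeholder
    for f in shared_vpc_interfaces(SAMPLE_MACHINESET):
        print(f"{f['machineset']} nic{f['interface']}: {f['network']} in {f['host_project']}")
        print("  " + grant_command(f, sa))
```

Run it against real output with `oc get machineset <name> -n openshift-machine-api -o json` piped into `shared_vpc_interfaces`; an empty result means no interface crosses into another project and no host-project binding is needed.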

Comment 16 errata-xmlrpc 2020-10-27 16:26:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196