Bug 1898045

Summary: AWS EBS CSI Driver can not get updated cloud credential secret automatically
Product: OpenShift Container Platform Reporter: Qin Ping <piqin>
Component: StorageAssignee: Fabio Bertinatto <fbertina>
Storage sub component: Operators QA Contact: Qin Ping <piqin>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: medium CC: aos-bugs, hekumar, jsafrane, lwan, rsandu
Version: 4.7   
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 1915467 (view as bug list) Environment:
Last Closed: 2021-02-24 15:33:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1915467    

Description Qin Ping 2020-11-16 09:12:34 UTC
Description of Problem:
AWS EBS CSI Driver can not get updated cloud credential secret automatically

Version-Release number of selected component (if applicable):

How Reproducible:

Steps to Reproduce:
1. Setup an OCP cluster on AWS.
2. Update the `kube-system/aws-creds` secret object with a new aws_access_key_id and aws_secret_access_key pair
3. Check the cloud credential secret `openshift-cluster-csi-drivers/ebs-cloud-credentials`, it's updated.
4. Delete the old aws_access_key_id/aws_secret_access_key from the AWS web console
5. Create a PVC with gp2-csi storageclass

Actual Results:
Failed to provision PV.
Warning  ProvisioningFailed    <invalid>                ebs.csi.aws.com_ip-10-0-223-16_ab24404a-1e71-423f-b752-8a9aa8f98797  failed to provision volume with StorageClass "gp2-csi": rpc error: code = Internal desc = AuthFailure: AWS was not able to validate the provided access credentials
           status code: 401, request id: 68bd3337-968c-4c09-8d20-a8f29b17a166

Restart `aws-ebs-csi-driver-controller` pod, privisioned PV successfully.

But volume attach still failed.
I1116 08:58:16.960359       1 csi_handler.go:250] Failed to save attach error to "csi-539ab4fd32fc865739277a7fed3be2e92eb90187b2a3f5af9e722f81282d4f81": VolumeAttachment.storage.k8s.io "csi-539ab4fd32fc865739277a7fed3be2e92eb90187b2a3f5af9e722f81282d4f81" is invalid: status.attachError.message: Too long: must have at most 262144 bytes
I1116 08:58:16.960385       1 csi_handler.go:226] Error processing "csi-539ab4fd32fc865739277a7fed3be2e92eb90187b2a3f5af9e722f81282d4f81": failed to attach: rpc error: code = Internal desc = Could not attach volume "vol-0c0ee416e986e8377" to node "i-0e06acfd4ec62b78c": could not attach volume "vol-0c0ee416e986e8377" to node "i-0e06acfd4ec62b78c": UnauthorizedOperation: 

Expected Results:
After the cloud credential secret is updated, aws ebs csi driver still can work well.

Comment 1 Jan Safranek 2020-11-20 13:45:09 UTC
What I noticed other operators to do (e.g. openshift-apiserver-operator), they hash the secret content into the operand Deployment / DaemonSet pod annotations:
          operator.openshift.io/dep-openshift-apiserver.config.configmap: TsndwQ==
          operator.openshift.io/dep-openshift-apiserver.etcd-client.secret: XX2UTw==
          operator.openshift.io/dep-openshift-apiserver.etcd-serving-ca.configmap: 3uGrWw==

Whenever a Secret / ConfigMap changes, the operator will calculate a new hash and update the Deployment, which triggers redeployment (i.e. restart) of all pods. There should be some support for it in library-go.

Comment 10 Qin Ping 2021-01-18 09:13:57 UTC
Verified with: 4.7.0-0.nightly-2021-01-17-211555

Comment 13 errata-xmlrpc 2021-02-24 15:33:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.