Bug 1899515

Summary: Passthrough credentials are not immediately re-distributed on update
Product: OpenShift Container Platform Reporter: Devan Goodwin <dgoodwin>
Component: Cloud Credential OperatorAssignee: Akhil Rane <arane>
Status: CLOSED ERRATA QA Contact: wang lin <lwan>
Severity: medium Docs Contact:
Priority: high    
Version: 4.7CC: arane, jdiaz, lwan, rsandu, wking
Target Milestone: ---Keywords: Reopened
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1910372 (view as bug list) Environment:
Last Closed: 2021-02-24 15:34:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1910372    

Description Devan Goodwin 2020-11-19 13:19:26 UTC 
Description of problem:

In passthrough mode the CCO copies the root credentials secret (kube-system/aws-creds etc) to all CredentialsRequests. When this root secret is updated, CCO is not presently immediately updating all those secrets as it incorrectly assumes if we've synced within last 2 hours, we should wait until a sync is due.

Version-Release number of selected component (if applicable):

4.6


How reproducible:

Very


Steps to Reproduce:
1. Deploy CCO in passthrough mode on AWS or any other cloud desired.
2. Update the root secret in kube-system/aws-creds
3. Observe any of the target Secrets specified in the CredentialsRequests in openshift-cloud-credential-operator namespace.

Actual results:

Change will not immediately flow out to the dependent secrets, potentially taking 2 hours.

Expected results:

Immediately update all dependent secrets.


Additional info:

Fixed in 4.7 already, but needs a backport to 4.6 and 4.5. Once in 4.6 we will cherry pick again to 4.5.
Comment 2 Devan Goodwin 2020-11-19 13:20:41 UTC 
Fixed in 4.7: https://github.com/openshift/cloud-credential-operator/pull/242
Comment 5 Devan Goodwin 2020-12-10 17:52:47 UTC 
After discussion with PM, we don't think there's any requirement today to backport this work to 4.6. Closing for now.
Comment 6 Devan Goodwin 2020-12-11 15:12:27 UTC 
Turns out somebody does need this. :) Reopening.
Comment 7 Akhil Rane 2020-12-21 19:17:24 UTC 
Is this needed in 4.5 too?
Comment 10 errata-xmlrpc 2021-02-24 15:34:22 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633