Bug 1910372

Summary: Passthrough credentials are not immediately re-distributed on update
Product: OpenShift Container Platform
Reporter: Akhil Rane <arane>
Component: Cloud Credential Operator
Assignee: Akhil Rane <arane>
Status: CLOSED ERRATA
QA Contact: wang lin <lwan>
Severity: high
Docs Contact:
Priority: high
Version: 4.6
CC: arane, dgoodwin, dgoodwin, jdiaz, lwan, molasaga, nstielau, rsandu, wking
Target Milestone: ---
Keywords: Reopened
Target Release: 4.6.z
Flags: arane: needinfo+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1899515
Environment:
Last Closed: 2021-02-22 13:54:32 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1899515
Bug Blocks:

Comment 1 Nick Stielau 2021-02-03 19:24:50 UTC
I don't think this is a blocker, but want team's input.

Comment 2 Joel Diaz 2021-02-03 20:57:48 UTC
A blocker in what way? For 4.6?

Comment 8 wang lin 2021-02-18 11:26:11 UTC
Verified on 4.6.0-0.nightly-2021-02-17-215814 

For aws/gcp/azure/vsphere/openstack, when installing a cluster with a secret that only has passthrough permissions (in other words, cco is in passthrough mode), then after installation, updating the root cred to another one (which only has passthrough permission too), cco will immediately update all those related secrets.


Hi, Akhil
There is a situation: if cco is in mint mode in the beginning, then updating the root creds to one that only has passthrough permission, cco will verify the root secret and set the annotation to passthrough mode in the root secret CR, like "cloudcredential.openshift.io/mode": "passthrough". But in this situation, if I update the root creds to another one which only has passthrough permission too, it will not follow this logic; cco will not update those related secrets.

Do we need to cover this situation, or do we need to document that this is not supported? The cco is definitely in passthrough mode now, but it can't immediately update those related secrets in this situation.
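
A consistency check for the behavior verified in comment 8, as an added example that is not part of the bug report or the operator's own code: given the root secret and the component secrets as parsed `oc get secret -o json` objects, it lists the component secrets that still hold old credentials after a root credential update. The secret names, namespaces, key values and helper functions are constructed for illustration, and it assumes passthrough mode leaves each component secret carrying the root credential under the same data keys.

```python
import base64
import hmac

# Annotation quoted in comment 8 (set on the root secret).
MODE_ANNOTATION = "cloudcredential.openshift.io/mode"


def make_secret(namespace, name, values, annotations=None):
    """Build a Secret-shaped dict (hypothetical helper for the constructed samples)."""
    data = {k: base64.b64encode(v.encode()).decode() for k, v in values.items()}
    return {"metadata": {"namespace": namespace, "name": name,
                         "annotations": annotations or {}}, "data": data}


def decoded(secret):
    """Base64-decode every data key of a Secret object."""
    return {k: base64.b64decode(v) for k, v in secret.get("data", {}).items()}


def stale_secrets(root, components):
    """Return namespace/name of component secrets that differ from the root secret.

    Assumption: in passthrough mode each component secret carries the root
    credential under the same data keys. Values are compared, never printed.
    """
    mode = root["metadata"].get("annotations", {}).get(MODE_ANNOTATION)
    if mode != "passthrough":
        raise ValueError(f"root secret mode is {mode!r}, expected 'passthrough'")
    root_data = decoded(root)
    stale = []
    for comp in components:
        comp_data = decoded(comp)
        shared = root_data.keys() & comp_data.keys()
        # No shared key at all means the secret cannot be confirmed as in sync.
        in_sync = bool(shared) and all(
            hmac.compare_digest(root_data[k], comp_data[k]) for k in shared)
        if not in_sync:
            stale.append(f"{comp['metadata']['namespace']}/{comp['metadata']['name']}")
    return stale


# Constructed sample data: the root credential was already rotated to NEW.
NEW = {"aws_access_key_id": "EXAMPLE-NEW-ID", "aws_secret_access_key": "example-new-secret"}
OLD = {"aws_access_key_id": "EXAMPLE-OLD-ID", "aws_secret_access_key": "example-old-secret"}
ROOT = make_secret("kube-system", "root-creds-example", NEW, {MODE_ANNOTATION: "passthrough"})
COMPONENTS = [make_secret("example-ns-a", "component-a-creds", NEW),
              make_secret("example-ns-b", "component-b-creds", OLD)]

if __name__ == "__main__":
    print("stale:", stale_secrets(ROOT, COMPONENTS))
```
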

Comment 9 wang lin 2021-02-19 01:18:30 UTC
I have asked Devan this question before. His suggestion is that we don't need to consider this situation at this time. I always feel that this is a possible scenario; if we need to cover this scenario later, I will file a new bug to track it. Moving this bug to Verified first.

https://issues.redhat.com/browse/HIVE-1286?focusedCommentId=15507308&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-15507308

Comment 11 errata-xmlrpc 2021-02-22 13:54:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.18 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0510

Comment 12 Red Hat Bugzilla 2023-09-15 00:56:39 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days