Bug 1916454

Summary: teach CCO about upgradeability from 4.6 to 4.7
Product: OpenShift Container Platform Reporter: Joel Diaz <jdiaz>
Component: Cloud Credential OperatorAssignee: Joel Diaz <jdiaz>
Status: CLOSED ERRATA QA Contact: wang lin <lwan>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.7CC: lwan, tsze, yunjiang
Target Milestone: ---Flags: lwan: needinfo-
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 1916868 (view as bug list) Environment:
Last Closed: 2021-02-24 15:53:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1916868    

Description Joel Diaz 2021-01-14 19:48:52 UTC 
Description of problem:
There are known new CredentialsRequests when upgrading from 4.6 to 4.7. Update the Upgradeable calculation that CCO performs to watch for these Secrets when CCO is in Manual mode (where the cluster admin is responsible for creating the Secrets).
Comment 2 wang lin 2021-01-18 09:16:38 UTC 
Verified on 4.7.0-0.nightly-2021-01-17-211555

1. install cluster on gcp with cco in Manual,
2. delete secret openshift-cluster-csi-drivers/gcp-pd-cloud-credentials, openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
3. check .status.conditions of co cloud-credential
$ oc get co cloud-credential -o json | jq -r ".status.conditions"
[
  {
    "lastTransitionTime": "2021-01-18T07:32:00Z",
    "message": "Credential minting is disabled by cluster admin",
    "reason": "OperatorDisabledByAdmin",
    "status": "True",
    "type": "Available"
  },
  {
    "lastTransitionTime": "2021-01-18T06:44:49Z",
    "status": "False",
    "type": "Degraded"
  },
  {
    "lastTransitionTime": "2021-01-18T06:59:22Z",
    "status": "False",
    "type": "Progressing"
  },
  {
    "lastTransitionTime": "2021-01-18T08:20:20Z",
    "message": "Cannot upgrade manual mode cluster to 4.7 due to missing secret(s): [openshift-cluster-csi-drivers/gcp-pd-cloud-credentials openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds] Please see Manualy Creating IAM documentation for the cluster's platform.",
    "reason": "ManualModeMissingSecrets",
    "status": "False",
    "type": "Upgradeable"
  }
]

4. recreate secret openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds again, check .status.conditions of co cloud-credential
$ oc get co cloud-credential -o json | jq -r ".status.conditions"
[
  {
    "lastTransitionTime": "2021-01-18T07:32:00Z",
    "message": "Credential minting is disabled by cluster admin",
    "reason": "OperatorDisabledByAdmin",
    "status": "True",
    "type": "Available"
  },
  {
    "lastTransitionTime": "2021-01-18T06:44:49Z",
    "status": "False",
    "type": "Degraded"
  },
  {
    "lastTransitionTime": "2021-01-18T06:59:22Z",
    "status": "False",
    "type": "Progressing"
  },
  {
    "lastTransitionTime": "2021-01-18T08:21:50Z",
    "message": "Cannot upgrade manual mode cluster to 4.7 due to missing secret(s): [openshift-cluster-csi-drivers/gcp-pd-cloud-credentials] Please see Manualy Creating IAM documentation for the cluster's platform.",
    "reason": "ManualModeMissingSecrets",
    "status": "False",
    "type": "Upgradeable"
  }
]
5. recreate secret openshift-cluster-csi-drivers/gcp-pd-cloud-credentials again, check .status.conditions of co cloud-credential, Upgradeable=Ture.
 oc get co cloud-credential -o json | jq -r ".status.conditions"
[
  {
    "lastTransitionTime": "2021-01-18T07:32:00Z",
    "message": "Credential minting is disabled by cluster admin",
    "reason": "OperatorDisabledByAdmin",
    "status": "True",
    "type": "Available"
  },
  {
    "lastTransitionTime": "2021-01-18T06:44:49Z",
    "status": "False",
    "type": "Degraded"
  },
  {
    "lastTransitionTime": "2021-01-18T06:59:22Z",
    "status": "False",
    "type": "Progressing"
  },
  {
    "lastTransitionTime": "2021-01-18T08:22:24Z",
    "status": "True",
    "type": "Upgradeable"
  }
]

######
Hi,Joel cco supported mode in openstack and vsphere is Passthrough, I saw the codes are still including openstack and vsphere platform, do we need to test Manual mode for openstack and vsphere.
Comment 3 wang lin 2021-01-22 03:11:34 UTC 
don't need to test Manual mode for openstack and vsphere at current, installer will prevent the users setting cco to Manual mode.
Comment 6 errata-xmlrpc 2021-02-24 15:53:18 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633