Bug 1927157

Summary: [aws-c2s] STS is not supported on C2S region
Product: OpenShift Container Platform Reporter: Yunfei Jiang <yunjiang>
Component: Cloud Credential OperatorAssignee: Devan Goodwin <dgoodwin>
Status: CLOSED WONTFIX QA Contact: wang lin <lwan>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.7CC: gshereme, mstaeble, rsandu, yunjiang
Target Milestone: ---   
Target Release: 4.8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-02 00:26:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yunfei Jiang 2021-02-10 09:10:15 UTC 
Currently sts-preflight tool [1] or manual way [2] does not support STS on C2S region [3][4][5]

Creating this bug to track this feature to be supported on C2S.


[1] https://github.com/openshift/cloud-credential-operator/pull/290
[2] https://issues.redhat.com/browse/CCO-62
[3] https://github.com/openshift/cloud-credential-operator/pull/290#issuecomment-774636639
[4] https://github.com/openshift/cloud-credential-operator/pull/290#issuecomment-775161145
[5] https://github.com/openshift/cloud-credential-operator/pull/290#issuecomment-776051214
Comment 1 Greg Sheremeta 2021-02-16 17:06:03 UTC 
this will be resolved by work in 4.8

not a blocker for 4.7
Comment 2 Greg Sheremeta 2021-03-02 00:26:35 UTC 
The current design of STS cannot work in C2S. Unfortunately C2S needs to be treated like an entirely new platform for CCO purposes, and we require the usual RFE process for that. Obsoleting.
Comment 4 Matthew Staebler 2021-03-08 18:40:32 UTC 
@yunjiang Customers are going to need to get credentials from the CAP endpoint for all of the operators that need credentials. The customer will be responsible for implementing some means by which the credentials are periodically refreshed. I have put together a reference implementation of a cronjob that refreshes the credentials automatically. See https://github.com/staebler/cap-token-refresh.
Comment 5 Yunfei Jiang 2021-03-10 14:22:10 UTC 
Matthew, I've integrated CAP into our CI system, they work fine, checked cap-token-refresh logs and Secret, the credential were refreshed regularly.

I also got two questions:
1. The default expiration time of AWS credential created by CAP is one hour, is there a way to change this value?
2. Looks like we can not refresh the AWS credential during the OCP installation process, in most cases, the installation will be finished within 1 hour, but what will happen if it takes more than 1 hour? Even if we could refresh `~/.aws/credentials` during the installation,  the installer will not reload the new credential, is it right?

Thanks.
Comment 6 Matthew Staebler 2021-03-10 16:00:29 UTC 
(In reply to Yunfei Jiang from comment #5)
> Matthew, I've integrated CAP into our CI system, they work fine, checked
> cap-token-refresh logs and Secret, the credential were refreshed regularly.
> 
> I also got two questions:
> 1. The default expiration time of AWS credential created by CAP is one hour,
> is there a way to change this value?

I am pretty sure that there is a query parameter that you can add to the CAP URL to request a different lifetime for the credentials. I even have some recollection of seeing it at some point. But recently I have not been able to find any documentation for it.

> 2. Looks like we can not refresh the AWS credential during the OCP
> installation process, in most cases, the installation will be finished
> within 1 hour, but what will happen if it takes more than 1 hour? Even if we
> could refresh `~/.aws/credentials` during the installation,  the installer
> will not reload the new credential, is it right?

That is correct. The installer will not reload new credentials. But, the installer credentials are only needed up until the installer finishes the terraform phase.

> 
> Thanks.