Bug 1937464
Summary: | openstack cloud credentials are not getting configured with correct user_domain_name across the cluster | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Sudarshan Chaudhari <suchaudh> |
Component: | Cloud Compute | Assignee: | Mike Fedosin <mfedosin> |
Cloud Compute sub component: | OpenStack Provider | QA Contact: | Itzik Brown <itbrown> |
Status: | CLOSED ERRATA | Docs Contact: | |
Severity: | high | ||
Priority: | high | CC: | adduarte, aos-bugs, arane, egarcia, itbrown, jaeichle, jdiaz, jkaur, jrouth, lwan, m.andre, mbooth, mfedosin, obulatov, pprinett |
Version: | 4.5 | Keywords: | Triaged |
Target Milestone: | --- | ||
Target Release: | 4.8.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
Cause: The Cluster Image Registry Operator treated user_domain_name as an immutable field and didn't modify it after installation.
Consequence: After user_domain_name was updated in the main secret, the operator didn't accept the change and couldn't work with the updated credentials.
Fix: Mark user_domain_name and the other related domain fields as mutable and do not store them in the image registry config.
Result: Updating user_domain_name and all other auth parameters is now supported.
|
Last Closed: | 2021-07-27 22:52:37 UTC | Type: | Bug |
Description
Sudarshan Chaudhari
2021-03-10 17:28:22 UTC
I tested with a fresh installation as well. Used clouds.yaml for IPI installation (OCP 4.5, RHOSP13):

    clouds:
      openstack:
        auth:
          auth_url: https://osp.acme.cloud:13000/v3
          username: my-user
          password: xxxxxxxxx
          project_name: myprojectname
          user_domain_name: myuserdoamin.name
          project_domain_name: default
        cacert: "/home/ansible_deployer/my_root_ca.pem"
        region_name: myregion
        interface: "public"

Result: cluster installation failed. Registry is not coming up.

Four observations:

a) registry falls back to use cinder in the first place instead of using swift (the user has the swift operator role, with the cli the user can create containers)

b) the cinder volume cannot be mounted due to: "Failed to provision volume with StorageClass "standard": unable to initialize cinder client for region: myregion, err: cloud provider is not initialized: cannot initialize cloud provider using data from the secret: Authentication failed"

c) when checking the openstack-credentials in kube-system, I can see that the clouds.yaml looks correct, however the clouds.conf looks like this:

    [Global]
    auth-url = "https://osp.acme.cloud:13000/v3"
    username = "myuser"
    password = "xxxxxxxx"
    tenant-name = "myprojectname"
    domain-name = "myuserdoamin.name"
    region = "myregion"
    ca-file = /etc/kubernetes/static-pod-resources/configmaps/cloud-config/ca-bundle.pem

---> user-domain-name is not there but domain-name instead, which looks surprising to me, but I might be wrong.

d) when changing this clouds.conf in the secret by setting the user-domain-name instead of the domain-name, and then trying to create a PVC, I get the error that user-domain-name is not a valid config option under the [Global] section.
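A check for the mismatch described in observation (c), as an added example that is not part of the original report or of OpenShift's own code: it compares the clouds.yaml and clouds.conf renderings held in the same secret and lists the keys whose values disagree, without echoing the password. The key mapping is an assumption inferred from the matching values quoted above; the function names are hypothetical and the sample inputs are constructed.

```python
import configparser
import re

# clouds.yaml leaf key -> clouds.conf [Global] key. Assumption: this mapping is
# inferred from the matching values in the two renderings quoted in the report.
KEY_MAP = {"auth_url": "auth-url", "username": "username", "password": "password",
           "project_name": "tenant-name", "user_domain_name": "domain-name",
           "region_name": "region"}
REDACT = {"password"}  # values of these keys are never echoed into findings

def yaml_leaves(text):
    """Scalar `key: value` leaves only; enough for a single-cloud clouds.yaml."""
    pairs = re.findall(r"^[ \t]*([A-Za-z_]+):[ \t]+(\S.*)$", text, re.M)
    return {k: v.strip().strip("\"'") for k, v in pairs}

def conf_global(text):
    """Options of the [Global] section with surrounding quotes removed."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' in passwords is literal
    cp.read_string(text)
    return {k: v.strip().strip("\"'") for k, v in cp["Global"].items()}

def find_drift(clouds_yaml, clouds_conf):
    """Return (yaml_key, conf_key, yaml_value, conf_value) for each disagreement."""
    want, have = yaml_leaves(clouds_yaml), conf_global(clouds_conf)
    drift = []
    for ykey, ckey in KEY_MAP.items():
        if ykey in want and want[ykey] != have.get(ckey):
            shown = ("<redacted>",) * 2 if ykey in REDACT else (want[ykey], have.get(ckey))
            drift.append((ykey, ckey) + shown)
    return drift

# Constructed sample: clouds.yaml was updated to "new-domain" and a new password,
# while the clouds.conf rendering still carries the old values.
SAMPLE_YAML = """\
clouds:
  openstack:
    auth:
      auth_url: https://osp.example.test:13000/v3
      password: new-secret
      user_domain_name: new-domain
    region_name: myregion
"""
SAMPLE_CONF = """\
[Global]
auth-url = "https://osp.example.test:13000/v3"
password = "old-secret"
domain-name = "old-domain"
region = "myregion"
"""
print(find_drift(SAMPLE_YAML, SAMPLE_CONF))
```

A key that is present in clouds.yaml but absent from [Global] is reported with None as the clouds.conf value.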
Deployed with domain 'shiftstack' and verified that under 'swift' there is only the container entry:

    $ oc get configs.imageregistry.operator.openshift.io/cluster -o json | jq .status.storage
    {
      "managementState": "Managed",
      "swift": {
        "container": "ostest-f228c-image-registry-yjdyrxtxocvqouruapcoegyqcpdkfsdyms"
      }
    }

OCP: 4.8.0-0.nightly-2021-06-13-101614
OSP: RHOS-16.1-RHEL-8-20210506.n.1

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

Hello,

Do we have any update for this to be backported to 4.6?

The recent erratas do not include this issue and it seems to be fixed since a while.

(In reply to Sudarshan Chaudhari from comment #44)
> Hello,
>
> Do we have any update for this to be backported to 4.6?
>
> The recent erratas do not include this issue and it seems to be fixed since
> a while.

Hi Sudarshan, the fix is available starting from 4.8 and will not be backported to 4.6 due to risks associated with the backport. We've however documented a workaround to get past the issue in versions prior to 4.8: https://github.com/openshift/installer/blob/master/docs/user/openstack/known-issues.md#changing-user-domain-for-image-registry