Bug 1981694

Summary: Restrict Noobaa from creating public endpoints for IBM ROKS Private cluster
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation
Component: Multi-Cloud Object Gateway
Version: 4.6
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Sahina Bose <sabose>
Assignee: Liran Mauda <lmauda>
QA Contact: Ben Eli <belimele>
CC: akgunjal, dzaken, etamir, ikave, lmauda, muagarwa, nbecker, nberry, ocs-bugs, odf-bz-bot, rperiyas, shrao
Keywords: Automation, Regression
Target Release: ODF 4.10.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 4.10.0-113
Doc Type: No Doc Update
Last Closed: 2022-04-13 18:49:40 UTC

Description Sahina Bose 2021-07-13 07:36:57 UTC
This bug was initially created as a copy of Bug #1954708

I am copying this bug because: 



Description of problem (please be as detailed as possible and provide log
snippets):
OCS installation creates Public IPs even with OCP installed as a Private cluster on IBM ROKS.


Version of all relevant components (if applicable):
OCS 4.x

Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?
Yes, public endpoints are not expected on a private cluster

Is there any workaround available to the best of your knowledge?
Workarounds provided in Bug 1954708 were tried but did not work. Here's an update from Shirisha from the IBM team:
We tried both of the workarounds suggested:

1. Annotate the LB
     However, this wasn't possible as it said

Warning  CreatingCloudLoadBalancerFailed  3s  ibm-cloud-provider  Error on cloud load balancer kube-c2jpf1n20k1p2v6es490-9b45719fc38045b4b9d7fc13326614c4 for service openshift-storage/noobaa-mgmt with UID 9b45719f-c380-45b4-b9d7-fc13326614c4: Failed ensuring LoadBalancer: UpdateLoadBalancer failed: The load balancer was created as a public load balancer. This setting can not be changed

2. Create an egress firewall:
     Couldn't create it, as the link provided worked only if OpenShift SDN was
used, but IBM ROKS uses Calico SDN.
     Also, this is only a policy that can be used to control the traffic.


Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?
2

Is this issue reproducible?
Yes.

Can this issue reproduce from the UI?
Yes.

If this is a regression, please provide more details to justify this:
No. 

Actual results:
The creation of the Public IPs was unexpected and unwanted in internal clusters.

Expected results:
Restrict Noobaa from creating any Public resources for Private clusters.

Additional info:

Comment 1 Nimrod Becker 2021-07-21 06:58:22 UTC
Setting 4.9, can clone to 4.8.z if needed

Comment 2 Shirisha S Rao 2021-09-17 09:33:16 UTC
@nbecker Do we need LBs in a private cluster, as there is no inbound connectivity?
Also, will the fix for this be available soon?

Comment 10 Nimrod Becker 2022-01-18 09:17:32 UTC
Deploy ODF on a cloud ...
See that the public endpoint/route was created.

Update the YAML to disable the public route, delete the public route and see that it's not re-created

Comment 11 Sahina Bose 2022-01-21 10:40:01 UTC
@akgunjal.com Akash, can someone from your team help qualify this on ROKS?

Comment 14 Liran Mauda 2022-01-25 13:17:07 UTC
Test Instructions:

The fix is about giving a way to change the service from LoadBalancer to ClusterIP

If you want to change the service from LoadBalancer to ClusterIP all you need to do is edit the CRD and add `disableLoadBalancerService: true`


TL;DR

run: `kubectl edit noobaa noobaa`

and then
...
      memory: 500M
    requests:
      cpu: 100m
      memory: 500M
  dbType: postgres
  disableLoadBalancerService: true   # <-- add this line
  endpoints:
    maxCount: 1
    minCount: 1
...

Best Regards,
Liran.
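
A check one could run after the change described in Comment 14, added here as an example and not part of the bug report or the NooBaa project: it takes the saved output of `kubectl get svc -n openshift-storage -o json` and lists every service that is still of type LoadBalancer or still reports a load-balancer address. The sample data is constructed; the `s3` service name, the hostname and the IP address are assumptions.

```python
import json
import sys


def make_svc(name, svc_type, ingress=()):
    """Build a minimal Service object shaped like kubectl's JSON output."""
    return {
        "metadata": {"name": name, "namespace": "openshift-storage"},
        "spec": {"type": svc_type},
        "status": {"loadBalancer": {"ingress": list(ingress)} if ingress else {}},
    }


# Constructed samples. noobaa-mgmt is named in the report; the "s3" service
# name, the hostname and the IP address are assumptions for illustration.
SAMPLE_BEFORE = {"items": [
    make_svc("noobaa-mgmt", "LoadBalancer", [{"hostname": "lb.example.invalid"}]),
    make_svc("s3", "LoadBalancer", [{"ip": "203.0.113.10"}]),
]}
SAMPLE_AFTER = {"items": [make_svc("noobaa-mgmt", "ClusterIP"),
                          make_svc("s3", "ClusterIP")]}


def load_balancer_services(svc_list):
    """Return (namespace/name, type, addresses) for every service that is of
    type LoadBalancer or still reports a load-balancer ingress address."""
    findings = []
    for item in svc_list.get("items", []):
        spec = item.get("spec", {})
        lb_status = item.get("status", {}).get("loadBalancer") or {}
        addresses = [i.get("ip") or i.get("hostname")
                     for i in lb_status.get("ingress") or []]
        if spec.get("type") == "LoadBalancer" or addresses:
            meta = item["metadata"]
            findings.append((f"{meta['namespace']}/{meta['name']}",
                             spec.get("type"), addresses))
    return findings


if __name__ == "__main__":
    # With a file argument, audit saved kubectl output; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_BEFORE
    for name, svc_type, addrs in load_balancer_services(data):
        print(f"{name}: type={svc_type} addresses={addrs or 'none yet'}")
```

An empty result on a private cluster means no NooBaa service is requesting a cloud load balancer; a LoadBalancer entry with no address yet is still reported, since the request to the cloud provider has already been made.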

Comment 15 Shirisha S Rao 2022-02-14 13:41:37 UTC
Since the fix is not backported to 4.9.0 and is present on 4.10.0, it cannot be tested on ROKS currently.

Comment 23 errata-xmlrpc 2022-04-13 18:49:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.10.0 enhancement, security & bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1372

Comment 24 Red Hat Bugzilla 2023-12-08 04:25:43 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days