Bug 1990975

Summary: ccoctl for IBM does not support not all possible environment variables to pass APIKEY
Product: OpenShift Container Platform Reporter: Akhil Rane <arane>
Component: Cloud Credential OperatorAssignee: Akhil Rane <arane>
Status: CLOSED ERRATA QA Contact: wang lin <lwan>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.9CC: lwan
Target Milestone: ---   
Target Release: 4.9.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-18 17:45:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Akhil Rane 2021-08-06 17:23:33 UTC 
Description of problem:
Currently, ccoctl for ibm supports only "IC_API_KEY" environment variable to pass api key. Customers also use other environment variables like "IBMCLOUD_API_KEY", "BM_API_KEY" and "BLUEMIX_API_KEY" to pass api key. The ccoctl fails to generate valid installer manifests if environment variable other then "IC_API_KEY" is used.


Version-Release number of selected component (if applicable):
4.9.0

How reproducible:
Always

Steps to Reproduce:
1. Set api key with environment variable IBMCLOUD_API_KEY 
2. Run 'ccoctl ibmcloud create-shared-secrets'
3. Newly generated secrets do not have api key 

Actual results:
"IBMCLOUD_API_KEY", "BM_API_KEY" and "BLUEMIX_API_KEY" cannot be used to pass api key to ccoctl, resulting in invalid secret manifests.

Expected results:
"IBMCLOUD_API_KEY", "BM_API_KEY" and "BLUEMIX_API_KEY" can be used to pass api key to ccoctl, resulting in valid secret manifests.


Additional info:
Comment 2 wang lin 2021-08-23 05:04:12 UTC 
The issue has verified on 4.9.0-fc.0-x86_64

1. extract ccoctl tool from above image
$export RELEASE_IMAGE=quay.io/openshift-release-dev/ocp-release:4.9.0-fc.0-x86_64
$CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret)
$oc image extract $CCO_IMAGE --file="/usr/bin/ccoctl" -a ~/.pull-secret
$chmod +x ccoctl

2. get credentials requests for ibmcloud
$oc adm release extract --credentials-requests --cloud=ibm --to=./credrequests-ibm $RELEASE_IMAGE

3.export ibm cloud apikey environment variables, and run `./ccoctl ibmcloud create-shared-secrets --credentials-requests-dir ./credrequests-ibm`

there are four environment variables IC_API_KEY, IBMCLOUD_API_KEY, BM_API_KEY and BLUEMIX_API_KEY
3.1 no environment variable setting, it will show the below error(correct)
$./ccoctl ibmcloud create-shared-secrets --credentials-requests-dir ./credrequests-ibm
Error: [IC_API_KEY IBMCLOUD_API_KEY BM_API_KEY BLUEMIX_API_KEY] environment variable not set

3.2 only set IC_API_KEY, the key can pass to secret(correct)
$export IC_API_KEY=FSNsXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
$export IBMCLOUD_API_KEY=""
$export BM_API_KEY=""
$export BLUEMIX_API_KEY=""

$./ccoctl ibmcloud create-shared-secrets --credentials-requests-dir ./credrequests-ibm
2021/08/23 12:56:48 Saved credentials configuration to: /home/lwan/ocp-install/ocp49/manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
2021/08/23 12:56:48 Saved credentials configuration to: /home/lwan/ocp-install/ocp49/manifests/openshift-ingress-operator-cloud-credentials-credentials.yaml
$ cat manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
apiVersion: v1
stringData:
  ibmcloud_api_key: FSNsXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
kind: Secret
metadata:
  name: installer-cloud-credentials
  namespace: openshift-image-registry

3.3 only set IBMCLOUD_API_KEY, the key can pass to secret(correct)
export IC_API_KEY=""
export IBMCLOUD_API_KEY=FSNsXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
export BM_API_KEY=""
export BLUEMIX_API_KEY=""

$./ccoctl ibmcloud create-shared-secrets --credentials-requests-dir ./credrequests-ibm
2021/08/23 12:56:48 Saved credentials configuration to: /home/lwan/ocp-install/ocp49/manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
2021/08/23 12:56:48 Saved credentials configuration to: /home/lwan/ocp-install/ocp49/manifests/openshift-ingress-operator-cloud-credentials-credentials.yaml
$ cat manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
apiVersion: v1
stringData:
  ibmcloud_api_key: FSNsXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
kind: Secret
metadata:
  name: installer-cloud-credentials
  namespace: openshift-image-registry

3.4 only set BM_API_KEY, the key can pass to secret(correct)

3.5 only set BLUEMIX_API_KEY, the key can pass to secret(correct)
Comment 5 errata-xmlrpc 2021-10-18 17:45:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759