Bug 1998432

Summary: Unable to use application credentials for Cinder / Swift volumes when installing on OpenStack
Product: OpenShift Container Platform
Reporter: Emmanuel Kasper <ekasprzy>
Component: Installer
Assignee: Pierre Prinetti <pprinett>
Installer sub component: OpenShift on OpenStack
QA Contact: Udi Shkalim <ushkalim>
Status: CLOSED WONTFIX
Severity: low
Priority: medium
CC: bverschu, imatza, m.andre, pprinett
Version: 4.8
Keywords: Triaged
Target Milestone: ---
Target Release: 4.11.0
Hardware: All
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Cause: cluster-image-registry's Swift integration did not work with application credentials.
Consequence: Tech preview installations with the external cloud provider, relying on application credentials, could not properly deploy.
Fix: With this change, cluster-image-registry's Swift integration works with application credentials.
Result: Tech preview installations with the external cloud provider, relying on application credentials, can now deploy, although they can't have Load Balancer integration.
Story Points: ---
Last Closed: 2022-03-23 09:53:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Emmanuel Kasper 2021-08-27 07:50:45 UTC
What problem/issue/behavior are you having trouble with?  What do you expect to see?
While trying to install an OCP 4 cluster on OpenStack with application credentials, the cluster itself works fine, but it is not possible to provision volumes on Cinder; the error is similar to:

Failed to provision volume with StorageClass "standard": unable to initialize cinder client for region: regionOne, err: cloud provider is not initialized: cannot initialize cloud provider using data from the secret: You must provide a password to authenticate.

The issue is mentioned by the following KB article: https://access.redhat.com/solutions/6020241

Comment 2 Pierre Prinetti 2021-08-27 08:22:21 UTC
Thank you for reporting. We plan on tackling this during the 4.10 release cycle.

See also https://issues.redhat.com/browse/OSASINFRA-1934

Comment 3 Bram Verschueren 2021-09-02 13:48:58 UTC
If I'm not mistaken, the problem is that the image-registry-operator verifies whether Swift is available (https://github.com/openshift/cluster-image-registry-operator/blob/48485bb2206c8829b7b07904e3585816ed39485f/pkg/storage/storage.go#L162), which fails when used with application credentials (see https://bugzilla.redhat.com/show_bug.cgi?id=1991826), so it falls back to using Cinder-based PVCs. The default StorageClass, however, is the in-tree (non-CSI) Cinder plugin, which does not consider application credentials (https://github.com/kubernetes/kubernetes/blob/2a88664eccdf02cd01777b48171873a028117737/staging/src/k8s.io/legacy-cloud-providers/openstack/openstack.go#L158-L173), causing gophercloud to error out (https://github.com/gophercloud/gophercloud/blob/513734676e6495f6fec60e7aaf1f86f1ce807428/auth_options.go#L201-L285).

Comment 6 ShiftStack Bugwatcher 2021-11-25 16:12:16 UTC
Removing the Triaged keyword because:

* the QE automation assessment (flag qe_test_coverage) is missing

Comment 8 Martin André 2021-12-20 15:17:17 UTC
Hello, let me try to summarize the situation and provide a way forward with this BZ.

- the in-tree cloud provider does not support application credentials [1]. It is currently in maintenance mode and we can't add new features to it.
- both the external cloud provider and the CSI drivers support application credentials [2]
- cluster-image-registry's swift integration also now works with application credentials thanks to https://github.com/openshift/cluster-image-registry-operator/pull/686

This means that, when using the external cloud provider and CSI migration, things should work out of the box. This should become tech preview in 4.10 before becoming GA in a later release.

Clusters using the in-tree cloud provider may partially work with application credentials when using CSI, either by enabling CSI migration (still tech preview) or by setting the standard-csi storage class as default; however, they can't have Load Balancer integration. This also won't be a supported configuration.

I suggest we close the BZ as there is nothing we can do to support application credentials with the legacy cloud provider and instead follow https://issues.redhat.com/browse/OSASINFRA-2368 for the application credentials RFE.

[1] https://github.com/openshift/kubernetes/blob/fdb6e2b/staging/src/k8s.io/legacy-cloud-providers/openstack/openstack.go#L164-L180
[2] https://github.com/openshift/cloud-provider-openstack/blob/cab1ef2/pkg/client/client.go#L72-L74
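The failure mode described in comment 3 (the in-tree Cinder plugin drops the application-credential fields before they reach gophercloud, which then reports "You must provide a password to authenticate") and the workaround in comment 8 (make the CSI storage class the default) can be turned into a pre-flight check an admin runs before relying on application credentials. The script below is an added example; it is not code from this bug report, from the installer, or from any of the linked projects. The `IN_TREE_AUTH_FIELDS` / `EXTERNAL_AUTH_FIELDS` sets are a simplified model of which `clouds.yaml` auth keys each provider forwards, the storage class list is constructed to match the `standard` / `standard-csi` names used in the thread, and the cloud mapping is shaped like what `yaml.safe_load` returns for one entry of `clouds.yaml`.

```python
"""Pre-flight check: will PVC provisioning work with OpenStack application credentials?

Added example modelling comments 3 and 8 of bug 1998432; not project code.
"""
import copy
from typing import Dict, List, Optional

# Auth keys the legacy (in-tree) provider forwards to gophercloud. The
# application_credential_* keys are deliberately absent: that is the defect the
# report describes. Exact key coverage is a simplifying assumption.
IN_TREE_AUTH_FIELDS = {"auth_url", "username", "password", "user_domain_name",
                       "project_name", "project_id", "project_domain_name"}
# The external provider / CSI driver also forwards application credentials.
EXTERNAL_AUTH_FIELDS = IN_TREE_AUTH_FIELDS | {"application_credential_id",
                                              "application_credential_name",
                                              "application_credential_secret"}

MISSING_PASSWORD = "You must provide a password to authenticate"  # message quoted in the report
IN_TREE_CINDER = "kubernetes.io/cinder"
CINDER_CSI = "cinder.csi.openstack.org"
DEFAULT_ANNOTATION = "storageclass.kubernetes.io/is-default-class"


def token_request_kind(auth: Dict[str, str]) -> str:
    """Decide which Keystone v3 token request the received auth fields allow."""
    if auth.get("password"):
        return "password"
    if auth.get("application_credential_id") or auth.get("application_credential_name"):
        if not auth.get("application_credential_secret"):
            raise ValueError("application credential without secret")
        return "application_credential"
    raise ValueError(MISSING_PASSWORD)


def provider_auth_result(auth: Dict[str, str], provider: str) -> str:
    """Simulate what a given provider ('in-tree' or 'external') would get from this auth block."""
    allowed = IN_TREE_AUTH_FIELDS if provider == "in-tree" else EXTERNAL_AUTH_FIELDS
    forwarded = {k: v for k, v in auth.items() if k in allowed}
    try:
        return token_request_kind(forwarded)
    except ValueError as exc:
        return f"error: {exc}"


def default_storage_class(storage_classes: List[dict]) -> Optional[dict]:
    for sc in storage_classes:
        if sc.get("metadata", {}).get("annotations", {}).get(DEFAULT_ANNOTATION) == "true":
            return sc
    return None


def assess(auth: Dict[str, str], storage_classes: List[dict]) -> List[str]:
    """Return findings for the 'application credentials + in-tree default class' combination."""
    findings: List[str] = []
    if provider_auth_result(auth, "external") != "application_credential":
        return findings  # password auth (or unusable creds): not the scenario in this report
    sc = default_storage_class(storage_classes)
    if sc is None:
        findings.append("no default StorageClass: PVCs without storageClassName will not bind")
    elif sc["provisioner"] == IN_TREE_CINDER:
        findings.append(f"default StorageClass {sc['metadata']['name']!r} uses {IN_TREE_CINDER}; "
                        f"in-tree provider result: {provider_auth_result(auth, 'in-tree')}")
        csi = [s["metadata"]["name"] for s in storage_classes if s["provisioner"] == CINDER_CSI]
        if csi:
            findings.append(f"make {csi[0]!r} the default StorageClass instead")
    return findings


def make_csi_default(storage_classes: List[dict]) -> List[dict]:
    """Return a copy in which the first cinder CSI class is the only default."""
    updated = copy.deepcopy(storage_classes)
    chosen = False
    for sc in updated:
        ann = sc.setdefault("metadata", {}).setdefault("annotations", {})
        if sc["provisioner"] == CINDER_CSI and not chosen:
            ann[DEFAULT_ANNOTATION] = "true"
            chosen = True
        else:
            ann[DEFAULT_ANNOTATION] = "false"
    return updated


# Constructed sample input: one clouds.yaml entry using application credentials,
# and the two storage classes named in the thread.
SAMPLE_CLOUD = {
    "auth_type": "v3applicationcredential",
    "auth": {"auth_url": "https://keystone.example.invalid:13000/v3",
             "application_credential_id": "constructed-app-cred-id",
             "application_credential_secret": "constructed-app-cred-secret"},
}
SAMPLE_STORAGE_CLASSES = [
    {"metadata": {"name": "standard", "annotations": {DEFAULT_ANNOTATION: "true"}},
     "provisioner": IN_TREE_CINDER},
    {"metadata": {"name": "standard-csi", "annotations": {}},
     "provisioner": CINDER_CSI},
]

if __name__ == "__main__":
    for line in assess(SAMPLE_CLOUD["auth"], SAMPLE_STORAGE_CLASSES):
        print("FINDING:", line)
    print("after switching default:", assess(SAMPLE_CLOUD["auth"],
                                              make_csi_default(SAMPLE_STORAGE_CLASSES)))
```

On a live cluster the inputs would come from the cloud credentials secret (on OpenShift the installer-created `openstack-credentials` secret in `kube-system`, assumed here, decoded with `yaml.safe_load`) and from `oc get storageclass -o json`. The equivalent of `make_csi_default` is the documented annotation flip, `oc patch storageclass standard -p '{"metadata":{"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'` followed by the same patch with `"true"` on `standard-csi`; as comment 8 notes, this only addresses volume provisioning, not Load Balancer integration.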

Comment 9 Pierre Prinetti 2022-03-23 09:53:42 UTC
Closing as WONTFIX for 4.10 and earlier releases. Application credentials support is treated as an RFE and we target 4.11 for it (with the general availability of the external cloud provider).