Bug 2006364
| Summary: | IBM Cloud: Set resourceGroupId for resourceGroups, not simply resource | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Christopher J Schaefer <cschaefe> |
| Component: | Cloud Credential Operator | Assignee: | Nobody <nobody> |
| Status: | CLOSED ERRATA | QA Contact: | wang lin <lwan> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.10 | CC: | lwan, mkumatag, mkumatag |
| Target Milestone: | --- | ||
| Target Release: | 4.10.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-03-10 16:12:32 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Christopher J Schaefer
2021-09-21 14:29:22 UTC
Hi Manjunath,
I am a newer for ibm cloud, when i run the command `$ ccoctl ibmcloud create-shared-secrets --credentials-requests-dir=... --output-dir=... --resource-group-name=ccotest-rg`
the output is like below, i can't find an attribute with name resourceType and value resource-group. could you show me more info how to reproduce or verify this issue?
###
{
"attributes": [
{
"name": "serviceName",
"value": "power-iaas",
"operator": "stringEquals"
},
{
"name": "resourceGroupId",
"value": "7e8025a578aa4a0a90XXXXXXXX",
"operator": "stringEquals"
},
{
"name": "accountId",
"value": "fdc2e14cf8bc4d53XXXXXXXX",
"operator": "stringEquals"
}
]
}
###
As mentioned here https://github.com/openshift/cloud-credential-operator/pull/385#pullrequestreview-759283773, this issue happens only of for the attribute type - resource-group, you can use the following CR to test this: ``` apiVersion: cloudcredential.openshift.io/v1 kind: CredentialsRequest metadata: name: cred1 namespace: openshift-cloud-credential-operator spec: providerSpec: apiVersion: cloudcredential.openshift.io/v1 kind: IBMCloudProviderSpec policies: - roles: - "crn:v1:bluemix:public:iam::::serviceRole:Manager" - "crn:v1:bluemix:public:iam::::role:Editor" - "crn:v1:bluemix:public:iam::::role:Viewer" attributes: - name: "serviceName" value: "is" - roles: - "crn:v1:bluemix:public:iam::::role:Viewer" - "crn:v1:bluemix:public:iam::::role:Operator" attributes: - name: "resourceType" value: "resource-group" secretRef: namespace: openshift-machine-api name: ibm-cred-4 ``` Note: contains the `resource-group` in the second policy. Thanks Manjunath.
Verified on registry.ci.openshift.org/ocp/release:4.10.0-0.ci-2021-09-22-030936 with this fix , the output is as expected.
{
"attributes": [
{
"name": "resourceType",
"value": "resource-group",
"operator": "stringEquals"
},
{
"name": "resource",
"value": "7e8025a578aa4a0a9XXXXXX",
"operator": "stringEquals"
},
{
"name": "accountId",
"value": "fdc2e14cf8bc4d53aXXXXXX",
"operator": "stringEquals"
}
]
}
using image without this fix:registry.ci.openshift.org/ocp/release:4.10.0-0.ci-2021-09-19-144306, it will show the below
{
"attributes": [
{
"name": "resourceType",
"value": "resource-group",
"operator": "stringEquals"
},
{
"name": "resourceGroupId",
"value": "7e8025a578aa4a0XXXXXXXXXX",
"operator": "stringEquals"
},
{
"name": "accountId",
"value": "fdc2e14cf8bc4dXXXXXXXXXX",
"operator": "stringEquals"
}
]
}
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056 |