Bug 2035315
| Summary: | invalid test cases for AWS passthrough mode | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Joel Diaz <jdiaz> |
| Component: | Cloud Credential Operator | Assignee: | Nobody <nobody> |
| Status: | CLOSED ERRATA | QA Contact: | wang lin <lwan> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.10 | CC: | lwan |
| Target Milestone: | --- | ||
| Target Release: | 4.10.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-03-10 16:36:23 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Joel Diaz
2021-12-23 14:50:20 UTC
Verified on 4.10.0-0.nightly-2021-12-23-153012 No function changes, Install an aws cluster with cco default mode and credential has passthrough permission , installation succeed, and test rotation root credentials no regression. Read PR more carefully, Do more testing on ocp 4.10.0-0.nightly-2021-12-25-025639
1. Install an aws cluster with cco default mode and credential has passthrough permission , wait for installation successful
2. Patch root credentials with an insuffient one, check cco will set an error condition in CredentialsRequest status and won't update related secret data
$ oc get credentialsrequest -n openshift-cloud-credential-operator openshift-image-registry -o json | jq -r ".status.conditions"
[
{
"lastProbeTime": "2021-12-28T13:16:32Z",
"lastTransitionTime": "2021-12-28T13:16:32Z",
"message": "cloud creds are insufficient to satisfy CredentialsRequest",
"reason": "CloudCredsInsufficient",
"status": "True",
"type": "InsufficientCloudCreds"
}
]
$ oc get secret aws-creds -n kube-system -o json | jq -r .data
{
"aws_access_key_id": "QUtJQVVNUUFIQ0pPRU9XXXXXXXX",
"aws_secret_access_key": "N3lpeVJ4V0R6ekRUSXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}
[lwan@lwan Downloads]$ oc get secret ebs-cloud-credentials -n openshift-cluster-csi-drivers -o json | jq -r .data
{
"aws_access_key_id": "QUtJQVVNUUFIQ0pPTlY2XXXXXXX",
"aws_secret_access_key": "Y2ljd2N0bGswakZrSXl3SVXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"credentials": "W2RlZmF1bHRdCmF3c19hY2Nlc3NfXXXXXXXXXXXXXXXX"
}
3. Force cco mode to Passthrough, then cco will bypass credentials validation
oc patch cloudcredential cluster --type 'merge' -p '{"spec": {"credentialsMode": "Passthrough"}}'
4. Check cco will update related secret data directly
$ oc get secret aws-creds -n kube-system -o json | jq -r .data
{
"aws_access_key_id": "QUtJQVVNUUFIQ0pPRU9XXXXXXXX",
"aws_secret_access_key": "N3lpeVJ4V0R6ekRUSXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}
[lwan@lwan Downloads]$ oc get secret ebs-cloud-credentials -n openshift-cluster-csi-drivers -o json | jq -r .data
{
"aws_access_key_id": "QUtJQVVNUUFIQ0pPRU9XXXXXXXX",
"aws_secret_access_key": "N3lpeVJ4V0R6ekRUSXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
"credentials": "W2RlZmF1bHRdCmF3c19hY2Nlc3NfXXXXXXXXXXXXXXXX"
}
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056 |