Bug 2037061

Summary: aws and gcp CredentialsRequest manifests missing ServiceAccountNames list for cluster-api
Product: OpenShift Container Platform Reporter: Joel Diaz <jdiaz>
Component: Cloud ComputeAssignee: Michael McCune <mimccune>
Cloud Compute sub component: Other Providers QA Contact: wang lin <lwan>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: unspecified CC: lwan, mimccune
Version: 4.10   
Target Milestone: ---   
Target Release: 4.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-12 04:40:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joel Diaz 2022-01-04 19:18:53 UTC 
Description of problem:
The CredentialsRequest manifests defined in https://github.com/openshift/cluster-capi-operator/blob/main/manifests/0000_30_capi-operator_00_credentials-request.yaml are missing the .spec.serviceAccountNames list.

This means when running in STS credentials mode on AWS or workload-identity mode in GCP, the IAM Role / IAM ServiceAccount cannot be locked down to a specific k8s ServiceAccount inside the cluster.

Version-Release number of selected component (if applicable): main branch


How reproducible: 100%


Steps to Reproduce:
1. View the CredentialsRequests objects in https://github.com/openshift/cluster-capi-operator/blob/main/manifests/0000_30_capi-operator_00_credentials-request.yaml
2. 
3.

Actual results:
See that there is no .spec.serviceAccountNames for the AWS and GCP resources.


Expected results:
.spec.serviceAccountNames is filled out to specify any k8s ServiceAccounts that will be used for making AWS / GCP API calls.


Additional info:
Comment 1 Michael McCune 2022-01-04 21:11:29 UTC 
*** Bug 2029833 has been marked as a duplicate of this bug. ***
Comment 2 Michael McCune 2022-01-04 21:12:34 UTC 
i failed to realize we already had a bug open for this, but since i have already posted the patch and linked it with this bz i have marked the other as a duplicate.

other bz https://bugzilla.redhat.com/show_bug.cgi?id=2029833
Comment 5 wang lin 2022-01-06 02:18:27 UTC 
Verified on registry.ci.openshift.org/ocp/release:4.10.0-0.nightly-2022-01-05-224703

$ export RELEASE_IMAGE=registry.ci.openshift.org/ocp/release:4.10.0-0.nightly-2022-01-05-224703
###For gcp platform
$ oc adm release extract --credentials-requests --cloud=gcp --to=./credrequests-gcp $RELEASE_IMAGE
$ cat credrequests-gcp/0000_30_capi-operator_00_credentials-request.yaml | grep serviceAccountNames
  serviceAccountNames:
Run command `./ccoctl gcp create-all --credentials-requests-dir credrequests-gcp --name lwan-gcp0106 --project openshift-qe --region us-central1 --output-dir gcp-secret`
won't hit error for cluster-api CredentialsRequest

###For aws platform
$ oc adm release extract --credentials-requests --cloud=aws --to=./credrequests-aws $RELEASE_IMAGE
$ cat credrequests-aws/0000_30_capi-operator_00_credentials-request.yaml | grep serviceAccountNames
  serviceAccountNames:
run command `./ccoctl aws create-all --credentials-requests-dir credrequests-aws/ --name lwan-aws-0106 --region us-east-2 --output-dir secret-aws`
won't hit error for cluster-api CredentialsRequest
Comment 8 errata-xmlrpc 2022-03-12 04:40:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056