Bug 2037331

Summary: Ensure the ccoctl behaviors are similar between aws and gcp on the existing resources
Product: OpenShift Container Platform
Reporter: wang lin <lwan>
Component: Cloud Credential Operator
Assignee: Akhil Rane <arane>
Status: CLOSED ERRATA
QA Contact: wang lin <lwan>
Severity: medium
Priority: high
Version: 4.10
CC: lwan
Target Milestone: ---
Target Release: 4.10.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2022-03-10 16:37:09 UTC
Type: Bug

Description wang lin 2022-01-05 13:07:23 UTC
Description:
When using ccoctl to create resources on AWS and GCP while some of the resources already exist, it uses the existing ones on AWS; conversely, it throws an error on GCP.
###gcp###
$ ./ccoctl gcp create-all --credentials-requests-dir credrequests-gcp --name lwan-gcp0105 --project openshift-qe --region us-central1 --output-dir test-gcp-secret
2022/01/05 20:54:20 Credentials loaded from file "/home/lwan/.gcp/osServiceAccount.json"
2022/01/05 20:54:20 Using existing RSA keypair found at test-gcp-secret/serviceaccount-signer.private
2022/01/05 20:54:20 Copying signing key for use by installer
2022/01/05 20:54:23 Failed to create workload identity pool: failed to create workload identity pool lwan-gcp0105: googleapi: Error 409: Requested entity already exists, alreadyExists
###aws###
$ ./ccoctl aws create-all --credentials-requests-dir credrequests-aws/ --name lwan-aws-0105 --region us-east-2 --output-dir secret-aws
2022/01/05 21:05:14 Using existing RSA keypair found at secret-aws/serviceaccount-signer.private
2022/01/05 21:05:14 Copying signing key for use by installer
2022/01/05 21:05:15 Bucket lwan-aws-0105-oidc already exists and is owned by the user
2022/01/05 21:05:16 OpenID Connect discovery document in the S3 bucket lwan-aws-0105-oidc at .well-known/openid-configuration updated
2022/01/05 21:05:16 Reading public key
2022/01/05 21:05:16 JSON web key set (JWKS) in the S3 bucket lwan-aws-0105-oidc at keys.json updated
2022/01/05 21:05:18 Existing Identity Provider found with ARN: arn:aws:iam::301721915996:oidc-provider/lwan-aws-0105-oidc.s3.us-east-2.amazonaws.com
2022/01/05 21:05:18 Ignoring CredentialsRequest openshift-cloud-credential-operator/cr-test-stale as it is marked for in-cluster deletion
2022/01/05 21:05:19 Existing role arn:aws:iam::301721915996:role/lwan-aws-0105-openshift-machine-api-aws-cloud-credentials found
2022/01/05 21:05:19 Updated Role policy for Role lwan-aws-0105-openshift-machine-api-aws-cloud-credentials
2022/01/05 21:05:19 Existing role arn:aws:iam::301721915996:role/lwan-aws-0105-openshift-cloud-credential-operator-cloud-credenti found
2022/01/05 21:05:20 Updated Role policy for Role lwan-aws-0105-openshift-cloud-credential-operator-cloud-credenti
2022/01/05 21:05:20 Existing role arn:aws:iam::301721915996:role/lwan-aws-0105-openshift-image-registry-installer-cloud-credentia found
2022/01/05 21:05:20 Updated Role policy for Role lwan-aws-0105-openshift-image-registry-installer-cloud-credentia
2022/01/05 21:05:20 Existing role arn:aws:iam::301721915996:role/lwan-aws-0105-openshift-ingress-operator-cloud-credentials found
2022/01/05 21:05:21 Updated Role policy for Role lwan-aws-0105-openshift-ingress-operator-cloud-credentials
2022/01/05 21:05:21 Existing role arn:aws:iam::301721915996:role/lwan-aws-0105-openshift-cluster-csi-drivers-ebs-cloud-credential found
2022/01/05 21:05:21 Updated Role policy for Role lwan-aws-0105-openshift-cluster-csi-drivers-ebs-cloud-credential

How reproducible:
Always

Steps to Reproduce:
1. Run the ccoctl create command with the same name twice on both aws and gcp

Actual result:
The behaviors are different between aws and gcp

Expected result:
It would be better for the behaviors to be similar.

Comment 2 wang lin 2022-01-14 04:56:52 UTC
Verified on registry.ci.openshift.org/ocp/release:4.10.0-0.ci-2022-01-14-034708

###
Running the command below twice won't throw an error.
$ ./ccoctl gcp create-all --credentials-requests-dir credrequests-gcp --name lwan-gcp0114 --project openshift-qe --region us-central1 --output-dir test-gcp-secret-3
2022/01/14 12:45:06 Credentials loaded from file "/home/lwan/.gcp/osServiceAccount.json"
2022/01/14 12:45:06 Generating RSA keypair
2022/01/14 12:45:09 Writing private key to test-gcp-secret-3/serviceaccount-signer.private
2022/01/14 12:45:09 Writing public key to test-gcp-secret-3/serviceaccount-signer.public
2022/01/14 12:45:09 Copying signing key for use by installer
2022/01/14 12:45:11 Workload identity pool lwan-gcp0114 already exists
2022/01/14 12:45:12 Bucket lwan-gcp0114-oidc already exists
2022/01/14 12:45:13 OpenID Connect discovery document in the S3 bucket lwan-gcp0114-oidc at .well-known/openid-configuration updated
2022/01/14 12:45:13 Reading public key
2022/01/14 12:45:14 JSON web key set (JWKS) in the S3 bucket lwan-gcp0114-oidc at keys.json updated
2022/01/14 12:45:14 Workload identity provider lwan-gcp0114 already exists in pool lwan-gcp0114
2022/01/14 12:45:26 Existing IAM service account lwan-gcp0114-openshift-gcp-ccm found
2022/01/14 12:45:28 Updated policy bindings for IAM service account lwan-gcp0114-openshift-gcp-ccm
2022/01/14 12:45:28 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-cloud-controller-manager-gcp-ccm-cloud-credentials-credentials.yaml
2022/01/14 12:45:40 Existing IAM service account lwan-gcp0114-openshift-cluster-api-gcp found
2022/01/14 12:45:41 Updated policy bindings for IAM service account lwan-gcp0114-openshift-cluster-api-gcp
2022/01/14 12:45:41 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-cluster-api-gcp-cloud-credentials-credentials.yaml
2022/01/14 12:45:52 Existing IAM service account lwan-gcp0114-openshift-machine-api-gcp found
2022/01/14 12:45:53 Updated policy bindings for IAM service account lwan-gcp0114-openshift-machine-api-gcp
2022/01/14 12:45:53 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-machine-api-gcp-cloud-credentials-credentials.yaml
2022/01/14 12:46:04 Existing IAM service account lwan-gcp0114-cloud-credential-operator-gcp-ro-creds found
2022/01/14 12:46:06 Updated policy bindings for IAM service account lwan-gcp0114-cloud-credential-operator-gcp-ro-creds
2022/01/14 12:46:06 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-cloud-credential-operator-cloud-credential-operator-gcp-ro-creds-credentials.yaml
2022/01/14 12:46:16 Existing IAM service account lwan-gcp0114-openshift-image-registry-gcs found
2022/01/14 12:46:19 Updated policy bindings for IAM service account lwan-gcp0114-openshift-image-registry-gcs
2022/01/14 12:46:19 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
2022/01/14 12:46:29 Existing IAM service account lwan-gcp0114-openshift-ingress-gcp found
2022/01/14 12:46:30 Updated policy bindings for IAM service account lwan-gcp0114-openshift-ingress-gcp
2022/01/14 12:46:30 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-ingress-operator-cloud-credentials-credentials.yaml
2022/01/14 12:46:41 Existing IAM service account lwan-gcp0114-openshift-gcp-pd-csi-driver-operator found
2022/01/14 12:46:42 Updated policy bindings for IAM service account lwan-gcp0114-openshift-gcp-pd-csi-driver-operator
2022/01/14 12:46:42 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-cluster-csi-drivers-gcp-pd-cloud-credentials-credentials.yaml
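
Added example, not part of the bug report and not ccoctl's own code: a minimal Go sketch of the create-or-reuse behavior the verification run shows, where a 409 "already exists" answer is treated as reuse and every other error still aborts. The names `apiError`, `fakePools` and `EnsurePool` are hypothetical, and `apiError` stands in for the cloud SDK's HTTP error type.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// apiError is a hypothetical stand-in for the cloud SDK's HTTP error type.
type apiError struct{ Code int }

func (e *apiError) Error() string { return fmt.Sprintf("api error %d", e.Code) }

// fakePools is a constructed in-memory backend: duplicate names get a 409.
type fakePools struct{ existing map[string]bool }

func (f *fakePools) Create(name string) error {
	if name == "" {
		return &apiError{Code: http.StatusBadRequest}
	}
	if f.existing[name] {
		return &apiError{Code: http.StatusConflict}
	}
	f.existing[name] = true
	return nil
}

// EnsurePool creates the pool, or reports reuse when the backend answers 409.
// Any other failure is wrapped and returned, so real errors still stop the run.
func EnsurePool(f *fakePools, name string) (reused bool, err error) {
	err = f.Create(name)
	var apiErr *apiError
	if errors.As(err, &apiErr) && apiErr.Code == http.StatusConflict {
		return true, nil
	}
	if err != nil {
		return false, fmt.Errorf("failed to create workload identity pool %s: %w", name, err)
	}
	return false, nil
}

func main() {
	b := &fakePools{existing: map[string]bool{}}
	for run := 1; run <= 2; run++ {
		reused, err := EnsurePool(b, "example-pool")
		fmt.Println(run, reused, err)
	}
}
```

Returning `reused` separately lets the caller log which resources were adopted rather than created, which matters on reruns because the logs above show existing roles and service accounts having their policy rewritten.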

Comment 7 errata-xmlrpc 2022-03-10 16:37:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056