Bug 2041329

Summary:	aws and gcp CredentialsRequest manifests missing ServiceAccountNames list for cloud-network-config-controller
Product:	OpenShift Container Platform	Reporter:	wang lin <lwan>
Component:	Networking	Assignee:	Casey Callendrello <cdc>
Networking sub component:	openshift-sdn	QA Contact:	wang lin <lwan>
Status:	CLOSED ERRATA	Docs Contact:
Severity:	high
Priority:	high	CC:	bpickard, lwan
Version:	4.10
Target Milestone:	---
Target Release:	4.10.0
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2022-03-10 16:40:08 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description wang lin 2022-01-17 06:41:16 UTC

Description of problem:
The CredentialsRequest manifests defined in https://github.com/openshift/cluster-network-operator/blob/master/manifests/02-cncc-credentials.yaml are missing the .spec.serviceAccountNames list.

This means when running in STS credentials mode on AWS or workload-identity mode in GCP, the IAM Role / IAM ServiceAccount cannot be locked down to a specific k8s ServiceAccount inside the cluster.

Version-Release number of selected component (if applicable): 
4.10

How reproducible: 100%


Steps to Reproduce:
1. View the CredentialsRequests objects in https://github.com/openshift/cluster-network-operator/blob/master/manifests/02-cncc-credentials.yaml
2. 
3.

Actual results:
See that there is no .spec.serviceAccountNames for the AWS and GCP resources.


Expected results:
.spec.serviceAccountNames is filled out to specify any k8s ServiceAccounts that will be used for making AWS / GCP API calls.


Additional info:
reference bug: 
https://bugzilla.redhat.com/show_bug.cgi?id=2037061
https://bugzilla.redhat.com/show_bug.cgi?id=2029833#c3

Comment 3 wang lin 2022-01-20 09:20:49 UTC

Verified on 4.10.0-0.nightly-2022-01-20-033924

1. 
export RELEASE_IMAGE=registry.ci.openshift.org/ocp/release:4.10.0-0.nightly-2022-01-20-033924
2.
oc adm release extract --credentials-requests --cloud=aws --to=./credrequests-aws $RELEASE_IMAGE
oc adm release extract --credentials-requests --cloud=gcp --to=./credrequests-gcp $RELEASE_IMAGE
oc adm release extract --credentials-requests --cloud=azure --to=./credrequests-azure $RELEASE_IMAGE

3. Check cncc cr, all have serviceAccountNames list
$ cat credrequests-aws/0000_50_cluster-network-operator_02-cncc-credentials.yaml
---
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
  name: openshift-cloud-network-config-controller-aws
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
    - action:
      - ec2:DescribeInstances
      - ec2:DescribeInstanceStatus
      - ec2:DescribeInstanceTypes
      - ec2:UnassignPrivateIpAddresses
      - ec2:AssignPrivateIpAddresses
      - ec2:UnassignIpv6Addresses
      - ec2:AssignIpv6Addresses
      - ec2:DescribeSubnets
      - ec2:DescribeNetworkInterfaces
      effect: Allow
      resource: '*'
  secretRef:
    name: cloud-credentials
    namespace: openshift-cloud-network-config-controller
  serviceAccountNames:
  - cloud-network-config-controller
[lwan@lwan ocp410]$ cat credrequests-gcp/0000_50_cluster-network-operator_02-cncc-credentials.yaml
---
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
  name: openshift-cloud-network-config-controller-gcp
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: GCPProviderSpec
    predefinedRoles:
    - roles/compute.admin
  secretRef:
    name: cloud-credentials
    namespace: openshift-cloud-network-config-controller
  serviceAccountNames:
  - cloud-network-config-controller
[lwan@lwan ocp410]$ cat credrequests-azure/0000_50_cluster-network-operator_02-cncc-credentials.yaml
---
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
  name: openshift-cloud-network-config-controller-azure
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AzureProviderSpec
    roleBindings:
    - role: Contributor
  secretRef:
    name: cloud-credentials
    namespace: openshift-cloud-network-config-controller
  serviceAccountNames:
  - cloud-network-config-controller

Comment 6 errata-xmlrpc 2022-03-10 16:40:08 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056