Bug 2064428

Summary: CCO mint mode will not work for Azure after sunsetting of Active Directory Graph API
Product: OpenShift Container Platform Reporter: sumehta
Component: Cloud Credential OperatorAssignee: sumehta
Status: CLOSED ERRATA QA Contact: Shivanthi <lamarach>
Severity: high Docs Contact:
Priority: high    
Version: 4.7CC: aos-bugs, jrouth, jshu
Target Milestone: ---   
Target Release: 4.7.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2066403 (view as bug list) Environment:
Last Closed: 2022-04-11 11:28:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2058270    
Bug Blocks: 2066403    

Description sumehta 2022-03-15 19:32:14 UTC 
Description of problem:
(copied from https://bugzilla.redhat.com/show_bug.cgi?id=2058270)

With the upcoming sunset of the Azure AD Graph API on June 30 2022, CCO will no longer be able to reliably create ServicePrincipals while processing a CredentialsRequest in Mint mode. We cannot transition to a new API yet as Go SDK support is not production ready.


Version-Release number of selected component (if applicable):
4.8

How reproducible:
Always (after June 30 2022)

Steps to Reproduce:
1. Install OpenShift cluster on Azure in Mint mode after June 30 2022

Actual results:
CCO will fail to provision Credentials Request and cluster install will not succeed

Expected results:
CCO should be able to provision Credentials Request and cluster install should succeed

Additional info:

Link to azure announcement indicating that Azure AD Graph API will be sunset - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363
Comment 1 sumehta 2022-03-18 14:21:50 UTC 
Moving to Verified since QA verified on the PR - https://github.com/openshift/cloud-credential-operator/pull/455#issuecomment-1072304689
/cc @jshu
Comment 2 Jianping SHu 2022-03-18 22:46:02 UTC 
QE verification done as on the PR.
Comment 5 errata-xmlrpc 2022-04-11 11:28:50 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.7.47 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1166