Bug 2068180

Summary: OCP UPI on AWS with STS enabled is breaking the Ingress operator
Product: OpenShift Container Platform
Reporter: David Johnston <djohnsto>
Component: Installer
Assignee: Rafael Fonseca <rdossant>
Installer sub component: openshift-installer
QA Contact: Yunfei Jiang <yunjiang>
Status: CLOSED ERRATA
Severity: high
Priority: low
CC: amcdermo, grizz, mmasters, msweiker, padillon, rdossant, wking, yunjiang
Version: 4.9
Target Milestone: ---
Target Release: 4.11.0
Hardware: x86_64
OS: Linux
Doc Type: No Doc Update
Story Points: ---
Last Closed: 2022-08-10 11:01:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description David Johnston 2022-03-24 15:16:46 UTC
Description of problem:
The Ingress operator is trying to contact STS directly ("sts.amazonaws.com") as opposed to the configured VPC endpoint for the cluster. To be clear, this is not OK, as the cluster needs to be as air-gapped as possible. Also worth noting that other OCP components work fine with the STS VPC endpoint.

OpenShift release version:
4.9.latest

Cluster Platform:
OCP AWS UPI

How reproducible:
Always

Actual results:

Expected results:

Impact of the problem:

Additional info:
Support case: 03157778


Comment 2 David Johnston 2022-03-25 13:46:41 UTC
Is there any possible known workaround for this in the meantime?

Comment 3 Miciah Dashiel Butler Masters 2022-03-29 15:38:48 UTC
After some discussion offline, this appears to be a configuration issue. Setting blocker-, low priority.

For disconnected clusters, OpenShift can be configured not to manage DNS, and the cluster administrator can configure DNS manually.  Use the following command to configure OpenShift not to manage DNS:

    oc patch dnses.config.openshift.io/cluster --type=merge --patch='{"spec":{"privateZone":null,"publicZone":null}}' 

We may need a documentation change for this issue.
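The command above relies on JSON merge patch semantics (RFC 7386, what `oc patch --type=merge` applies): a `null` value removes the key, whereas an empty object `{}` would leave the zone set and the operator would still try to publish DNS records (and so still need STS). The following is an added example, not code from the bug or from OpenShift; it applies the same patch body to a constructed `dnses.config.openshift.io/cluster` object with made-up zone IDs and checks whether the cluster is left with any managed zones, so an administrator can verify the config before and after patching.

```python
import copy
import json
import sys

# Constructed sample of the dnses.config.openshift.io/cluster object as the
# installer leaves it on AWS. The zone IDs are made-up placeholders.
SAMPLE_DNS_CONFIG = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "DNS",
    "metadata": {"name": "cluster"},
    "spec": {
        "baseDomain": "example.internal",
        "privateZone": {"id": "Z0EXAMPLEPRIVATE"},
        "publicZone": {"id": "Z0EXAMPLEPUBLIC"},
    },
}

# The patch body from the oc command in the comment above. Under JSON merge
# patch, null deletes the key; it does not set it to an empty value.
DISABLE_DNS_PATCH = {"spec": {"privateZone": None, "publicZone": None}}


def json_merge_patch(target, patch):
    """Apply an RFC 7386 JSON merge patch and return the new document.

    A non-object patch replaces the target outright; inside objects, a null
    member removes the key and any other member is merged recursively.
    """
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = json_merge_patch(result.get(key), value)
    return result


def dns_managed_zones(dns_config):
    """Return the zone fields that are still set (non-null) in spec.

    An empty object counts as set: the operator treats any present zone as
    one it must publish records into.
    """
    spec = dns_config.get("spec", {})
    return [z for z in ("privateZone", "publicZone") if spec.get(z) is not None]


def dns_is_unmanaged(dns_config):
    """True when neither zone is set, i.e. the cluster will not manage DNS."""
    return not dns_managed_zones(dns_config)


if __name__ == "__main__":
    # Usage: oc get dnses.config.openshift.io/cluster -o json | python3 check_dns.py
    cfg = json.load(sys.stdin)
    zones = dns_managed_zones(cfg)
    if zones:
        print("cluster still manages DNS zones:", ", ".join(zones))
        sys.exit(1)
    print("cluster DNS is unmanaged; operator will not publish records")
```

Running the check before patching reports both zones; after the merge patch with `null` values neither remains, while a patch that sets the zones to `{}` leaves both in place and the check still fails.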

Comment 5 Patrick Dillon 2022-04-05 01:04:40 UTC
Moving this to the installer. We will update docs to indicate that disconnected clusters must drop the zones from the dns configs.

Comment 13 errata-xmlrpc 2022-08-10 11:01:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069