Bug 2074659

Summary: AWS installconfig ValidateForProvisioning always provides blank values to validate zone records
Product: OpenShift Container Platform Reporter: Brent Barbachem <bbarbach>
Component: InstallerAssignee: Brent Barbachem <bbarbach>
Installer sub component: openshift-installer QA Contact: Yunfei Jiang <yunjiang>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: medium    
Version: 4.11   
Target Milestone: ---   
Target Release: 4.11.0   
Hardware: Unspecified   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-10 11:06:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2077904    

Description Brent Barbachem 2022-04-12 18:00:17 UTC 
Thanks for opening a bug report!
Before hitting the button, please fill in as much of the template below as you can.
If you leave out information, it's harder to help you.
Be ready for follow-up questions, and please respond in a timely manner.
If we can't reproduce a bug we might close your issue.
If we're wrong, PLEASE feel free to reopen it and explain why.

Version: 4.11 (found)

will need to be back-ported

Platform:

AWS 

What happened?

Testing the ValidateForProvisioning functionality revealed that the validateZoneRecords function always receives an empty string for zoneName and zonePath. The two variables are declared at the top of the function, but they are locally set in the if/else below so they go out of scope before making it to the validateZoneRecords function.
Comment 1 Brent Barbachem 2022-04-12 18:11:41 UTC 
Provides False negative when searching for DNS Records. Empty String will always appear.
Comment 5 Brent Barbachem 2022-04-28 12:36:22 UTC 
Hello,

I found this issue while working on a Jira Card that involved testing a function called ValidateForProvisioning for AWS. The install config was using this value. There was not currently a test for this functionality, but the way that you could hit this code was through a platform provisioning check for AWS. The zone name was always blank when trying to validate the zones.

Is this enough to go off of?
Comment 6 Yunfei Jiang 2022-05-09 07:57:13 UTC 
Hello Brent, I tried following tests:

install-config:
<--SNIP-->
baseDomain: qe.devcluster.openshift.com
metadata:
  creationTimestamp: null
  name: yunjiang-aaaccc
platform:
  aws:
    region: us-east-2
    subnets:
    - subnet-034f5beb385a151c3
    - subnet-0f1f876a97ae76fd2
    - subnet-0219becdbf9d5519f
    - subnet-0979c17619fc8387e
    hostedZone: Z07770582ZWZBOWLV6AQJ <- private hosed zone: yunjiang-050953a.qe.devcluster.openshift.com
publish: External
<--SNIP-->

before applied fix (4.10):
FATAL failed to fetch Terraform Variables: failed to fetch dependency of "Terraform Variables": failed to generate asset "Platform Provisioning Check": aws.hostedZone: Invalid value: "Z07770582ZWZBOWLV6AQJ": hosted zone domain "yunjiang-050953a.qe.devcluster.openshift.com." is not a parent of the cluster domain "yunjiang-aaaccc.qe.devcluster.openshift.com."

after applied fix (4.11.0-0.nightly-2022-05-08-193101):
FATAL failed to fetch Terraform Variables: failed to fetch dependency of "Terraform Variables": failed to generate asset "Platform Provisioning Check": aws.hostedZone: Internal error: could not list record sets for domain "Z07770582ZWZBOWLV6AQJ": hosted zone domain "yunjiang-050953a.qe.devcluster.openshift.com." is not a parent of the cluster domain "yunjiang-aaaccc.qe.devcluster.openshift.com."

it looks like the installer of 4.11 went into code [1], but 4.10 did not [2]

[1] https://github.com/openshift/installer/blob/release-4.11/pkg/asset/installconfig/aws/validation.go#L395
[2] https://github.com/openshift/installer/blob/release-4.10/pkg/asset/installconfig/aws/validation.go#L398


I have some questions:
1. per 4.11 log message, the zoneName is Z07770582ZWZBOWLV6AQJ, is the expected?
2. error message `could not list record sets` was not shown in 4.10, is it ,is this related to the current modifications?
Comment 7 Brent Barbachem 2022-05-24 12:26:10 UTC 
1. per 4.11 log message, the zoneName is Z07770582ZWZBOWLV6AQJ, is the expected?

>>> yes, I believe that is the expected zoneName

2. error message `could not list record sets` was not shown in 4.10, is it ,is this related to the current modifications?

>>> That message would only appear on an error from getSubDomainDNSRecords. The "error" or indication of false data appears
when an error occurs in getSubDomainDNSRecords because the zoneName was not set correctly when passed to validateZoneRecords
Comment 8 Brent Barbachem 2022-05-24 17:32:37 UTC 
Ok, I was able to produce the error with an install-config. 

apiVersion: v1
baseDomain: bbarbach-public-zone.com
compute:
- architecture: amd64
  hyperthreading: Enabled
  name: worker
  platform: {}
  replicas: 3
controlPlane:
  architecture: amd64
  hyperthreading: Enabled
  name: master
  platform: {}
  replicas: 3
metadata:
  creationTimestamp: null
  name: bbarbach-zone-test
networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineNetwork:
  - cidr: 10.0.0.0/16
  networkType: OpenShiftSDN
  serviceNetwork:
  - 172.30.0.0/16
platform:
  aws:
    region: us-east-1
    subnets:
    - subnet-0412605e3e4a5e892
    - subnet-088e713b919753182
    hostedZone: Z0909126N1BWS293HVRS
publish: External


The hosted zone and subnets are ones that I created. When running this install-config with create cluster I get the following results:

FATAL failed to fetch Terraform Variables: failed to fetch dependency of "Terraform Variables": failed to generate asset "Platform Provisioning Check": <nil>: Internal error: could not list record sets for domain "": hosted zone domain "bbarbach-pvc.com." is not a parent of the cluster domain "bbarbach-zone-test.bbarbach-public-zone.com." 

The error message:
Internal error: could not list record sets for domain ""

should be filled with the correct hostedZone not an empty string. No matter what hostedZone name is there it would produce this result as it was not set when passed to the function.
Comment 9 Brent Barbachem 2022-05-24 17:33:18 UTC 
(In reply to Brent Barbachem from comment #8)
> Ok, I was able to produce the error with an install-config. 
> 
> apiVersion: v1
> baseDomain: bbarbach-public-zone.com
> compute:
> - architecture: amd64
>   hyperthreading: Enabled
>   name: worker
>   platform: {}
>   replicas: 3
> controlPlane:
>   architecture: amd64
>   hyperthreading: Enabled
>   name: master
>   platform: {}
>   replicas: 3
> metadata:
>   creationTimestamp: null
>   name: bbarbach-zone-test
> networking:
>   clusterNetwork:
>   - cidr: 10.128.0.0/14
>     hostPrefix: 23
>   machineNetwork:
>   - cidr: 10.0.0.0/16
>   networkType: OpenShiftSDN
>   serviceNetwork:
>   - 172.30.0.0/16
> platform:
>   aws:
>     region: us-east-1
>     subnets:
>     - subnet-0412605e3e4a5e892
>     - subnet-088e713b919753182
>     hostedZone: Z0909126N1BWS293HVRS
> publish: External
> 
> 
> The hosted zone and subnets are ones that I created. When running this
> install-config with create cluster I get the following results:
> 
> FATAL failed to fetch Terraform Variables: failed to fetch dependency of
> "Terraform Variables": failed to generate asset "Platform Provisioning
> Check": <nil>: Internal error: could not list record sets for domain "":
> hosted zone domain "bbarbach-pvc.com." is not a parent of the cluster domain
> "bbarbach-zone-test.bbarbach-public-zone.com." 
> 
> The error message:
> Internal error: could not list record sets for domain ""
> 
> should be filled with the correct hostedZone not an empty string. No matter
> what hostedZone name is there it would produce this result as it was not set
> when passed to the function.

This was tested against version 4.10 as 4.11 has the issue solved I believe.
Comment 10 Yunfei Jiang 2022-05-25 03:39:09 UTC 
Thanks Brent, I can hit the issue while setting "hosted zone domain is not a parent of the cluster domain".

> OCP 4.11.0-0.nightly-2022-05-20-213928

FATAL failed to fetch Terraform Variables: failed to fetch dependency of "Terraform Variables": failed to generate asset "Platform Provisioning Check": aws.hostedZone: Internal error: could not list record sets for domain "Z0832957144NMU2JF1TBH": hosted zone domain "yunjiang-0525r1.qe.devcluster.openshift.com." is not a parent of the cluster domain "yunjiang-0525rb.qe1.devcluster.openshift.com."

> OCP 4.10.12

FATAL failed to fetch Terraform Variables: failed to fetch dependency of "Terraform Variables": failed to generate asset "Platform Provisioning Check": <nil>: Internal error: could not list record sets for domain "": hosted zone domain "yunjiang-0525r1.qe.devcluster.openshift.com." is not a parent of the cluster domain "yunjiang-0525r2.qe1.devcluster.openshift.com."
Comment 12 errata-xmlrpc 2022-08-10 11:06:30 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069