Bug 2100852

Summary: worker-user-data secret couldn't be synced up from openshift-machine-api to openshift-cluster-api
Product: OpenShift Container Platform
Reporter: sunzhaohua <zhsun>
Component: Cloud Compute
Assignee: Mike Fedosin <mfedosin>
Cloud Compute sub component: Other Providers
QA Contact: sunzhaohua <zhsun>
Status: CLOSED ERRATA
Docs Contact:
Severity: low    
Priority: low    
Version: 4.11   
Target Milestone: ---   
Target Release: 4.12.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-01-17 19:50:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description sunzhaohua 2022-06-24 13:18:22 UTC
Description of problem:
On GCP, the worker-user-data secret couldn't be synced up from openshift-machine-api to openshift-cluster-api

Version-Release number of selected component (if applicable):
4.11.0-0.nightly-2022-06-23-153912

How reproducible:
Always

Steps to Reproduce:
1. Enable CAPI by featuregate
2. $ oc delete secret worker-user-data -n openshift-cluster-api
3. $ oc patch secret worker-user-data -p '{"data":{"username":"Zmlyc3QtdXNlcm5hbWUtdXBkYXRlCg=="}}' -n openshift-machine-api
4. Check whether the secret contents in openshift-machine-api and openshift-cluster-api are equal
$ oc describe secret worker-user-data -n openshift-machine-api
$ oc describe secret worker-user-data -n openshift-cluster-api

Actual results:
The secret contents in openshift-machine-api and openshift-cluster-api are not equal; the log reports "source and target secrets are equal, no sync needed"

$ oc describe secret worker-user-data -n openshift-machine-api                                                                                                                                                  
Name:         worker-user-data
Namespace:    openshift-machine-api
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
disableTemplating:  5 bytes
userData:           1745 bytes
username:           22 bytes

$ oc describe secret worker-user-data -n openshift-cluster-api                                                                                                                                                  
Name:         worker-user-data
Namespace:    openshift-cluster-api
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
value:  1745 bytes


624 13:17:03.971737       1 secret_sync_controller.go:42] controller/secret/SecretSyncController "msg"="reconciling worker user data secret" "name"="worker-user-data" "namespace"="openshift-cluster-api" "reconciler group"="" "reconciler kind"="Secret"
I0624 13:17:03.971758       1 kubeconfig.go:87] controller/secret/KubeconfigController "msg"="Reconciling kubeconfig secret" "name"="cluster-capi-operator-secret" "namespace"="openshift-cluster-api" "reconciler group"="" "reconciler kind"="Secret"
I0624 13:17:03.972019       1 secret_sync_controller.go:72] controller/secret/SecretSyncController "msg"="source and target secrets are equal, no sync needed" "name"="worker-user-data" "namespace"="openshift-cluster-api" "reconciler group"="" "reconciler kind"="Secret"
I0624 13:17:03.972196       1 secret_sync_controller.go:158] controller/secret "msg"="user Data Secret Controller is available" "name"="worker-user-data" "namespace"="openshift-cluster-api" "reconciler group"="" "reconciler kind"="Secret"
I0624 13:17:03.982128       1 kubeconfig.go:87] controller/secret/KubeconfigController "msg"="Reconciling kubeconfig secret" "name"="cluster-capi-operator-secret" "namespace"="openshift-cluster-api" "reconciler group"="" "reconciler kind"="Secret"

Expected results:
The secret contents in openshift-machine-api and openshift-cluster-api are equal.

Additional info:

Comment 1 Joel Speed 2022-07-04 15:14:26 UTC
The logic only syncs a single key within the secret, which this test isn't executing. We are going to improve the log messages to make sure they tell the user which keys it is syncing.
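
The single-key comparison described in Comment 1, as an added Go example that is not the controller's own code: it shows why patching `username` leaves the log at "no sync needed". The key names `userData` and `value` are assumptions read off the `oc describe` output above; `SyncDecision` and `decideSync` are hypothetical names.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
)

// Assumed key names, read off the `oc describe` output in this report.
const (
	sourceKey = "userData" // key in openshift-machine-api
	targetKey = "value"    // key in openshift-cluster-api
)

// SyncDecision is a hypothetical result type for this example.
type SyncDecision struct {
	NeedsSync bool
	Reason    string
	Ignored   []string // source keys the comparison never looks at
}

// decideSync compares only the user-data key, as described in Comment 1.
func decideSync(source, target map[string][]byte) SyncDecision {
	d := SyncDecision{}
	for k := range source {
		if k != sourceKey {
			d.Ignored = append(d.Ignored, k)
		}
	}
	sort.Strings(d.Ignored)
	src, ok := source[sourceKey]
	switch {
	case !ok:
		d.Reason = "source secret has no " + sourceKey + " key"
	case target == nil:
		d.NeedsSync, d.Reason = true, "target secret is missing"
	case !bytes.Equal(src, target[targetKey]):
		d.NeedsSync, d.Reason = true, "user data differs"
	default:
		d.Reason = "user data in source and target secrets is the same, no sync needed"
	}
	return d
}

func main() {
	// Constructed sample data mirroring the reproduction steps.
	source := map[string][]byte{
		"userData": []byte("ignition-config"), "disableTemplating": []byte("true\n"),
		"username": []byte("first-username-update\n"), // the patched, unsynced key
	}
	target := map[string][]byte{"value": []byte("ignition-config")}
	fmt.Printf("%+v\n", decideSync(source, target))
}
```

The `Ignored` list is what a drift check has to account for: whole-secret equality between the two namespaces is not what the controller compares.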

Comment 3 sunzhaohua 2022-08-23 05:31:22 UTC
Moved to verified; the log has been improved.
4.12.0-0.nightly-2022-08-22-201543
I0823 05:29:30.129349       1 secret_sync_controller.go:72] controller/secret/SecretSyncController "msg"="user data in source and target secrets is the same, no sync needed" "name"="worker-user-data" "namespace"="openshift-machine-api" "reconciler group"="" "reconciler kind"="Secret"
I0823 05:29:30.129405       1 secret_sync_controller.go:158] controller/secret "msg"="user Data Secret Controller is available" "name"="worker-user-data" "namespace"="openshift-machine-api" "reconciler group"="" "reconciler kind"="Secret"

Comment 6 errata-xmlrpc 2023-01-17 19:50:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399