Bug 1630319 - Failed to deploy standalone master using instance profile
Summary: Failed to deploy standalone master using instance profile
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 3.11.z
Assignee: Chris Callegari
QA Contact: sheng.lao
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-09-18 11:49 UTC by sheng.lao
Modified: 2019-02-12 21:13 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-12 21:13:00 UTC
Target Upstream Version:
Embargoed:



Description sheng.lao 2018-09-18 11:49:09 UTC
Description of problem:
When I deploy the standalone master with the following variables:
   openshift_aws_create_iam_role: True
   openshift_node_use_instance_profiles: True

I get the following error message:
   "NoCredentialProviders: no valid providers in chain"

So I checked the code:
   roles/openshift_node/tasks/config.yml
   roles/openshift_node/tasks/bootstrap.yml

and found that:
- name: include aws provider credentials
  import_tasks: aws.yml
  when: not (openshift_node_use_instance_profiles | default(False))

It means that if we use the instance profile, then we don’t use the credentials.

But the master instances are created without an instance profile.

The workaround for this problem is to add the "instance_profile_name" option to the ec2 module in roles/openshift_aws/tasks/provision_ec2.yml:
- name: create instance(s)
  ec2:
    instance_profile_name: "{{ l_node_group_config[openshift_aws_node_group.group].iam_role if l_node_group_config[openshift_aws_node_group.group].iam_role is defined and l_node_group_config[openshift_aws_node_group.group].iam_role != '' and openshift_aws_create_iam_role else omit }}"
   ... ...

Version-Release number of the following components:
# git describe 
openshift-ansible-3.11.0-0.35.0-104-g0d33b82

How reproducible:

Steps to Reproduce:
1. ansible-playbook -i inventory.yml -e @provision_var.yml playbooks/aws/openshift-cluster/provision_install.yml
2.
3.

Actual results:
"Sep 18 11:42:03 xxxxx atomic-openshift-node[16327]: F0917 11:42:03.673100   16327 server.go:233] failed to run Kubelet: could not init cloud provider \"aws\": error finding instance i-xxxxxx: \"error listing AWS instances: \\\"NoCredentialProviders: no valid providers in chain. Deprecated.\\\\n\\\\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors\\\"\""

Expected results:
The standalone master deploys successfully

Additional info:
Please attach logs from ansible-playbook with the -vvv flag
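
Added example (not part of the bug report and not openshift-ansible code): a pre-flight check for the mismatch described above, where the `when:` guard skips the AWS credential tasks but an instance has no instance profile attached. It assumes the JSON layout of `aws ec2 describe-instances` output and inventory variables already parsed as YAML booleans; the sample data, instance IDs, account number and function names are constructed.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instances` output.
SAMPLE_DESCRIBE_INSTANCES = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaa0000000000001",
     "State": {"Name": "running"},
     "Tags": [{"Key": "host-type", "Value": "master"}]},
    {"InstanceId": "i-0aaa0000000000002",
     "State": {"Name": "running"},
     "IamInstanceProfile":
       {"Arn": "arn:aws:iam::111111111111:instance-profile/example-role"},
     "Tags": [{"Key": "host-type", "Value": "node"}]},
    {"InstanceId": "i-0aaa0000000000003",
     "State": {"Name": "terminated"},
     "Tags": [{"Key": "host-type", "Value": "master"}]}
  ]}
]}
""")


def credentials_tasks_skipped(inventory_vars):
    """Mirror the report's `when:` guard: aws.yml is imported only when
    openshift_node_use_instance_profiles is false (default False)."""
    return bool(inventory_vars.get("openshift_node_use_instance_profiles", False))


def instances_without_credentials(describe_output, inventory_vars):
    """Return IDs of live instances that would have neither static AWS
    credentials nor an instance profile to obtain credentials from."""
    if not credentials_tasks_skipped(inventory_vars):
        return []  # aws.yml runs, so static credentials get configured
    missing = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            # Instances that are gone cannot fail at kubelet start-up.
            if inst.get("State", {}).get("Name") in ("terminated", "shutting-down"):
                continue
            profile = inst.get("IamInstanceProfile") or {}
            if not profile.get("Arn"):
                missing.append(inst["InstanceId"])
    return missing


if __name__ == "__main__":
    vars_from_report = {"openshift_aws_create_iam_role": True,
                        "openshift_node_use_instance_profiles": True}
    print(instances_without_credentials(SAMPLE_DESCRIBE_INSTANCES, vars_from_report))
```

Any instance ID returned here is a host where the kubelet's AWS cloud provider has no credential source, which is the condition behind the "NoCredentialProviders" message in the actual results.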

Comment 1 Chris Callegari 2018-09-27 13:12:05 UTC
fixed via https://github.com/openshift/openshift-ansible/pull/10224

Comment 2 sheng.lao 2018-09-28 02:08:17 UTC
PR-10224 has been merged to 4.0; we have to back-port it to 3.11.z

Comment 3 Scott Dodson 2019-02-12 21:13:00 UTC
This was cherry-picked into release-3.11 here https://github.com/openshift/openshift-ansible/pull/10474/commits
in openshift-ansible-3.11.30-1 and later

