Description of problem: Currently, if CCO is set to passthrough mode for Azure, it will be set back to Mint mode by default.

How reproducible:
1. Set secret annotation to cloudcredential.openshift.io/mode=passthrough
2. CCO will default to Mint mode

Actual results: Secrets always default to Mint

Expected results: CCO to preserve passthrough mode if it was specified

Additional info: This is directly impacting Azure Red Hat OpenShift (ARO)
Proposed solution: https://github.com/openshift/cloud-credential-operator/pull/138
Alternate approach PR: https://github.com/openshift/cloud-credential-operator/pull/141

Moving to POST until fix merges.
Testing strategy (from bz 1776990 but should apply to 4.4 as well):

1. This change should not break existing behaviour: an IPI install, when run with a service principal which has the "Azure Active Directory Graph -> Application.ReadWrite.OwnedBy" permission granted (see https://blog.openshift.com/openshift-4-2-on-azure-preview/), should still succeed. After the cluster is built you should see that, as before, the CCO has minted additional service principals (e.g. for the image registry), added Contributor permissions on the resource group for them, and that they are being used by the relevant components. The CCO ConfigMap should have the cloudcredential.openshift.io/mode=mint annotation set.

2. New behaviour: a cluster should now be buildable with a service principal which does NOT have the above permission granted. In this case, an IPI cluster should build fine (previously it would have failed) and you should see that the CCO has *not* minted additional service principals. The CCO ConfigMap should have the cloudcredential.openshift.io/mode=passthrough annotation set. Components such as the image registry should be using the service principal with which the cluster was installed.
Successfully installed 4.4.0-0.nightly-2019-12-09-221907 using an SP which does not grant Application.ReadWrite.OwnedBy. Note that the mode setting is in azure-credentials, not the CCO configmap (confirmed by jminter).

[m@dhcp145-215 44_azure_install]$ ./oc-44 get secret/azure-credentials -o yaml | grep cloudcredentia
    cloudcredential.openshift.io/mode: passthrough

I'll confirm successful install and mode set to mint tomorrow with an SP with Application.ReadWrite.OwnedBy granted.
Confirmed 4.4 install with an SP with Application.ReadWrite.OwnedBy granted sets mode to mint.

[m@dhcp145-215 44_azure_install]$ ./oc-44 project kube-system
Now using project "kube-system" on server "https://api.mgahagan-111112.qe.azure.devcluster.openshift.com:6443".
[m@dhcp145-215 44_azure_install]$ ./oc-44 get secret/azure-credentials -o yaml | grep cloudcredentia
    cloudcredential.openshift.io/mode: mint
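One way to automate the post-install state check called for in the testing strategy above, using the secret location the verification comments confirm (added example, not part of this bug or of the CCO code): read the mode annotation on kube-system/azure-credentials and compare the azure_client_id it holds with the one a component actually received. The component secret name openshift-image-registry/installer-cloud-credentials is an assumption, and both secrets are constructed stand-ins for `oc get secret ... -o json` output with placeholder client ids.

```python
import base64
from typing import Optional, Tuple

MODE_ANNOTATION = "cloudcredential.openshift.io/mode"


def b64(s: str) -> str:
    """Encode a string the way Kubernetes stores secret data values."""
    return base64.b64encode(s.encode()).decode()


# Constructed samples shaped like `oc get secret <name> -o json` output, trimmed
# to the fields this check reads. Client ids are placeholders, not real values.
INSTALLER_SECRET = {
    "metadata": {"name": "azure-credentials", "namespace": "kube-system",
                 "annotations": {MODE_ANNOTATION: "passthrough"}},
    "data": {"azure_client_id": b64("00000000-0000-0000-0000-00000000aaaa")},
}
REGISTRY_SECRET = {  # assumed name/namespace for the image registry's credentials
    "metadata": {"name": "installer-cloud-credentials",
                 "namespace": "openshift-image-registry"},
    "data": {"azure_client_id": b64("00000000-0000-0000-0000-00000000aaaa")},
}


def client_id(secret: dict) -> str:
    """Decode the azure_client_id key of an Azure credentials secret."""
    return base64.b64decode(secret["data"]["azure_client_id"]).decode()


def cco_mode(secret: dict) -> Optional[str]:
    """Return the CCO mode annotation, or None if it is missing."""
    return secret["metadata"].get("annotations", {}).get(MODE_ANNOTATION)


def check_mode_consistency(installer_secret: dict, component_secret: dict) -> Tuple[bool, str]:
    """Cross-check the mode annotation against what a component actually got.

    passthrough: the component must hold the installer's service principal.
    mint:        the component must hold a distinct, minted service principal.
    A missing/unknown annotation, or a mismatch such as the annotation flipping
    to mint while components still hold the installer SP, fails the check.
    """
    mode = cco_mode(installer_secret)
    same_sp = client_id(installer_secret) == client_id(component_secret)
    if mode == "passthrough":
        return same_sp, "ok" if same_sp else "passthrough mode but component holds a different SP"
    if mode == "mint":
        return (not same_sp), "ok" if not same_sp else "mint mode but component still holds the installer SP"
    return False, f"unexpected {MODE_ANNOTATION} value: {mode!r}"


if __name__ == "__main__":
    ok, reason = check_mode_consistency(INSTALLER_SECRET, REGISTRY_SECRET)
    print("PASS" if ok else "FAIL", reason)
```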
Reassigning to Mangirdas who found and fixed for doc text requirement.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581