Bug 1776980 - CCO falls back to Mint mode on Azure
Summary: CCO falls back to Mint mode on Azure
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Credential Operator
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.4.0
Assignee: Mangirdas Judeikis
QA Contact: Xiaoli Tian
Depends On:
Blocks: 1776990
Reported: 2019-11-26 16:41 UTC by Mangirdas Judeikis
Modified: 2020-05-13 21:53 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1776990
Last Closed: 2020-05-13 21:53:19 UTC
Target Upstream Version:


Red Hat Product Errata RHBA-2020:0581 (last updated 2020-05-13 21:53:21 UTC)

Description Mangirdas Judeikis 2019-11-26 16:41:23 UTC
Description of problem:

Currently, if CCO is set to passthrough mode for Azure, it will be set back to Mint mode by default.

How reproducible:
1. Set secret annotation to
2. CCO will default to Mint mode

Actual results:

Secrets always default to Mint

Expected results:

CCO to preserve passthrough mode if it was specified

Additional info:

This is directly impacting Azure RedHat OpenShift (ARO)

Comment 1 Mangirdas Judeikis 2019-11-26 16:47:06 UTC
Proposed solution https://github.com/openshift/cloud-credential-operator/pull/138

Comment 2 Devan Goodwin 2019-11-28 12:22:23 UTC
Alternate approach PR: https://github.com/openshift/cloud-credential-operator/pull/141

Moving to POST until fix merges.

Comment 4 Mike Gahagan 2019-12-10 15:52:58 UTC
Testing strategy (from bz 1776990 but should apply to 4.4 as well): 

1- this change should not break existing behaviour:

An IPI install when run with a service principal which has "Azure Active Directory Graph -> Application.ReadWrite.OwnedBy" permission granted (see https://blog.openshift.com/openshift-4-2-on-azure-preview/) should still succeed.  After the cluster is built you should see that as before the CCO has minted additional service principals (e.g. for the image registry), added Contributor permissions on the resource group for them, and that they are being used by the relevant components.  The CCO ConfigMap should have the cloudcredential.openshift.io/mode=mint annotation set.

2- new behaviour: a cluster should now be buildable with a service principal which does NOT have the above permission granted:

In this case, an IPI cluster should build fine (previously it would have failed) and you should see that the CCO has *not* minted additional service principals.  The CCO ConfigMap should have the cloudcredential.openshift.io/mode=passthrough annotation set.  Components such as the image registry should be using the service principal with which the cluster was installed.

Comment 5 Mike Gahagan 2019-12-10 21:27:58 UTC
Successfully installed 4.4.0-0.nightly-2019-12-09-221907 using an SP which does not grant Application.ReadWrite.OwnedBy.

Note that the mode setting is in azure-credentials, not the CCO ConfigMap (confirmed by jminter):
[m@dhcp145-215 44_azure_install]$ ./oc-44 get secret/azure-credentials -o yaml | grep cloudcredentia
    cloudcredential.openshift.io/mode: passthrough

I'll confirm successful install and mode set to mint tomorrow with an SP with Application.ReadWrite.OwnedBy granted.

Comment 6 Mike Gahagan 2019-12-11 19:11:45 UTC
Confirmed 4.4 install with an SP with Application.ReadWrite.OwnedBy granted sets mode to mint

[m@dhcp145-215 44_azure_install]$ ./oc-44 project kube-system
Now using project "kube-system" on server "https://api.mgahagan-111112.qe.azure.devcluster.openshift.com:6443".
[m@dhcp145-215 44_azure_install]$ ./oc-44 get secret/azure-credentials -o yaml | grep cloudcredentia
    cloudcredential.openshift.io/mode: mint
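
A verification script for the testing strategy in comment 4 and the checks run in comments 5 and 6, added here as an example; it is not from the bug report or from the cloud-credential-operator project. It reads the cloudcredential.openshift.io/mode annotation from the azure-credentials secret in kube-system (where comment 5 places it, rather than on a CCO ConfigMap) and compares it with the mode the installing service principal's permissions should have produced: mint when the SP was granted Application.ReadWrite.OwnedBy, passthrough otherwise. The `oc get ... -o jsonpath` call is the real CLI; the function names, the `--live` flag and the embedded sample secret are assumptions constructed for this example.

```bash
#!/usr/bin/env bash
# Added verification helper (not part of the bug report or the CCO project).
# Reads the CCO mode annotation from the azure-credentials secret in
# kube-system (see comment 5) and compares it with the mode the installing
# service principal should have produced.
set -eu

MODE_ANNOTATION='cloudcredential.openshift.io/mode'

# Parse the mode annotation out of secret YAML on stdin, e.g. the output of
#   oc get secret azure-credentials -n kube-system -o yaml
# Prints the mode (quoted or unquoted in the YAML), or nothing if absent.
cco_mode_from_yaml() {
    # '|' is the sed delimiter because the annotation key contains '/'.
    sed -n "s|^[[:space:]]*${MODE_ANNOTATION}:[[:space:]]*[\"']\{0,1\}\([a-z]*\)[\"']\{0,1\}.*$|\1|p"
}

# Live variant: ask the cluster directly (requires oc on PATH and a login).
# Dots in the annotation key must be escaped in jsonpath.
cco_mode_live() {
    oc get secret azure-credentials -n kube-system \
        -o jsonpath='{.metadata.annotations.cloudcredential\.openshift\.io/mode}'
}

# Mode the CCO should pick for a given installing service principal:
#   SP granted Application.ReadWrite.OwnedBy  -> mint
#   SP without that permission                -> passthrough
expected_mode() {
    case "$1" in
        yes) echo mint ;;
        no)  echo passthrough ;;
        *)   echo "expected_mode: argument must be yes or no" >&2; return 2 ;;
    esac
}

# check_mode OBSERVED yes|no  -> exit status 0 if OBSERVED is what the SP should yield.
check_mode() {
    [ "$1" = "$(expected_mode "$2")" ]
}

# Constructed sample (not captured from a real cluster): the relevant part of
# the secret after an install with an SP lacking Application.ReadWrite.OwnedBy.
SAMPLE_SECRET_YAML='apiVersion: v1
kind: Secret
metadata:
  annotations:
    cloudcredential.openshift.io/mode: passthrough
  name: azure-credentials
  namespace: kube-system
type: Opaque'

# Usage against a real cluster:
#   check_cco_mode.sh --live yes    (SP had Application.ReadWrite.OwnedBy)
#   check_cco_mode.sh --live no     (SP did not)
if [ "${1:-}" = "--live" ]; then
    observed="$(cco_mode_live)"
    if check_mode "$observed" "${2:-no}"; then
        echo "CCO mode: $observed (matches the service principal's permissions)"
    else
        echo "CCO mode: '$observed' but expected $(expected_mode "${2:-no}") for this service principal" >&2
        exit 1
    fi
fi
```

Run with `--live yes` after an install like the one in comment 6 and `--live no` after one like comment 5; a non-zero exit means the cluster landed in the other mode, which is the regression this bug describes.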

Comment 8 Devan Goodwin 2020-04-29 12:09:24 UTC
Reassigning to Mangirdas who found and fixed for doc text requirement.

Comment 10 errata-xmlrpc 2020-05-13 21:53:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

