+++ This bug was initially created as a clone of Bug #1776980 +++

Description of problem:
Currently, if CCO is set to passthrough mode for Azure, it will be set back to Mint mode by default.

How reproducible:
1. Set secret annotation to cloudcredential.openshift.io/mode=passthrough
2. CCO will default to Mint mode

Actual results:
Secrets always default to Mint

Expected results:
CCO to preserve passthrough mode if it was specified

Additional info:
This is directly impacting Azure Red Hat OpenShift (ARO)
Testing strategy:

1. This change should not break existing behaviour: an IPI install run with a service principal which has the "Azure Active Directory Graph -> Application.ReadWrite.OwnedBy" permission granted (see https://blog.openshift.com/openshift-4-2-on-azure-preview/) should still succeed. After the cluster is built you should see that, as before, the CCO has minted additional service principals (e.g. for the image registry), added Contributor permissions on the resource group for them, and that they are being used by the relevant components. The CCO ConfigMap should have the cloudcredential.openshift.io/mode=mint annotation set.

2. New behaviour: a cluster should now be buildable with a service principal which does NOT have the above permission granted. In this case, an IPI cluster should build fine (previously it would have failed) and you should see that the CCO has *not* minted additional service principals. The CCO ConfigMap should have the cloudcredential.openshift.io/mode=passthrough annotation set. Components such as the image registry should be using the service principal with which the cluster was installed.
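A small offline check for the two outcomes described in the testing strategy, added here as an example and not part of the bug report or the CCO code: it reads the cloudcredential.openshift.io/mode annotation out of the azure-credentials secret YAML and compares it with the mode the installing service principal's permissions should have produced. It assumes the YAML would normally come from `oc get secret/azure-credentials -n kube-system -o yaml`; a constructed sample stands in for that output so the script runs without a cluster.

```shell
#!/bin/sh
# Added example, not from the bug report. Verifies the CCO mode selected
# for a cluster by inspecting the mode annotation on the root credential
# secret and comparing it with what the installing SP's permissions imply.
# Assumption: on a live cluster the YAML would be obtained with
#   oc get secret/azure-credentials -n kube-system -o yaml

# Constructed sample: the secret as it looks on a cluster installed with
# an SP that lacks Application.ReadWrite.OwnedBy (passthrough expected).
SAMPLE_SECRET_YAML='apiVersion: v1
kind: Secret
metadata:
  annotations:
    cloudcredential.openshift.io/mode: passthrough
  name: azure-credentials
  namespace: kube-system
type: Opaque'

# Read secret YAML on stdin and print the mode annotation value,
# or "unset" when the annotation is absent.
cco_mode_from_yaml() {
  mode=$(sed -n 's/^[[:space:]]*cloudcredential\.openshift\.io\/mode:[[:space:]]*//p' | head -n 1)
  [ -n "$mode" ] && printf '%s\n' "$mode" || printf 'unset\n'
}

# Map the SP's capability to the mode the CCO should pick:
# "yes" = SP has Application.ReadWrite.OwnedBy -> mint; anything else -> passthrough.
expected_mode() {
  case "$1" in
    yes) echo mint ;;
    *)   echo passthrough ;;
  esac
}

# verify_mode <sp_can_mint: yes|no> <secret_yaml>
# Returns 0 when the annotation matches the expected mode, 1 otherwise.
verify_mode() {
  sp_can_mint=$1
  yaml=$2
  actual=$(printf '%s\n' "$yaml" | cco_mode_from_yaml)
  want=$(expected_mode "$sp_can_mint")
  if [ "$actual" = "$want" ]; then
    echo "OK: CCO mode is $actual"
    return 0
  fi
  echo "MISMATCH: expected $want, secret has $actual" >&2
  return 1
}
```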
Confirmed I can install a working 4.3 cluster using a service principal which does not have Application.ReadWrite.OwnedBy granted. (openshift-install-linux-4.3.0-0.nightly-2019-12-06-014514)
The mode setting is in the azure-credentials secret, not the CCO configmap (per jminter).

Cluster with SP with no Application.ReadWrite.OwnedBy permission:

[m@localhost 43_azure_install]$ oc-43 get secret/azure-credentials -o yaml | grep cloudcredentia
    cloudcredential.openshift.io/mode: passthrough

Cluster with SP with Application.ReadWrite.OwnedBy permission:

[m@localhost auth]$ oc-43 get secret/azure-credentials -o yaml | grep cloudcredenti
    cloudcredential.openshift.io/mode: mint

Marking verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0062