Bug 1824481 - PVCs can still be provisioned after the password has been changed vSphere
Summary: PVCs can still be provisioned after the password has been changed vSphere
Keywords:
Status: CLOSED DUPLICATE of bug 1821280
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Compute
Version: 4.3.z
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.6.0
Assignee: Danil Grigorev
QA Contact: Jianwei Hou
URL:
Whiteboard:
Duplicates: 1823782
Depends On:
Blocks:
Reported: 2020-04-16 09:52 UTC by Alexis Solanas
Modified: 2023-10-06 19:41 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-06-19 08:41:52 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | kubernetes kubernetes issues 90844 | 0 | None | closed | PVCs can still be provisioned after the password has been changed vSphere | 2021-02-05 22:23:24 UTC
Github | kubernetes kubernetes pull 90836 | 0 | None | closed | Added ability for vSphere to reconnect on secret update | 2021-02-05 22:23:25 UTC

Description Alexis Solanas 2020-04-16 09:52:52 UTC
Description of problem:

When the password is changed in vSphere for the user that is configured for the OpenShift cluster, storage can still be provisioned despite having a password that is no longer valid. 


Version-Release number of selected component (if applicable):

Client Version: 4.3.9
Server Version: 4.3.9
Kubernetes Version: v1.16.2


How reproducible:

Always

Steps to Reproduce:

1. Deploy an OCP cluster with vSphere integration. Check that dynamically provisioning storage works.
2. Change the user's password in vSphere.
3. Provision a new PVC; it will be created.

Actual results:

 The PVCs are provisioned.

Expected results:

 PVC provisioning should fail with "Cannot complete login due to an incorrect user name or password."

Additional info:

 Even 24 hours after the password change in vSphere, OCP can still provision storage. How long is the session kept open with vSphere after the first successful login?

 Changing the password in the "vsphere-creds" secret does not make any change. You can change it to another password that is not correct, and storage will still be provisioned.

 Manually deleting the kube-apiserver, kube-controller-manager pods openshift, apiserver pods, and controller-manager pods does not make a difference. 

 Only modifying or re-creating the "cloud-provider-config" triggers the recreation of several pods (79 in my test cluster), and then OpenShift starts using the new credentials in the "vsphere-creds" secret.

Comment 1 Maciej Szulik 2020-04-17 10:21:11 UTC
Looks like a problem with cloud provider, moving to cloud team.

Comment 2 Stephen Cuppett 2020-04-17 12:30:14 UTC
Setting target release to current development version (4.5) for investigation. Where fixes (if any) are required/requested for prior versions, cloned BZs will be created when appropriate.

Comment 3 Danil Grigorev 2020-05-07 14:12:37 UTC
*** Bug 1823782 has been marked as a duplicate of this bug. ***

Comment 4 Danil Grigorev 2020-05-07 14:15:18 UTC
There is a PR out (https://github.com/kubernetes/kubernetes/pull/90836) and an upstream issue to track: https://github.com/kubernetes/kubernetes/issues/90844

Comment 5 Alberto 2020-05-22 07:35:24 UTC
Moving to 4.6 until the upstream gets merged, as this is not a blocker.

Comment 6 Alberto 2020-05-29 11:05:45 UTC
Still needing upstream PR to get merged. Tagging with upcomingSprint.

Comment 7 Danil Grigorev 2020-06-19 08:41:52 UTC
Closing as a duplicate of 1821280; that one got more urgency and a fix is posted for both.

*** This bug has been marked as a duplicate of bug 1821280 ***
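
The behaviour in the description (a cached session keeps working after the "vsphere-creds" secret is changed to a wrong password) and the "reconnect on secret update" approach named in the linked PR title can be modelled as below. This is an added example, not code from the bug, the PR or the vSphere cloud provider; `fakeVCenter`, `Conn`, `Creds` and `rebind` are hypothetical names, and the stand-in assumes, as the report observes, that an issued session survives a password change.

```go
package main

import "fmt"

type Creds struct{ User, Password string } // contents of "vsphere-creds"

// fakeVCenter (constructed): password checked at login only; issued sessions survive a change.
type fakeVCenter struct {
	password string
	live     map[int]bool // session id -> valid
}

func (v *fakeVCenter) Login(c Creds) (int, error) {
	if c.Password != v.password {
		return 0, fmt.Errorf("Cannot complete login due to an incorrect user name or password.")
	}
	id := len(v.live) + 1
	v.live[id] = true
	return id, nil
}

// Conn caches one session; rebind=false reproduces the reported behaviour.
type Conn struct {
	vc      *fakeVCenter
	session int
	used    Creds // credentials the cached session was opened with
	rebind  bool
}

// Provision is handed the secret's current contents on every call.
func (c *Conn) Provision(secret Creds) error {
	if c.rebind && secret != c.used {
		delete(c.vc.live, c.session) // log out the stale session
	}
	if !c.vc.live[c.session] { // no usable session: log in with the secret
		id, err := c.vc.Login(secret)
		if err != nil {
			return err
		}
		c.session, c.used = id, secret
	}
	return nil // the volume would be created here
}

func main() {
	c := &Conn{vc: &fakeVCenter{"old", map[int]bool{}}, rebind: true}
	fmt.Println(c.Provision(Creds{"svc", "old"}))
	c.vc.password = "new" // rotated in vSphere; the secret below is wrong
	fmt.Println(c.Provision(Creds{"svc", "wrong"}))
}
```

In this model, rebinding only reacts to a changed secret: a session opened before a rotation in vSphere stays usable for as long as the secret is left untouched.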

