Bug 1867262 - MachineSets in GCP are failing to create Machines in a Shared (XPN) VPC environment
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Compute
Version: 4.5
Hardware: x86_64
OS: Linux
Target Milestone: ---
Target Release: 4.6.0
Assignee: Joel Speed
QA Contact: Milind Yadav
Depends On:
Blocks: 1868751
Reported: 2020-08-07 22:41 UTC by Brandon Smitley
Modified: 2021-05-13 02:03 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Added the projectID field to the networkInterfaces.
Reason: To allow machines to be booted in shared VPCs.
Result: Machines can now request to be created in a shared VPC.
Clone Of:
Last Closed: 2020-10-27 16:26:34 UTC
Target Upstream Version:


Links:
- GitHub openshift/cluster-api-provider-gcp pull 113 (closed): "BUG 1867262: Support networks shared from a different project", last updated 2021-02-18 16:20:09 UTC
- GitHub openshift/machine-api-operator pull 679 (closed): "BUG 1867262: Bump GCP provider dependency to include projectID field in NetworkInterface", last updated 2021-02-18 16:20:09 UTC
- Red Hat Product Errata RHBA-2020:4196, last updated 2020-10-27 16:26:53 UTC

Comment 7 Joel Speed 2020-08-11 14:20:05 UTC
I'm raising a PR to try and fix this issue. Though I will need to do thorough testing before we can merge it due to the timing and nature of this bug.

An unknown for me currently is how the permissions will work for multiple projects. While we may be able to technically support this, we may not be able to leverage components such as the cloud credential operator to bootstrap credentials for Machines using this feature. (Though user-provisioned credentials are already supported.)

Comment 10 Joel Speed 2020-08-17 11:13:36 UTC
Need to add an extra PR to fix the webhooks; moving to ASSIGNED.

Comment 12 Milind Yadav 2020-08-18 07:18:28 UTC
VALIDATED ON - 4.6.0-0.nightly-2020-08-18-005041

1. Do a cluster install on GCP using the upi-on-gcp/versioned-installer-xpn profile [choose - disable_worker_machineset: "no"].
2. Update the machineset with the network and projectID values below, based on your env:
          - network: aos-qe-network
            projectID: openshift-qe-shared-vpc
            subnetwork: aos-qe-master-subnet
          projectID: openshift-qe
[you can get these values from the machines in the GCP console after installation]
3. Add the "Compute Network User" role to the service account miyadav-b62--openshift-m-8vq9x@openshift-qe.iam.gserviceaccount.com on the GCP host project mentioned in the template during installation - #host_project: "openshift-qe-shared-vpc"
Get the service account name using: oc get credentialsrequests -n openshift-cloud-credential-operator openshift-machine-api-gcp -o json | jq -r '.status.providerStatus.serviceAccountID'

4. Scale the edited machineset.
New machines are provisioned successfully and the nodes are in Ready state.
oc get machines -o wide 
miyadav-b62-6nv99-worker-f-mfbgf   Running   n1-standard-4   us-central1   us-central1-f   27m     miyadav-b62-6nv99-worker-f-mfbgf.c.openshift-qe.internal   gce://openshift-qe/us-central1-f/miyadav-b62-6nv99-worker-f-mfbgf   RUNNING

Expected - Machines should be provisioned successfully.

Additional Info:

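Added example (not code from the bug or from cluster-api-provider-gcp): a small check that reads the GCP providerSpec fields used in the validation steps above (top-level projectID and networkInterfaces[].network/subnetwork/projectID), identifies which network interfaces reference a shared-VPC host project, and renders the IAM binding an admin would review before scaling the MachineSet. The sample providerSpec and the service account name are constructed placeholders.

```python
"""Spot shared-VPC (XPN) network interfaces in a GCP MachineSet providerSpec."""
from typing import Dict, List, Set

# Constructed sample mirroring the values in the validation steps above;
# networkInterfaces[].projectID is the field added by the linked PRs.
SAMPLE_PROVIDER_SPEC: Dict = {
    "projectID": "openshift-qe",
    "networkInterfaces": [
        {
            "network": "aos-qe-network",
            "projectID": "openshift-qe-shared-vpc",
            "subnetwork": "aos-qe-master-subnet",
        }
    ],
}


def host_projects_needing_network_user(provider_spec: Dict) -> Set[str]:
    """Return host projects whose networks this spec attaches to.

    An interface whose projectID differs from the Machine's own projectID
    is a shared (XPN) VPC reference: the machine-api service account in
    the service project needs the "Compute Network User" role on each such
    host project, otherwise Machine creation fails as in this bug.
    """
    service_project = provider_spec.get("projectID")
    if not service_project:
        raise ValueError("providerSpec.projectID is required")
    hosts: Set[str] = set()
    for nic in provider_spec.get("networkInterfaces", []):
        if not nic.get("network") or not nic.get("subnetwork"):
            raise ValueError("network interface needs network and subnetwork")
        # An omitted projectID means the network lives in the service project.
        host = nic.get("projectID") or service_project
        if host != service_project:
            hosts.add(host)
    return hosts


def iam_bindings(provider_spec: Dict, service_account: str) -> List[str]:
    """Render the gcloud role grants (roles/compute.networkUser) to review."""
    return [
        f"gcloud projects add-iam-policy-binding {host} "
        f"--member=serviceAccount:{service_account} --role=roles/compute.networkUser"
        for host in sorted(host_projects_needing_network_user(provider_spec))
    ]


if __name__ == "__main__":
    sa = "machine-api-sa@openshift-qe.iam.gserviceaccount.com"  # placeholder
    for cmd in iam_bindings(SAMPLE_PROVIDER_SPEC, sa):
        print(cmd)
```

Feed it the real providerSpec from `oc get machineset -o json` and the service account from the credentialsrequest shown in step 3; an empty result means no cross-project role grant is involved.
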
Comment 16 errata-xmlrpc 2020-10-27 16:26:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
