Bug 1880896 - cacert file path generated by CCO is not correct for SSC OSP16 cluster
Summary: cacert file path generated by CCO is not correct for SSC OSP16 cluster
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.6.0
Assignee: Mike Fedosin
QA Contact: weiwei jiang
Depends On:
Reported: 2020-09-21 03:11 UTC by Qin Ping
Modified: 2020-10-27 16:43 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-10-27 16:42:58 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Github openshift csi-driver-manila-operator pull 64 0 None closed Bug 1880896: Replace cert authority path from clouds.yaml 2020-10-09 03:04:02 UTC
Github openshift installer pull 4227 0 None closed Bug 1884558: do not use local cacert path in generated clouds.yaml 2020-10-09 03:04:11 UTC
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 16:43:22 UTC

Description Qin Ping 2020-09-21 03:11:13 UTC
Description of Problem:
cacert file path generated by CCO is not correct for SSC OSP16 cluster

Version-Release number of selected component (if applicable):

How Reproducible:

Steps to Reproduce:
1. Install an OCP4.6 cluster on a SSC OSP16 cluster
2. Check the secret created by CCO

Actual Results:
$ oc get credentialsrequests.cloudcredential.openshift.io manila-csi-driver-operator -n openshift-cloud-credential-operator -o json | jq .spec
  "providerSpec": {
    "apiVersion": "cloudcredential.openshift.io/v1",
    "kind": "OpenStackProviderSpec"
  "secretRef": {
    "name": "manila-cloud-credentials",
    "namespace": "openshift-cluster-csi-drivers"

$ oc get secret manila-cloud-credentials -n openshift-cluster-csi-drivers -ojson| jq .data
  "clouds.yaml": "BASE64 encode string"

$ echo BASE64 encode string|base64 -d
      auth_url: XXXXXX
      password: XXXX
      project_id: 86cb1a7c2dd04e1ea26087255744db1b
      project_name: shiftstack
      user_domain_name: Default
      username: shiftstack_user
    cacert: /home/jenkins/workspace/Launch Environment Flexy/workdir/cacert.crt.20200918-419-1lzytgo
    endpoint_type: public
    identity_api_version: "3"
    region_name: regionOne
    verify: true

When creating a Manila share PVC, PV provisioning failed with:
Warning  ProvisioningFailed    <invalid> (x7 over <invalid>)   manila.csi.openstack.org_openstack-manila-csi-controllerplugin-59c6c8cc4-rvbx6_9f013ff7-88c6-47d8-bf30-b868a57db2a7  failed to provision volume with StorageClass "csi-manila-nfs": rpc error: code = Unauthenticated desc = failed to create Manila v2 client: failed to authenticate: failed to read and parse /home/jenkins/workspace/Launch Environment Flexy/workdir/cacert.crt.20200918-419-1lzytgo certificate: open /home/jenkins/workspace/Launch Environment Flexy/workdir/cacert.crt.20200918-419-1lzytgo: no such file or directory

Expected Results:
cacert file path is a valid file path

Additional Info:
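
The check in step 2 can be scripted, shown here as an added example that is not part of the original report and is not code from CCO or the Manila operator: decode clouds.yaml from the secret and test whether each cacert path exists on the filesystem where the script runs. The function names, the cloud name `openstack`, the auth_url and the sample file name are constructed for illustration.

```shell
#!/bin/sh
# Added example: list every cacert path in a base64-encoded clouds.yaml and
# report whether it is readable on the filesystem where this script runs.

# Print the value of each "cacert:" key read from stdin, one per line.
extract_cacert_paths() {
    sed -n 's/^[[:space:]]*cacert:[[:space:]]*//p' \
        | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# $1 = base64-encoded clouds.yaml. Prints "OK <path>" or "MISSING <path>"
# per cacert entry; returns 1 if any path is missing, 0 otherwise.
check_clouds_yaml_cacert() {
    status=0
    paths=$(printf '%s' "$1" | base64 -d | extract_cacert_paths)
    [ -n "$paths" ] || { echo "NONE no cacert key present"; return 0; }
    while IFS= read -r path; do   # line-wise, so paths with spaces survive
        if [ -r "$path" ]; then
            echo "OK $path"
        else
            echo "MISSING $path"; status=1
        fi
    done <<EOF
$paths
EOF
    return "$status"
}

# Constructed sample mirroring the report: a build-host path containing spaces.
sample_clouds_yaml() {
    cat <<'EOF'
clouds:
  openstack:
    auth:
      auth_url: https://keystone.example.invalid:13000/v3
      username: shiftstack_user
    cacert: /home/jenkins/workspace/Launch Environment Flexy/workdir/cacert.crt.example
    verify: true
EOF
}

# Real input would come from the secret shown above, e.g.:
#   oc get secret manila-cloud-credentials -n openshift-cluster-csi-drivers -o json | jq -r '.data["clouds.yaml"]'
encoded=$(sample_clouds_yaml | base64 | tr -d '\n')
check_clouds_yaml_cacert "$encoded" || echo "cacert path is not usable on this filesystem"
```

The result only reflects the filesystem the script runs on, so the check is meaningful when run in the same environment as the component that reads the secret.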

Comment 3 Qin Ping 2020-09-28 08:04:07 UTC
Checked with: 4.6.0-0.nightly-2020-09-27-075304

Now the manila csi driver controller does not use the wrong profile, and PV can be provisioned successfully.

So, I'll remove the testblocker keyword, and update the priority and severity.

But keeping the cacert "/home/jenkins/workspace/Launch Environment Flexy/workdir/cacert.crt.20200918-419-1lzytgo" in the manila-cloud-credentials secret is still a little weird, so I'll assign this bug back.

Comment 4 Martin André 2020-10-02 09:59:13 UTC
Moving back to ON_QA as the original defect was closed already by https://github.com/openshift/csi-driver-manila-operator/pull/64.

I'm creating a new BZ, targeted at 4.7, for the issue that was later reported about the confusing path in the manila-cloud-credentials secret.

Comment 5 Martin André 2020-10-02 10:04:44 UTC
Here is the new BZ for the path issue in generated file: https://bugzilla.redhat.com/show_bug.cgi?id=1884558

Comment 9 errata-xmlrpc 2020-10-27 16:42:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

