Bug 1898045 - AWS EBS CSI Driver can not get updated cloud credential secret automatically
Summary: AWS EBS CSI Driver can not get updated cloud credential secret automatically
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Storage
Version: 4.7
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
: 4.7.0
Assignee: Fabio Bertinatto
QA Contact: Qin Ping
URL:
Whiteboard:
Depends On:
Blocks: 1915467
TreeView+ depends on / blocked
 
Reported: 2020-11-16 09:12 UTC by Qin Ping
Modified: 2021-02-24 15:33 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1915467 (view as bug list)
Environment:
Last Closed: 2021-02-24 15:33:27 UTC
Target Upstream Version:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift aws-ebs-csi-driver-operator pull 104 0 None closed Bug 1898045: redeploy CSI Controller Deployment when secret changes 2021-02-18 16:01:24 UTC
Github openshift aws-ebs-csi-driver-operator pull 107 0 None closed Bug 1898045: redeploy CSI Controller Deployment when secret changes 2021-02-18 16:01:24 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:33:55 UTC

Description Qin Ping 2020-11-16 09:12:34 UTC 
Description of Problem:
AWS EBS CSI Driver can not get updated cloud credential secret automatically

Version-Release number of selected component (if applicable):
4.7.0-0.nightly-2020-11-12-200927

How Reproducible:
Always

Steps to Reproduce:
1. Setup an OCP cluster on AWS.
2. Update the `kube-system/aws-creds` secret object with a new aws_access_key_id and aws_secret_access_key pair
3. Check the cloud credential secret `openshift-cluster-csi-drivers/ebs-cloud-credentials`, it's updated.
4. Delete the old aws_access_key_id/aws_secret_access_key from the AWS web console
5. Create a PVC with gp2-csi storageclass

Actual Results:
Failed to provision PV.
Warning  ProvisioningFailed    <invalid>                ebs.csi.aws.com_ip-10-0-223-16_ab24404a-1e71-423f-b752-8a9aa8f98797  failed to provision volume with StorageClass "gp2-csi": rpc error: code = Internal desc = AuthFailure: AWS was not able to validate the provided access credentials
           status code: 401, request id: 68bd3337-968c-4c09-8d20-a8f29b17a166

Restart `aws-ebs-csi-driver-controller` pod, privisioned PV successfully.

But volume attach still failed.
I1116 08:58:16.960359       1 csi_handler.go:250] Failed to save attach error to "csi-539ab4fd32fc865739277a7fed3be2e92eb90187b2a3f5af9e722f81282d4f81": VolumeAttachment.storage.k8s.io "csi-539ab4fd32fc865739277a7fed3be2e92eb90187b2a3f5af9e722f81282d4f81" is invalid: status.attachError.message: Too long: must have at most 262144 bytes
I1116 08:58:16.960385       1 csi_handler.go:226] Error processing "csi-539ab4fd32fc865739277a7fed3be2e92eb90187b2a3f5af9e722f81282d4f81": failed to attach: rpc error: code = Internal desc = Could not attach volume "vol-0c0ee416e986e8377" to node "i-0e06acfd4ec62b78c": could not attach volume "vol-0c0ee416e986e8377" to node "i-0e06acfd4ec62b78c": UnauthorizedOperation: 

Expected Results:
After the cloud credential secret is updated, aws ebs csi driver still can work well.
Comment 1 Jan Safranek 2020-11-20 13:45:09 UTC 
What I noticed other operators to do (e.g. openshift-apiserver-operator), they hash the secret content into the operand Deployment / DaemonSet pod annotations:
 
    template:
      metadata:
        annotations:
          operator.openshift.io/dep-openshift-apiserver.config.configmap: TsndwQ==
          operator.openshift.io/dep-openshift-apiserver.etcd-client.secret: XX2UTw==
          operator.openshift.io/dep-openshift-apiserver.etcd-serving-ca.configmap: 3uGrWw==
          ...

Whenever a Secret / ConfigMap changes, the operator will calculate a new hash and update the Deployment, which triggers redeployment (i.e. restart) of all pods. There should be some support for it in library-go.
Comment 10 Qin Ping 2021-01-18 09:13:57 UTC 
Verified with: 4.7.0-0.nightly-2021-01-17-211555
Comment 13 errata-xmlrpc 2021-02-24 15:33:27 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633
Note You need to log in before you can comment on or make changes to this bug.