Bug 1910372 - Passthrough credentials are not immediately re-distributed on update
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Credential Operator
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.6.z
Assignee: Akhil Rane
QA Contact: wang lin
URL:
Whiteboard:
Depends On: 1899515
Blocks:
Reported: 2020-12-23 16:02 UTC by Akhil Rane
Modified: 2023-09-15 00:56 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1899515
Environment:
Last Closed: 2021-02-22 13:54:32 UTC
Target Upstream Version:
Embargoed:
arane: needinfo+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift cloud-credential-operator pull 279 | 0 | None | closed | Bug 1910372: Backport redistribute new root creds in passthrough mode | 2021-02-16 07:57:03 UTC
Red Hat Product Errata | RHBA-2021:0510 | 0 | None | None | None | 2021-02-22 13:54:47 UTC

Comment 1 Nick Stielau 2021-02-03 19:24:50 UTC
I don't think this is a blocker, but want team's input.

Comment 2 Joel Diaz 2021-02-03 20:57:48 UTC
A blocker in what way? For 4.6?

Comment 8 wang lin 2021-02-18 11:26:11 UTC
Verified on 4.6.0-0.nightly-2021-02-17-215814 

For aws/gcp/azure/vsphere/openstack, when installing a cluster with a secret that only has passthrough permissions (in other words, CCO is in passthrough mode), then after installation, updating the root cred to another one (that only has passthrough permissions too), CCO will immediately update all the related secrets.


Hi, Akhil
There is a situation: if CCO is in mint mode in the beginning, then on updating the root creds to one that only has passthrough permissions, CCO will verify the root secret and set the annotation to passthrough mode in the root secret CR, like "cloudcredential.openshift.io/mode": "passthrough". But in this situation, if I update the root creds to another one which only has passthrough permissions too, it will not follow this logic; CCO will not update the related secrets.

Do we need to cover this situation, or do we need to document that this is not supported? CCO is definitely in passthrough mode now, but it can't immediately update the related secrets in this situation.
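
Added example (not part of the bug report or of the cloud-credential-operator code): a check for the condition described in comment 8, run after the root credential has been rotated, that lists component secrets still holding the old value. It assumes AWS-style data keys and the root secret name kube-system/aws-creds, neither of which is stated on this page; the component namespaces, secret names and key values are constructed.

```python
import base64
import hashlib

MODE_ANNOTATION = "cloudcredential.openshift.io/mode"  # annotation quoted in comment 8


def fingerprint(secret, keys):
    """Hash the selected data keys so values can be compared without printing them."""
    h = hashlib.sha256()
    for key in sorted(keys):
        value = base64.b64decode(secret.get("data", {}).get(key, ""))
        h.update(key.encode() + b"\0" + value + b"\0")
    return h.hexdigest()


def stale_secrets(root, components):
    """Return namespace/name of component secrets that do not match the root secret."""
    mode = root["metadata"].get("annotations", {}).get(MODE_ANNOTATION)
    if mode != "passthrough":
        raise ValueError(f"root secret mode is {mode!r}; check applies to passthrough only")
    # Compare only the keys present in the root secret; extra component keys are ignored.
    keys = list(root.get("data", {}))
    want = fingerprint(root, keys)
    return [
        f'{s["metadata"]["namespace"]}/{s["metadata"]["name"]}'
        for s in components
        if fingerprint(s, keys) != want
    ]


def make_secret(namespace, name, key_id, secret_key, annotations=None):
    """Build a Secret shaped like `oc get secret -o json` output (constructed data)."""
    enc = lambda v: base64.b64encode(v.encode()).decode()
    return {
        "metadata": {"namespace": namespace, "name": name, "annotations": annotations or {}},
        "data": {"aws_access_key_id": enc(key_id), "aws_secret_access_key": enc(secret_key)},
    }


# Constructed sample: root rotated to KEY-B, one component secret still on KEY-A.
ROOT = make_secret("kube-system", "aws-creds", "EXAMPLE-KEY-B", "example-secret-b",
                   {MODE_ANNOTATION: "passthrough"})
COMPONENTS = [
    make_secret("example-ns-1", "example-component-1", "EXAMPLE-KEY-B", "example-secret-b"),
    make_secret("example-ns-2", "example-component-2", "EXAMPLE-KEY-A", "example-secret-a"),
]

if __name__ == "__main__":
    print(stale_secrets(ROOT, COMPONENTS))
```

A non-empty result after rotation means a workload is still using the previous credential, so that credential should not be revoked at the cloud provider yet.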

Comment 9 wang lin 2021-02-19 01:18:30 UTC
I have asked Devan this question before; his suggestion is that we don't need to consider this situation at this time. I always feel that this is a possible scenario; if we need to cover this scenario later, I will file a new bug to track it. Moving this bug to Verified first.

https://issues.redhat.com/browse/HIVE-1286?focusedCommentId=15507308&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-15507308

Comment 11 errata-xmlrpc 2021-02-22 13:54:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.18 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0510

Comment 12 Red Hat Bugzilla 2023-09-15 00:56:39 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days.

