1910372 – Passthrough credentials are not immediately re-distributed on update

Bug 1910372 - Passthrough credentials are not immediately re-distributed on update

Summary: Passthrough credentials are not immediately re-distributed on update

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Cloud Credential Operator
Sub Component:
Version:	4.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	4.6.z
Assignee:	Akhil Rane
QA Contact:	wang lin
Docs Contact:
URL:
Whiteboard:
Depends On:	1899515
Blocks:
TreeView+	depends on / blocked

Reported:	2020-12-23 16:02 UTC by Akhil Rane
Modified:	2021-03-16 16:35 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1899515
Environment:
Last Closed:	2021-02-22 13:54:32 UTC
Target Upstream Version:
Flags:	arane: needinfo? (dgoodwin) arane: needinfo+

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift cloud-credential-operator pull 279	0	None	closed	Bug 1910372: Backport redistribute new root creds in passthrough mode	2021-02-16 07:57:03 UTC
Red Hat Product Errata	RHBA-2021:0510	0	None	None	None	2021-02-22 13:54:47 UTC

Comment 1 Nick Stielau 2021-02-03 19:24:50 UTC

I don't think this is a blocker, but want team's input.

Comment 2 Joel Diaz 2021-02-03 20:57:48 UTC

A blocker in what way? For 4.6?

Comment 8 wang lin 2021-02-18 11:26:11 UTC

Verified on 4.6.0-0.nightly-2021-02-17-215814 

For aws/gcp/azure/vsphere/openstack, when installing a cluster with secret only have passthrough peromissions(in other words, cco is in passthrough mode). after installation, updating root cred to another one(only have passthrough permission too), cco will immediately update all those related secrets.


Hi, Akhil
there is a situation, if cco is in mint mode in the beginning, then updating root creds to the one only have passthrough permission, cco will verify the root secret and set annotation to passthrough mode in root sectet CR , like "cloudcredential.openshift.io/mode": "passthrough", but in this situation, if I update root creds to another one which only have passthrough permission too, it will not follow this logic,cco will not  update those related secrets

Do we need to cover this situation, or do we need to document that this is not supported? the cco definitely is in passthrough mode now, but it can't immediately update those related secrets if in this situation.

Comment 9 wang lin 2021-02-19 01:18:30 UTC

I have asked Devan this question before, His suggestion is that we don't need to consider this situation at this time , I awlays feel that this is a possible scenario,  if we need cover this scenario later, will file a new bug to track.  Move this bug to Verified first.

https://issues.redhat.com/browse/HIVE-1286?focusedCommentId=15507308&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-15507308

Comment 11 errata-xmlrpc 2021-02-22 13:54:32 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.18 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0510

Note You need to log in before you can comment on or make changes to this bug.