Bug 1916454 - teach CCO about upgradeability from 4.6 to 4.7
Summary: teach CCO about upgradeability from 4.6 to 4.7
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Credential Operator
Version: 4.7
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.7.0
Assignee: Joel Diaz
QA Contact: wang lin
URL:
Whiteboard:
Depends On:
Blocks: 1916868
Reported: 2021-01-14 19:48 UTC by Joel Diaz
Modified: 2021-02-24 15:53 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1916868
Environment:
Last Closed: 2021-02-24 15:53:18 UTC
Target Upstream Version:
Embargoed:
lwan: needinfo-


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift cloud-credential-operator pull 280 | 0 | None | closed | Bug 1916454: checking 4.7 creds | 2021-02-18 12:27:15 UTC
Red Hat Product Errata | RHSA-2020:5633 | 0 | None | None | None | 2021-02-24 15:53:39 UTC

Description Joel Diaz 2021-01-14 19:48:52 UTC
Description of problem:
There are known new CredentialsRequests when upgrading from 4.6 to 4.7. Update the Upgradeable calculation that CCO performs to watch for these Secrets when CCO is in Manual mode (where the cluster admin is responsible for creating the Secrets).

Comment 2 wang lin 2021-01-18 09:16:38 UTC
Verified on 4.7.0-0.nightly-2021-01-17-211555

1. install cluster on gcp with cco in Manual,
2. delete secret openshift-cluster-csi-drivers/gcp-pd-cloud-credentials, openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
3. check .status.conditions of co cloud-credential
$ oc get co cloud-credential -o json | jq -r ".status.conditions"
[
  {
    "lastTransitionTime": "2021-01-18T07:32:00Z",
    "message": "Credential minting is disabled by cluster admin",
    "reason": "OperatorDisabledByAdmin",
    "status": "True",
    "type": "Available"
  },
  {
    "lastTransitionTime": "2021-01-18T06:44:49Z",
    "status": "False",
    "type": "Degraded"
  },
  {
    "lastTransitionTime": "2021-01-18T06:59:22Z",
    "status": "False",
    "type": "Progressing"
  },
  {
    "lastTransitionTime": "2021-01-18T08:20:20Z",
    "message": "Cannot upgrade manual mode cluster to 4.7 due to missing secret(s): [openshift-cluster-csi-drivers/gcp-pd-cloud-credentials openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds] Please see Manualy Creating IAM documentation for the cluster's platform.",
    "reason": "ManualModeMissingSecrets",
    "status": "False",
    "type": "Upgradeable"
  }
]

4. recreate secret openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds again, check .status.conditions of co cloud-credential
$ oc get co cloud-credential -o json | jq -r ".status.conditions"
[
  {
    "lastTransitionTime": "2021-01-18T07:32:00Z",
    "message": "Credential minting is disabled by cluster admin",
    "reason": "OperatorDisabledByAdmin",
    "status": "True",
    "type": "Available"
  },
  {
    "lastTransitionTime": "2021-01-18T06:44:49Z",
    "status": "False",
    "type": "Degraded"
  },
  {
    "lastTransitionTime": "2021-01-18T06:59:22Z",
    "status": "False",
    "type": "Progressing"
  },
  {
    "lastTransitionTime": "2021-01-18T08:21:50Z",
    "message": "Cannot upgrade manual mode cluster to 4.7 due to missing secret(s): [openshift-cluster-csi-drivers/gcp-pd-cloud-credentials] Please see Manualy Creating IAM documentation for the cluster's platform.",
    "reason": "ManualModeMissingSecrets",
    "status": "False",
    "type": "Upgradeable"
  }
]
5. recreate secret openshift-cluster-csi-drivers/gcp-pd-cloud-credentials again, check .status.conditions of co cloud-credential, Upgradeable=True.
$ oc get co cloud-credential -o json | jq -r ".status.conditions"
[
  {
    "lastTransitionTime": "2021-01-18T07:32:00Z",
    "message": "Credential minting is disabled by cluster admin",
    "reason": "OperatorDisabledByAdmin",
    "status": "True",
    "type": "Available"
  },
  {
    "lastTransitionTime": "2021-01-18T06:44:49Z",
    "status": "False",
    "type": "Degraded"
  },
  {
    "lastTransitionTime": "2021-01-18T06:59:22Z",
    "status": "False",
    "type": "Progressing"
  },
  {
    "lastTransitionTime": "2021-01-18T08:22:24Z",
    "status": "True",
    "type": "Upgradeable"
  }
]

######
Hi Joel, the CCO supported mode in openstack and vsphere is Passthrough. I saw the code still includes the openstack and vsphere platforms; do we need to test Manual mode for openstack and vsphere?
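
Added example (not part of the original comment, and not code from the CCO project): a pre-upgrade check that reads the cloud-credential ClusterOperator JSON shown in the steps above and lists the Secrets a Manual mode admin still has to create. It assumes the "missing secret(s): [ns/name ...]" message format seen in that output; the function name and the "NoUpgradeableCondition" label are hypothetical.

```python
import json
import re
import sys

# Upgradeable condition copied from the step 3 output above; the wrapper
# object around it is constructed for this example.
SAMPLE = {"status": {"conditions": [
    {"type": "Available", "status": "True", "reason": "OperatorDisabledByAdmin"},
    {"type": "Upgradeable", "status": "False", "reason": "ManualModeMissingSecrets",
     "message": "Cannot upgrade manual mode cluster to 4.7 due to missing secret(s): "
                "[openshift-cluster-csi-drivers/gcp-pd-cloud-credentials "
                "openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds]"
                " Please see Manualy Creating IAM documentation for the cluster's platform."},
]}}

# Assumed message format, taken from the output on this page.
MISSING_RE = re.compile(r"missing secret\(s\): \[([^\]]*)\]")


def upgrade_blockers(clusteroperator):
    """Return (upgradeable, reason, missing); missing is a list of (namespace, name)."""
    conditions = clusteroperator.get("status", {}).get("conditions", [])
    cond = next((c for c in conditions if c.get("type") == "Upgradeable"), None)
    if cond is None:
        # No Upgradeable condition at all: report unknown rather than assume OK.
        # "NoUpgradeableCondition" is a label made up for this example.
        return None, "NoUpgradeableCondition", []
    if cond.get("status") == "True":
        return True, cond.get("reason", ""), []
    match = MISSING_RE.search(cond.get("message", ""))
    refs = match.group(1).split() if match else []
    missing = [tuple(ref.split("/", 1)) for ref in refs if "/" in ref]
    return False, cond.get("reason", ""), missing


if __name__ == "__main__":
    # Usage: oc get co cloud-credential -o json | python3 this_script.py
    # Run without piped input to evaluate the embedded sample instead.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    ok, reason, missing = upgrade_blockers(doc)
    print(f"Upgradeable={ok} reason={reason or '-'}")
    for namespace, name in missing:
        print(f"  missing secret: {namespace}/{name}")
    # Non-zero exit lets an upgrade pipeline stop before the update is started.
    sys.exit(0 if ok else 1)
```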

Comment 3 wang lin 2021-01-22 03:11:34 UTC
We don't need to test Manual mode for openstack and vsphere at present; the installer will prevent users from setting cco to Manual mode.

Comment 6 errata-xmlrpc 2021-02-24 15:53:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633

