Bug 1976674 - CCO didn't set Upgradeable to False when cco mode is configured to Manual on azure platform
Summary: CCO didn't set Upgradeable to False when cco mode is configured to Manual on ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Credential Operator
Version: 4.8
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.10.0
Assignee: Nobody
QA Contact: wang lin
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-06-28 02:04 UTC by wang lin
Modified: 2022-03-10 16:04 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Running OCP on Azure with Manual credentials mode would not set the cluster to upgradeable=False Consequence: Behavior on Azure was different than other platforms. Fix: Mark upgradeable=False when in manual credential mode on Azure. Result: Consistent behavior for the upgradeable flag across platforms.
Clone Of:
Environment:
Last Closed: 2022-03-10 16:04:21 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cloud-credential-operator pull 387 0 None open Bug 1976674: make azure and ovirt consistent when in manual mode 2021-09-24 14:27:14 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:04:33 UTC

Description wang lin 2021-06-28 02:04:30 UTC
Description of problem:
After this PR [1] merged, cco introduce a system so that any/all platforms will set Upgradeable=False until an annotation has been appllied to CCO's CloudCredential config object when cco is in Manual mode, but we missing azure and ovirt platforms, we always set Upgradeable=True on azure and ovirt, see 
Azure:https://github.com/openshift/cloud-credential-operator/blob/master/pkg/azure/actuator.go#L745-L747
ovirt: https://github.com/openshift/cloud-credential-operator/blob/master/pkg/ovirt/actuator.go#L353-L355 

[1] https://github.com/openshift/cloud-credential-operator/pull/286

Version-Release number of selected component (if applicable):
4.8.0-0.nightly-2021-06-25-182927

How reproducible:
100%

Steps to Reproduce:
1. Launch an ipi on azure
2. change cco mode to Manual
$oc patch cloudcredential cluster --type 'merge' -p '{"spec": {"credentialsMode": "Manual"}}'
3. Check co cloud-credential conditions
$oc get co cloud-credential -o json | jq -r ".status.conditions"

Actual results:
Upgradeable=True
$ oc get co cloud-credential -o json | jq -r ".status.conditions"
[
  {
    "lastTransitionTime": "2021-06-25T10:21:25Z",
    "message": "Credential minting is disabled by cluster admin",
    "reason": "OperatorDisabledByAdmin",
    "status": "True",
    "type": "Available"
  },
  {
    "lastTransitionTime": "2021-06-25T07:47:36Z",
    "status": "False",
    "type": "Degraded"
  },
  {
    "lastTransitionTime": "2021-06-25T07:53:33Z",
    "status": "False",
    "type": "Progressing"
  },
  {
    "lastTransitionTime": "2021-06-25T07:47:36Z",
    "status": "True",
    "type": "Upgradeable"
  }
]

Expected results:
Upgradeable=False

Additional info:

Comment 5 wang lin 2021-09-27 07:20:35 UTC
Verified on 4.10.0-0.ci-2021-09-26-200812

1. Launch an ipi on azure
2. change cco mode to Manual
$oc patch cloudcredential cluster --type 'merge' -p '{"spec": {"credentialsMode": "Manual"}}'
3. Check co cloud-credential conditions
$ oc get co cloud-credential -o json | jq -r ".status.conditions[]"
{
  "lastTransitionTime": "2021-09-27T07:13:09Z",
  "message": "Credential minting is disabled by cluster admin",
  "reason": "OperatorDisabledByAdmin",
  "status": "True",
  "type": "Available"
}
{
  "lastTransitionTime": "2021-09-27T01:53:30Z",
  "status": "False",
  "type": "Degraded"
}
{
  "lastTransitionTime": "2021-09-27T02:05:01Z",
  "status": "False",
  "type": "Progressing"
}
{
  "lastTransitionTime": "2021-09-27T07:16:12Z",
  "message": "Upgradeable annotation cloudcredential.openshift.io/upgradeable-to on cloudcredential.operator.openshift.io/cluster object needs updating before upgrade. See Manually Creating IAM documentation for instructions on preparing a cluster for upgrade.",
  "reason": "MissingUpgradeableAnnotation",
  "status": "False",
  "type": "Upgradeable"
}
4. patch annotation, it will be cleared
$ oc patch cloudcredential cluster --type 'merge' -p '{"metadata": {"annotations": {"cloudcredential.openshift.io/upgradeable-to": "4.11.0"}}}'
cloudcredential.operator.openshift.io/cluster patched

$ oc get co cloud-credential -o json | jq -r ".status.conditions[]"
{
  "lastTransitionTime": "2021-09-27T07:13:09Z",
  "message": "Credential minting is disabled by cluster admin",
  "reason": "OperatorDisabledByAdmin",
  "status": "True",
  "type": "Available"
}
{
  "lastTransitionTime": "2021-09-27T01:53:30Z",
  "status": "False",
  "type": "Degraded"
}
{
  "lastTransitionTime": "2021-09-27T02:05:01Z",
  "status": "False",
  "type": "Progressing"
}
{
  "lastTransitionTime": "2021-09-27T07:15:55Z",
  "status": "True",
  "type": "Upgradeable"
}

Comment 9 errata-xmlrpc 2022-03-10 16:04:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056


Note You need to log in before you can comment on or make changes to this bug.