This bug was initially created as a copy of Bug #1954708

I am copying this bug because:

Description of problem (please be detailed as possible and provide log snippets):
OCS installation creates Public IPs even with OCP installed as Private cluster on IBM ROKS.

Version of all relevant components (if applicable):
OCS 4.x

Does this issue impact your ability to continue to work with the product (please explain in detail what is the user impact)?
Yes, public endpoints are not expected on a private cluster.

Is there any workaround available to the best of your knowledge?
Workarounds provided in Bug 1954708 were tried but did not work. Here's an update from Shirisha from the IBM team:

We tried both the workarounds suggested:

1. Annotate the LB
However, this wasn't possible as it said

```
Warning CreatingCloudLoadBalancerFailed 3s ibm-cloud-provider Error on cloud load balancer kube-c2jpf1n20k1p2v6es490-9b45719fc38045b4b9d7fc13326614c4 for service openshift-storage/noobaa-mgmt with UID 9b45719f-c380-45b4-b9d7-fc13326614c4: Failed ensuring LoadBalancer: UpdateLoadBalancer failed: The load balancer was created as a public load balancer. This setting can not be changed
```

2. Create an egress firewall:
Couldn't create it as the link provided worked only if OpenShift SDN was used, but IBM ROKS uses Calico SDN. Also, this is only a policy that can be used to control the traffic.

Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)?
2

Is this issue reproducible?
Yes.

Can this issue reproduce from the UI?
Yes.

If this is a regression, please provide more details to justify this:
No.

Actual results:
The creation of the Public IPs was unexpected and unwanted in internal clusters.

Expected results:
Restrict Noobaa from creating any Public resources for Private clusters.

Additional info:
Setting 4.9, can clone to 4.8.z if needed
@nbecker Do we need LBs in a private cluster, as there is no inbound connectivity? Also, will the fix for this be available soon?
Deploy ODF on a cloud ... See that the public endpoint/route was created. Update the yaml to disable the public route, delete the public route and see it's not re-created.
@akgunjal.com Akash, can someone from your team help qualify this on ROKS?
Test Instructions:

The fix is about giving a way to change the service from LoadBalancer to ClusterIP.

If you want to change the service from LoadBalancer to ClusterIP, all you need to do is edit the CRD and add `disableLoadBalancerService: true`.

TL;DR run: `kubectl edit noobaa noobaa` and then

```
...
      memory: 500M
    requests:
      cpu: 100m
      memory: 500M
  dbType: postgres
  disableLoadBalancerService: true   # <--------------- Add this
  endpoints:
    maxCount: 1
    minCount: 1
...
```

Best Regards,
Liran.
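An added example, not part of the comment above or of the NooBaa project's code: one way to check the result of setting `disableLoadBalancerService: true` is to audit the Service list of the storage namespace for anything still of type LoadBalancer and classify its ingress addresses. The sample JSON is constructed in the shape of `kubectl get svc -n openshift-storage -o json`; only the `noobaa-mgmt` name comes from this bug, the other service names and all addresses are assumptions.

```python
import ipaddress
import json

# RFC 1918 ranges; anything outside them is reported as externally reachable.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample shaped like `kubectl get svc -n openshift-storage -o json`.
# Only noobaa-mgmt is named in the bug; other names and all addresses are made up.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "noobaa-mgmt"}, "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
    {"metadata": {"name": "example-s3"}, "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {"ingress": [{"hostname": "lb.example.com"}]}}},
    {"metadata": {"name": "example-internal"}, "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {"ingress": [{"ip": "10.240.0.7"}]}}},
    {"metadata": {"name": "example-pending"}, "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {}}},
    {"metadata": {"name": "example-db"}, "spec": {"type": "ClusterIP"},
     "status": {"loadBalancer": {}}},
]})


def is_internal(addr):
    """True only for an IP literal inside INTERNAL_NETS; hostnames count as external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # a DNS name cannot be classified offline, so flag it
    return any(ip in net for net in INTERNAL_NETS)


def audit_services(svc_json):
    """Return (name, exposure, addresses) for every LoadBalancer Service."""
    findings = []
    for svc in json.loads(svc_json).get("items", []):
        if svc.get("spec", {}).get("type") != "LoadBalancer":
            continue  # ClusterIP is the state the fix is meant to produce
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        addrs = [a for a in (i.get("ip") or i.get("hostname") for i in ingress) if a]
        if not addrs:
            exposure = "pending"    # LB requested, nothing provisioned yet
        elif all(is_internal(a) for a in addrs):
            exposure = "internal"
        else:
            exposure = "external"
        findings.append((svc["metadata"]["name"], exposure, addrs))
    return findings


if __name__ == "__main__":
    for name, exposure, addrs in audit_services(SAMPLE):
        print(f"{name}: LoadBalancer, {exposure} {addrs}")
```

On a cluster where the fix is applied, an empty result for the namespace is the expected outcome; re-running the check after deleting the public route or service shows whether the operator re-creates it.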
Since the fix is not backported to 4.9.0 and is present on 4.10.0, it cannot be tested on ROKS currently
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.10.0 enhancement, security & bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:1372
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days