Bug 1990975 - ccoctl for IBM does not support not all possible environment variables to pass APIKEY
Summary: ccoctl for IBM does not support not all possible environment variables to pas...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Credential Operator
Version: 4.9
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.9.0
Assignee: Akhil Rane
QA Contact: wang lin
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-08-06 17:23 UTC by Akhil Rane
Modified: 2021-10-18 17:45 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-18 17:45:28 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cloud-credential-operator pull 365 0 None None None 2021-08-06 17:24:31 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:45:39 UTC

Description Akhil Rane 2021-08-06 17:23:33 UTC
Description of problem:
Currently, ccoctl for ibm supports only "IC_API_KEY" environment variable to pass api key. Customers also use other environment variables like "IBMCLOUD_API_KEY", "BM_API_KEY" and "BLUEMIX_API_KEY" to pass api key. The ccoctl fails to generate valid installer manifests if environment variable other then "IC_API_KEY" is used.


Version-Release number of selected component (if applicable):
4.9.0

How reproducible:
Always

Steps to Reproduce:
1. Set api key with environment variable IBMCLOUD_API_KEY 
2. Run 'ccoctl ibmcloud create-shared-secrets'
3. Newly generated secrets do not have api key 

Actual results:
"IBMCLOUD_API_KEY", "BM_API_KEY" and "BLUEMIX_API_KEY" cannot be used to pass api key to ccoctl, resulting in invalid secret manifests.

Expected results:
"IBMCLOUD_API_KEY", "BM_API_KEY" and "BLUEMIX_API_KEY" can be used to pass api key to ccoctl, resulting in valid secret manifests.


Additional info:

Comment 2 wang lin 2021-08-23 05:04:12 UTC
The issue has verified on 4.9.0-fc.0-x86_64

1. extract ccoctl tool from above image
$export RELEASE_IMAGE=quay.io/openshift-release-dev/ocp-release:4.9.0-fc.0-x86_64
$CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret)
$oc image extract $CCO_IMAGE --file="/usr/bin/ccoctl" -a ~/.pull-secret
$chmod +x ccoctl

2. get credentials requests for ibmcloud
$oc adm release extract --credentials-requests --cloud=ibm --to=./credrequests-ibm $RELEASE_IMAGE

3.export ibm cloud apikey environment variables, and run `./ccoctl ibmcloud create-shared-secrets --credentials-requests-dir ./credrequests-ibm`

there are four environment variables IC_API_KEY, IBMCLOUD_API_KEY, BM_API_KEY and BLUEMIX_API_KEY
3.1 no environment variable setting, it will show the below error(correct)
$./ccoctl ibmcloud create-shared-secrets --credentials-requests-dir ./credrequests-ibm
Error: [IC_API_KEY IBMCLOUD_API_KEY BM_API_KEY BLUEMIX_API_KEY] environment variable not set

3.2 only set IC_API_KEY, the key can pass to secret(correct)
$export IC_API_KEY=FSNsXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
$export IBMCLOUD_API_KEY=""
$export BM_API_KEY=""
$export BLUEMIX_API_KEY=""

$./ccoctl ibmcloud create-shared-secrets --credentials-requests-dir ./credrequests-ibm
2021/08/23 12:56:48 Saved credentials configuration to: /home/lwan/ocp-install/ocp49/manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
2021/08/23 12:56:48 Saved credentials configuration to: /home/lwan/ocp-install/ocp49/manifests/openshift-ingress-operator-cloud-credentials-credentials.yaml
$ cat manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
apiVersion: v1
stringData:
  ibmcloud_api_key: FSNsXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
kind: Secret
metadata:
  name: installer-cloud-credentials
  namespace: openshift-image-registry

3.3 only set IBMCLOUD_API_KEY, the key can pass to secret(correct)
export IC_API_KEY=""
export IBMCLOUD_API_KEY=FSNsXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
export BM_API_KEY=""
export BLUEMIX_API_KEY=""

$./ccoctl ibmcloud create-shared-secrets --credentials-requests-dir ./credrequests-ibm
2021/08/23 12:56:48 Saved credentials configuration to: /home/lwan/ocp-install/ocp49/manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
2021/08/23 12:56:48 Saved credentials configuration to: /home/lwan/ocp-install/ocp49/manifests/openshift-ingress-operator-cloud-credentials-credentials.yaml
$ cat manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
apiVersion: v1
stringData:
  ibmcloud_api_key: FSNsXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
kind: Secret
metadata:
  name: installer-cloud-credentials
  namespace: openshift-image-registry

3.4 only set BM_API_KEY, the key can pass to secret(correct)

3.5 only set BLUEMIX_API_KEY, the key can pass to secret(correct)

Comment 5 errata-xmlrpc 2021-10-18 17:45:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759


Note You need to log in before you can comment on or make changes to this bug.