Description of problem:
Currently, ccoctl for ibm supports only the "IC_API_KEY" environment variable to pass the api key. Customers also use other environment variables like "IBMCLOUD_API_KEY", "BM_API_KEY" and "BLUEMIX_API_KEY" to pass the api key. The ccoctl fails to generate valid installer manifests if an environment variable other than "IC_API_KEY" is used.

Version-Release number of selected component (if applicable):
4.9.0

How reproducible:
Always

Steps to Reproduce:
1. Set api key with environment variable IBMCLOUD_API_KEY
2. Run 'ccoctl ibmcloud create-shared-secrets'
3. Newly generated secrets do not have api key

Actual results:
"IBMCLOUD_API_KEY", "BM_API_KEY" and "BLUEMIX_API_KEY" cannot be used to pass api key to ccoctl, resulting in invalid secret manifests.

Expected results:
"IBMCLOUD_API_KEY", "BM_API_KEY" and "BLUEMIX_API_KEY" can be used to pass api key to ccoctl, resulting in valid secret manifests.

Additional info:
The issue has been verified on 4.9.0-fc.0-x86_64

1. extract ccoctl tool from above image

$ export RELEASE_IMAGE=quay.io/openshift-release-dev/ocp-release:4.9.0-fc.0-x86_64
$ CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret)
$ oc image extract $CCO_IMAGE --file="/usr/bin/ccoctl" -a ~/.pull-secret
$ chmod +x ccoctl

2. get credentials requests for ibmcloud

$ oc adm release extract --credentials-requests --cloud=ibm --to=./credrequests-ibm $RELEASE_IMAGE

3. export ibm cloud apikey environment variables, and run `./ccoctl ibmcloud create-shared-secrets --credentials-requests-dir ./credrequests-ibm`

there are four environment variables: IC_API_KEY, IBMCLOUD_API_KEY, BM_API_KEY and BLUEMIX_API_KEY

3.1 no environment variable setting, it will show the below error (correct)

$ ./ccoctl ibmcloud create-shared-secrets --credentials-requests-dir ./credrequests-ibm
Error: [IC_API_KEY IBMCLOUD_API_KEY BM_API_KEY BLUEMIX_API_KEY] environment variable not set

3.2 only set IC_API_KEY, the key can pass to secret (correct)

$ export IC_API_KEY=FSNsXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
$ export IBMCLOUD_API_KEY=""
$ export BM_API_KEY=""
$ export BLUEMIX_API_KEY=""
$ ./ccoctl ibmcloud create-shared-secrets --credentials-requests-dir ./credrequests-ibm
2021/08/23 12:56:48 Saved credentials configuration to: /home/lwan/ocp-install/ocp49/manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
2021/08/23 12:56:48 Saved credentials configuration to: /home/lwan/ocp-install/ocp49/manifests/openshift-ingress-operator-cloud-credentials-credentials.yaml
$ cat manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
apiVersion: v1
stringData:
  ibmcloud_api_key: FSNsXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
kind: Secret
metadata:
  name: installer-cloud-credentials
  namespace: openshift-image-registry

3.3 only set IBMCLOUD_API_KEY, the key can pass to secret (correct)

$ export IC_API_KEY=""
$ export IBMCLOUD_API_KEY=FSNsXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
$ export BM_API_KEY=""
$ export BLUEMIX_API_KEY=""
$ ./ccoctl ibmcloud create-shared-secrets --credentials-requests-dir ./credrequests-ibm
2021/08/23 12:56:48 Saved credentials configuration to: /home/lwan/ocp-install/ocp49/manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
2021/08/23 12:56:48 Saved credentials configuration to: /home/lwan/ocp-install/ocp49/manifests/openshift-ingress-operator-cloud-credentials-credentials.yaml
$ cat manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
apiVersion: v1
stringData:
  ibmcloud_api_key: FSNsXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
kind: Secret
metadata:
  name: installer-cloud-credentials
  namespace: openshift-image-registry

3.4 only set BM_API_KEY, the key can pass to secret (correct)

3.5 only set BLUEMIX_API_KEY, the key can pass to secret (correct)
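
The failure mode reported here is silent: ccoctl writes Secret manifests that carry no API key. The script below is an added example, not part of this bug report or of ccoctl; it reports which of the four variables is populated without printing its value, then rejects a manifests directory in which any file lacks a non-empty ibmcloud_api_key. The function names are hypothetical, the lookup order simply follows the list in the error message above (ccoctl's real precedence is an assumption), and the manifests are constructed samples.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Print the NAME (never the value) of the first non-empty API key variable.
# Order follows ccoctl's error message; its internal precedence is an assumption.
ibm_api_key_source() (
    for name in IC_API_KEY IBMCLOUD_API_KEY BM_API_KEY BLUEMIX_API_KEY; do
        eval "val=\${$name:-}"      # names are fixed constants, so eval is safe
        if [ -n "$val" ]; then      # an empty string counts as unset
            printf '%s\n' "$name"
            exit 0
        fi
    done
    exit 1
)

# Return 0 only if DIR holds at least one *.yaml and every one of them
# has a non-empty ibmcloud_api_key (assumes DIR contains only ccoctl secrets).
check_ibm_secret_manifests() (
    dir=$1
    found=0
    bad=0
    for f in "$dir"/*.yaml; do
        [ -e "$f" ] || continue
        found=1
        # Text after the key, stripped of quotes and whitespace
        key=$(sed -n 's/^[[:space:]]*ibmcloud_api_key:[[:space:]]*//p' "$f" \
              | tr -d "\"' \t\r" | head -n 1)
        if [ -z "$key" ]; then
            printf 'empty or missing ibmcloud_api_key: %s\n' "$f" >&2
            bad=1
        fi
    done
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
)

# Constructed manifests in the layout shown above (placeholder key, not a credential).
demo=$(mktemp -d)
printf 'apiVersion: v1\nstringData:\n  ibmcloud_api_key: EXAMPLE-PLACEHOLDER\nkind: Secret\n' > "$demo/good.yaml"
printf 'apiVersion: v1\nstringData:\n  ibmcloud_api_key: ""\nkind: Secret\n' > "$demo/bad.yaml"
ibm_api_key_source || echo "no IBM Cloud API key variable is set"
check_ibm_secret_manifests "$demo" || echo "manifests rejected: do not pass them to the installer"
rm -rf "$demo"
```
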
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759