Bug 1993087

Summary: Azure StackHub: cluster-cloud-controller-manager-operator / azure-cloud-controller-manager / azure-cloud-node-manager does not support OCP azure credentials secret format
Product: OpenShift Container Platform
Reporter: dmoiseev
Component: Cloud Compute
Sub component: Cloud Controller Manager
Assignee: dmoiseev
QA Contact: sunzhaohua <zhsun>
Status: CLOSED ERRATA
Severity: high
Priority: high
CC: aos-bugs
Version: 4.9
Target Milestone: ---
Target Release: 4.9.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2021-10-18 17:46:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description dmoiseev 2021-08-12 11:28:32 UTC
Currently it is necessary to somehow pass credentials to authenticate the CCM/CNM components on the Azure StackHub platform so they can do their job (looking up VMs, attaching/detaching VMs to load balancers and so on), because there is no fully functional metadata server and no support for the 'managed identity extension' on this platform.

However, the format of the secret presented in OCP for Azure cloud credentials does not allow it to be used directly for the CCM/CNM components, for a couple of reasons:

- CNM (cloud node manager) is not capable of working with secrets at the moment
- such a secret format is not applicable for use with CCM directly (it expects a JSON file in the secret, more precisely the part of the config in the format described in https://kubernetes-sigs.github.io/cloud-provider-azure/install/configs/)

During the development process, credentials for authorizing CCM/CNM in ASH were passed to the main cloud-config by the installer. To move the effort of onboarding the Azure StackHub platform to OCP further, this should be fixed and the credentials must be moved somewhere else rather than stored in the cloud-config in plaintext (https://github.com/openshift/installer/pull/5138). The Cloud Controller Manager Operator should account for this behaviour and be able to handle credentials in a secret which has the format common within OCP.

Comment 3 sunzhaohua 2021-09-09 08:50:07 UTC
Verified.
clusterversion: 4.9.0-0.nightly-2021-09-07-201519

InitContainer azure-inject-credentials is deployed within CCM/CNM pods, the cluster works well.
$ oc edit po azure-cloud-controller-manager-68df68c767-gthj7 -n openshift-cloud-controller-manager
  initContainers:
  - args:
    - --cloud-config-file-path=/tmp/cloud-config/cloud.conf
    - --output-file-path=/tmp/merged-cloud-config/cloud.conf
    command:
    - /azure-config-credentials-injector
    env:
    - name: AZURE_CLIENT_ID
      valueFrom:
        secretKeyRef:
          key: azure_client_id
          name: azure-cloud-credentials
    - name: AZURE_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          key: azure_client_secret
          name: azure-cloud-credentials
    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:eb3a5f611a6e3ad9afeac9204b6e0c3e2c007c4373fc4b73b0326525f24e8dfd
    imagePullPolicy: IfNotPresent
    name: azure-inject-credentials

$ oc edit po azure-cloud-node-manager-4xtdm  -n openshift-cloud-controller-manager
  initContainers:
  - args:
    - --cloud-config-file-path=/tmp/cloud-config/cloud.conf
    - --output-file-path=/tmp/merged-cloud-config/cloud.conf
    command:
    - /azure-config-credentials-injector
    env:
    - name: AZURE_CLIENT_ID
      valueFrom:
        secretKeyRef:
          key: azure_client_id
          name: azure-cloud-credentials
    - name: AZURE_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          key: azure_client_secret
          name: azure-cloud-credentials
    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:eb3a5f611a6e3ad9afeac9204b6e0c3e2c007c4373fc4b73b0326525f24e8dfd
    imagePullPolicy: IfNotPresent
    name: azure-inject-credentials

Comment 5 errata-xmlrpc 2021-10-18 17:46:09 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759