Currently it's needed to somehow pass credentials to authenticate the CCM/CNM components on the Azure Stack Hub platform in order for them to do their job (looking up VMs, attaching/detaching VMs to load balancers and so on), because there is no completely functional metadata server and no support for the 'managed identity extension' on this platform. However, the format of the secret presented in OCP for Azure cloud credentials does not allow it to be used directly by the CCM/CNM components, for a couple of reasons:
- CNM (cloud node manager) is not capable of working with secrets at the moment
- such a secret format is not applicable for use with CCM directly (it expects a JSON file in the secret, more precisely a part of the config in the format described in https://kubernetes-sigs.github.io/cloud-provider-azure/install/configs/)
During the development process, credentials for authorizing CCM/CNM in ASH were passed in the main cloud-config by the installer. To move the effort of onboarding the Azure Stack Hub platform to OCP further, this should be fixed and the credentials must be moved somewhere else rather than stored in the cloud-config in plaintext (https://github.com/openshift/installer/pull/5138). The Cloud Controller Manager Operator should account for this behaviour and be able to handle credentials in a secret which has the format common within OCP.
Verified, clusterversion: 4.9.0-0.nightly-2021-09-07-201519

The InitContainer azure-inject-credentials is deployed within the CCM/CNM pods, and the cluster works well.

$ oc edit po azure-cloud-controller-manager-68df68c767-gthj7 -n openshift-cloud-controller-manager
  initContainers:
  - args:
    - --cloud-config-file-path=/tmp/cloud-config/cloud.conf
    - --output-file-path=/tmp/merged-cloud-config/cloud.conf
    command:
    - /azure-config-credentials-injector
    env:
    - name: AZURE_CLIENT_ID
      valueFrom:
        secretKeyRef:
          key: azure_client_id
          name: azure-cloud-credentials
    - name: AZURE_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          key: azure_client_secret
          name: azure-cloud-credentials
    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:eb3a5f611a6e3ad9afeac9204b6e0c3e2c007c4373fc4b73b0326525f24e8dfd
    imagePullPolicy: IfNotPresent
    name: azure-inject-credentials

$ oc edit po azure-cloud-node-manager-4xtdm -n openshift-cloud-controller-manager
  initContainers:
  - args:
    - --cloud-config-file-path=/tmp/cloud-config/cloud.conf
    - --output-file-path=/tmp/merged-cloud-config/cloud.conf
    command:
    - /azure-config-credentials-injector
    env:
    - name: AZURE_CLIENT_ID
      valueFrom:
        secretKeyRef:
          key: azure_client_id
          name: azure-cloud-credentials
    - name: AZURE_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          key: azure_client_secret
          name: azure-cloud-credentials
    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:eb3a5f611a6e3ad9afeac9204b6e0c3e2c007c4373fc4b73b0326525f24e8dfd
    imagePullPolicy: IfNotPresent
    name: azure-inject-credentials
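To make concrete what the init container in the pod specs above is doing for the CCM/CNM, here is an added illustration in Go. It is not the operator's azure-config-credentials-injector source; it only mirrors the wiring visible on this page (the two flag names, the AZURE_CLIENT_ID / AZURE_CLIENT_SECRET environment variables fed from the azure-cloud-credentials Secret). It assumes the cloud-config is a JSON object and that the credential fields are named aadClientId and aadClientSecret as in the cloud-provider-azure config documentation linked in the description; the sample config used in the tests is constructed.

```go
// Added illustration (not the operator's own code): merge the Azure service
// principal credentials from the environment into a cloud-provider-azure style
// JSON cloud.conf, the way the azure-inject-credentials init container above is
// wired. Flag and env var names are taken from the pod spec on this page; the
// JSON field names aadClientId / aadClientSecret are assumed from the linked
// cloud-provider-azure config documentation.
package main

import (
	"encoding/json"
	"errors"
	"flag"
	"fmt"
	"os"
	"path/filepath"
)

// mergeCredentials parses cloudConf as a JSON object, sets the AAD client
// credentials and returns the re-encoded config. It refuses to emit a config
// with empty credentials so that a missing or misnamed Secret key fails the
// init container immediately instead of starting a CCM whose every Azure API
// call will fail with an authentication error later.
func mergeCredentials(cloudConf []byte, clientID, clientSecret string) ([]byte, error) {
	if clientID == "" || clientSecret == "" {
		return nil, errors.New("AZURE_CLIENT_ID and AZURE_CLIENT_SECRET must both be set")
	}
	var cfg map[string]interface{}
	if err := json.Unmarshal(cloudConf, &cfg); err != nil {
		return nil, fmt.Errorf("cloud config is not a JSON object: %w", err)
	}
	cfg["aadClientId"] = clientID
	cfg["aadClientSecret"] = clientSecret
	return json.MarshalIndent(cfg, "", "  ")
}

// run reads the credential-free cloud.conf (installer output, mounted from a
// ConfigMap), merges the credentials from the environment and writes the
// result to the path shared with the main container (an emptyDir in the pod),
// so the secret never has to be stored in the ConfigMap in plaintext.
func run(inPath, outPath string) error {
	in, err := os.ReadFile(inPath)
	if err != nil {
		return fmt.Errorf("read cloud config: %w", err)
	}
	merged, err := mergeCredentials(in, os.Getenv("AZURE_CLIENT_ID"), os.Getenv("AZURE_CLIENT_SECRET"))
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(outPath), 0o700); err != nil {
		return fmt.Errorf("create output dir: %w", err)
	}
	// 0600: the merged file now contains a secret, so only the container's
	// user should be able to read it.
	return os.WriteFile(outPath, merged, 0o600)
}

func main() {
	inPath := flag.String("cloud-config-file-path", "/tmp/cloud-config/cloud.conf", "credential-free cloud config to read")
	outPath := flag.String("output-file-path", "/tmp/merged-cloud-config/cloud.conf", "where to write the merged config")
	flag.Parse()
	if err := run(*inPath, *outPath); err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
}
```

Two things worth checking when reviewing a deployment like this: the merged file should only ever land on an ephemeral volume shared between the init container and the main container (not back in a ConfigMap or on the host), and the container should exit non-zero when the Secret keys are absent, which is what the empty-credential check above does.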
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759