Bug 1998432 - Unable to use application credentials for Cinder / Swift volumes when installing on OpenStack
Summary: Unable to use application credentials for Cinder / Swift volumes when install...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.8
Hardware: All
OS: Unspecified
Importance: medium low
Target Milestone: ---
Target Release: 4.11.0
Assignee: Pierre Prinetti
QA Contact: Udi Shkalim
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-08-27 07:50 UTC by Emmanuel Kasper
Modified: 2022-03-23 09:53 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: cluster-image-registry's Swift integration did not work with application credentials.
Consequence: Tech Preview installations with the external cloud provider, relying on application credentials, could not properly deploy.
Fix: With this change, cluster-image-registry's Swift integration works with application credentials.
Result: Tech Preview installations with the external cloud provider, relying on application credentials, can now deploy, although they can't have Load Balancer integration.
Clone Of:
Environment:
Last Closed: 2022-03-23 09:53:42 UTC
Target Upstream Version:
Embargoed:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Github openshift cluster-image-registry-operator pull 686 | 0 | None | Merged | Bug 1998432: Support Swift authentication using application credentials | 2022-03-23 09:52:15 UTC

Description Emmanuel Kasper 2021-08-27 07:50:45 UTC
What problem/issue/behavior are you having trouble with?  What do you expect to see?
While trying to install an OCP 4 cluster on OpenStack with application credentials, the cluster itself works fine, but it is not possible to provision volumes on Cinder; provisioning fails with an error similar to:

Failed to provision volume with StorageClass "standard": unable to initialize cinder client for region: regionOne, err: cloud provider is not initialized: cannot initialize cloud provider using data from the secret: You must provide a password to authenticate.

The issue is mentioned by the following KB article: https://access.redhat.com/solutions/6020241

Comment 2 Pierre Prinetti 2021-08-27 08:22:21 UTC
Thank you for reporting. We plan on tackling this during the 4.10 release cycle.

See also https://issues.redhat.com/browse/OSASINFRA-1934

Comment 3 Bram Verschueren 2021-09-02 13:48:58 UTC
If I'm not mistaken, the problem is that the image-registry-operator verifies whether Swift is available (https://github.com/openshift/cluster-image-registry-operator/blob/48485bb2206c8829b7b07904e3585816ed39485f/pkg/storage/storage.go#L162), which fails when used with application credentials (see https://bugzilla.redhat.com/show_bug.cgi?id=1991826), so it falls back to using Cinder-based PVCs. The default storageClass, however, is the in-tree (non-CSI) Cinder plugin, which does not consider application credentials (https://github.com/kubernetes/kubernetes/blob/2a88664eccdf02cd01777b48171873a028117737/staging/src/k8s.io/legacy-cloud-providers/openstack/openstack.go#L158-L173), causing gophercloud to error out (https://github.com/gophercloud/gophercloud/blob/513734676e6495f6fec60e7aaf1f86f1ce807428/auth_options.go#L201-L285).

Comment 6 ShiftStack Bugwatcher 2021-11-25 16:12:16 UTC
Removing the Triaged keyword because:

* the QE automation assessment (flag qe_test_coverage) is missing

Comment 8 Martin André 2021-12-20 15:17:17 UTC
Hello, let me try to summarize the situation and provide a way forward with this BZ.

- the in-tree cloud provider does not support application credentials [1]. It is currently in maintenance mode and we can't add new features to it.
- both the external cloud provider and the CSI drivers support application credentials [2]
- cluster-image-registry's swift integration also now works with application credentials thanks to https://github.com/openshift/cluster-image-registry-operator/pull/686

It means that when using External cloud provider and CSI migration things should work out of the box. This should become tech preview in 4.10 before becoming GA in a later release.

Clusters using the in-tree cloud provider may partially work with application credentials when using CSI, either by enabling CSI migration (still tech preview) or setting the standard-csi storage class as default, however they can't have Load Balancer integration. This also won't be a supported configuration.

I suggest we close the BZ as there is nothing we can do to support application credentials with the legacy cloud provider and instead follow https://issues.redhat.com/browse/OSASINFRA-2368 for the application credentials RFE.

[1] https://github.com/openshift/kubernetes/blob/fdb6e2b/staging/src/k8s.io/legacy-cloud-providers/openstack/openstack.go#L164-L180
[2] https://github.com/openshift/cloud-provider-openstack/blob/cab1ef2/pkg/client/client.go#L72-L74
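The mismatch described in Comment 3 and Comment 8 (the legacy cloud provider never forwards application-credential keys to gophercloud, so an application-credential-only cloud.conf ends in the "You must provide a password to authenticate" error quoted in the description, while the external cloud provider does forward them) as an added pre-flight check; this is example code, not code from OpenShift, Kubernetes or gophercloud. The key sets per provider are an assumption based on the linked code, the validation rule is a re-implementation of gophercloud's token-request check, and both cloud.conf samples are constructed.

```python
"""Pre-flight check: would a cloud.conf's [Global] credentials authenticate under
the in-tree (legacy) OpenStack cloud provider or the external one?"""
import configparser

# Keys each provider forwards from [Global] to gophercloud's AuthOptions.
# ASSUMPTION: the legacy set follows the in-tree code linked in the comments (it
# has no application-credential fields); the external set adds the
# application-credential-* keys of cloud-provider-openstack's cloud.conf.
LEGACY_AUTH_KEYS = {"auth-url", "username", "user-id", "password", "tenant-id",
                    "tenant-name", "domain-id", "domain-name"}
EXTERNAL_AUTH_KEYS = LEGACY_AUTH_KEYS | {"application-credential-id",
                                         "application-credential-name",
                                         "application-credential-secret"}
MISSING_PASSWORD = "You must provide a password to authenticate"
MISSING_APP_CRED_SECRET = "You must provide an application credential secret"


def auth_options(conf_text, provider):
    """Subset of [Global] that 'legacy' or 'external' would hand to gophercloud."""
    keys = EXTERNAL_AUTH_KEYS if provider == "external" else LEGACY_AUTH_KEYS
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    section = parser["Global"] if parser.has_section("Global") else {}
    return {k: v.strip('"') for k, v in section.items() if k in keys and v}


def token_request_error(opts):
    """Re-implementation of gophercloud's v3 token-request rule: an application
    credential needs its secret; any other user-based auth needs a password."""
    if opts.get("application-credential-id") or opts.get("application-credential-name"):
        return None if opts.get("application-credential-secret") else MISSING_APP_CRED_SECRET
    return None if opts.get("password") else MISSING_PASSWORD


def check(conf_text, provider):
    """None when the provider could build a token request, else the error text."""
    return token_request_error(auth_options(conf_text, provider))


# Constructed sample configs (placeholder endpoint and secrets, not real ones).
APP_CRED_CONF = """\
[Global]
auth-url = https://keystone.example.test:13000/v3
application-credential-id = 0123456789abcdef0123456789abcdef
application-credential-secret = constructed-secret
"""
PASSWORD_CONF = """\
[Global]
auth-url = https://keystone.example.test:13000/v3
username = openshift
password = constructed-password
tenant-name = openshift
domain-name = Default
"""
```

Running `check(APP_CRED_CONF, "legacy")` reproduces the error from the bug description, while the same config passes under `"external"`, which is the configuration Comment 8 recommends.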

Comment 9 Pierre Prinetti 2022-03-23 09:53:42 UTC
Closing as WONTFIX for 4.10 and earlier releases. Application credentials support is treated as an RFE and we target 4.11 for it (with the general availability of the external cloud provider).

