What problem/issue/behavior are you having trouble with? What do you expect to see?
While trying to install an OCP 4 cluster on OpenStack with application credentials, the cluster itself works fine, but it is not possible to provision volumes on Cinder, getting an error similar to:
Failed to provision volume with StorageClass "standard": unable to initialize cinder client for region: regionOne, err: cloud provider is not initialized: cannot initialize cloud provider using data from the secret: You must provide a password to authenticate.
The issue is mentioned by the following KB article: https://access.redhat.com/solutions/6020241
Thank you for reporting. We plan on tackling this during the 4.10 release cycle. See also https://issues.redhat.com/browse/OSASINFRA-1934
If I'm not mistaken, the problem is that the image-registry-operator verifies whether swift is available (https://github.com/openshift/cluster-image-registry-operator/blob/48485bb2206c8829b7b07904e3585816ed39485f/pkg/storage/storage.go#L162), which fails when used with application credentials (see https://bugzilla.redhat.com/show_bug.cgi?id=1991826), so it falls back to using cinder-based PVCs. The default storageClass, however, is the in-tree (non-CSI) cinder plugin, which does not consider application credentials (https://github.com/kubernetes/kubernetes/blob/2a88664eccdf02cd01777b48171873a028117737/staging/src/k8s.io/legacy-cloud-providers/openstack/openstack.go#L158-L173), causing gophercloud to error out (https://github.com/gophercloud/gophercloud/blob/513734676e6495f6fec60e7aaf1f86f1ce807428/auth_options.go#L201-L285).
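The failure path described in the comment above, as an added example that is not part of the original thread and is not the Kubernetes or gophercloud source. It is a simplified model: the type and function names (authOptions, cloudCreds, legacyAuth, externalAuth, validate) and the credential values are assumptions made for illustration; only the field names ApplicationCredentialID and ApplicationCredentialSecret and the error text follow gophercloud.

```go
package main

import (
	"errors"
	"fmt"
)

// authOptions is a simplified model (assumption), not gophercloud's own type.
type authOptions struct {
	Username, Password          string
	ApplicationCredentialID     string
	ApplicationCredentialSecret string
}

var errMissingPassword = errors.New("You must provide a password to authenticate")

// validate models the rule from the thread: a request without a password is
// accepted only when it carries an application credential ID and secret.
func validate(o authOptions) error {
	if o.Password != "" || (o.ApplicationCredentialID != "" && o.ApplicationCredentialSecret != "") {
		return nil
	}
	return errMissingPassword
}

// cloudCreds is a constructed stand-in for the data held in the credentials secret.
type cloudCreds struct {
	Username, Password, AppCredID, AppCredSecret string
}

// legacyAuth models the in-tree provider: application credential fields are never copied.
func legacyAuth(c cloudCreds) authOptions {
	return authOptions{Username: c.Username, Password: c.Password}
}

// externalAuth models the external provider and CSI driver: the fields are forwarded.
func externalAuth(c cloudCreds) authOptions {
	o := legacyAuth(c)
	o.ApplicationCredentialID = c.AppCredID
	o.ApplicationCredentialSecret = c.AppCredSecret
	return o
}

func main() {
	// Constructed sample: a secret that holds only an application credential.
	c := cloudCreds{AppCredID: "constructed-id", AppCredSecret: "constructed-secret"}
	fmt.Println("in-tree: ", validate(legacyAuth(c)))
	fmt.Println("external:", validate(externalAuth(c)))
}
```

With the same secret, the in-tree path reports the missing-password error seen in the provisioning failure while the forwarding path validates, which is why the comment points at the default storage class rather than at the credentials themselves.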
Removing the Triaged keyword because:
* the QE automation assessment (flag qe_test_coverage) is missing
Hello, let me try to summarize the situation and provide a way forward with this BZ.
- the in-tree cloud provider does not support application credentials [1]. It is currently in maintenance mode and we can't add new features to it.
- both the external cloud provider and the CSI drivers support application credentials [2]
- cluster-image-registry's swift integration also now works with application credentials thanks to https://github.com/openshift/cluster-image-registry-operator/pull/686
It means that when using External cloud provider and CSI migration things should work out of the box. This should become tech preview in 4.10 before becoming GA in a later release.
Clusters using the in-tree cloud provider may partially work with application credentials when using CSI, either by enabling CSI migration (still tech preview) or setting the standard-csi storage class as default, however they can't have Load Balancer integration. This also won't be a supported configuration.
I suggest we close the BZ as there is nothing we can do to support application credentials with the legacy cloud provider and instead follow https://issues.redhat.com/browse/OSASINFRA-2368 for the application credentials RFE.
[1] https://github.com/openshift/kubernetes/blob/fdb6e2b/staging/src/k8s.io/legacy-cloud-providers/openstack/openstack.go#L164-L180
[2] https://github.com/openshift/cloud-provider-openstack/blob/cab1ef2/pkg/client/client.go#L72-L74
Closing as WONTFIX for 4.10 and earlier releases. Application credentials support is treated as an RFE and we target 4.11 for it (with the general availability of the external cloud provider).