Bug 2035315 - invalid test cases for AWS passthrough mode
Summary: invalid test cases for AWS passthrough mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Credential Operator
Version: 4.10
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.10.0
Assignee: Nobody
QA Contact: wang lin
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-12-23 14:50 UTC by Joel Diaz
Modified: 2022-03-10 16:36 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-10 16:36:23 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cloud-credential-operator pull 438 0 None open Bug 2035315: fix passthrough test cases 2021-12-23 14:51:34 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:36:34 UTC

Description Joel Diaz 2021-12-23 14:50:20 UTC
Description of problem: There are test cases cover AWS passthrough mode that make incorrect assertions. The test cases only pass due to incorrect setup before the test is run.

https://github.com/openshift/cloud-credential-operator/blob/master/pkg/operator/credentialsrequest/credentialsrequest_controller_test.go#L650-L653


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Run test case "existing passthrough credential"
2. 
3.

Actual results:
Watch it pass even though the assertion isn't made that the target Secret contains the same contents as the original root secret


Expected results:
Should fail because in passthrough mode the target secret should have the same contents as the root secret.


Additional info:

Comment 2 wang lin 2021-12-28 08:38:22 UTC
Verified on 4.10.0-0.nightly-2021-12-23-153012

No function changes, Install an aws cluster with cco default mode and credential has passthrough permission , installation succeed, and test rotation root credentials no regression.

Comment 3 wang lin 2021-12-28 14:02:40 UTC
Read PR more carefully, Do more testing on ocp 4.10.0-0.nightly-2021-12-25-025639

1. Install an aws cluster with cco default mode and credential has passthrough permission , wait for installation successful

2. Patch root credentials with an insuffient one, check cco will set an error condition in CredentialsRequest status and won't update related secret data
$ oc get credentialsrequest -n openshift-cloud-credential-operator openshift-image-registry -o json | jq -r ".status.conditions"
[
  {
    "lastProbeTime": "2021-12-28T13:16:32Z",
    "lastTransitionTime": "2021-12-28T13:16:32Z",
    "message": "cloud creds are insufficient to satisfy CredentialsRequest",
    "reason": "CloudCredsInsufficient",
    "status": "True",
    "type": "InsufficientCloudCreds"
  }
]
$ oc get secret aws-creds -n kube-system -o json | jq -r .data
{
  "aws_access_key_id": "QUtJQVVNUUFIQ0pPRU9XXXXXXXX",
  "aws_secret_access_key": "N3lpeVJ4V0R6ekRUSXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}
[lwan@lwan Downloads]$ oc get secret ebs-cloud-credentials -n openshift-cluster-csi-drivers -o json | jq -r .data
{
  "aws_access_key_id": "QUtJQVVNUUFIQ0pPTlY2XXXXXXX",
  "aws_secret_access_key": "Y2ljd2N0bGswakZrSXl3SVXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "credentials": "W2RlZmF1bHRdCmF3c19hY2Nlc3NfXXXXXXXXXXXXXXXX"
}

3. Force cco mode to Passthrough, then cco will bypass credentials validation
oc patch cloudcredential cluster --type 'merge' -p '{"spec": {"credentialsMode": "Passthrough"}}'

4. Check cco will update related secret data directly
$ oc get secret aws-creds -n kube-system -o json | jq -r .data
{
  "aws_access_key_id": "QUtJQVVNUUFIQ0pPRU9XXXXXXXX",
  "aws_secret_access_key": "N3lpeVJ4V0R6ekRUSXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}
[lwan@lwan Downloads]$ oc get secret ebs-cloud-credentials -n openshift-cluster-csi-drivers -o json | jq -r .data
{
  "aws_access_key_id": "QUtJQVVNUUFIQ0pPRU9XXXXXXXX",
  "aws_secret_access_key": "N3lpeVJ4V0R6ekRUSXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
  "credentials": "W2RlZmF1bHRdCmF3c19hY2Nlc3NfXXXXXXXXXXXXXXXX"
}

Comment 8 errata-xmlrpc 2022-03-10 16:36:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056


Note You need to log in before you can comment on or make changes to this bug.