Hide Forgot
Description of problem: There are test cases cover AWS passthrough mode that make incorrect assertions. The test cases only pass due to incorrect setup before the test is run. https://github.com/openshift/cloud-credential-operator/blob/master/pkg/operator/credentialsrequest/credentialsrequest_controller_test.go#L650-L653 Version-Release number of selected component (if applicable): How reproducible: 100% Steps to Reproduce: 1. Run test case "existing passthrough credential" 2. 3. Actual results: Watch it pass even though the assertion isn't made that the target Secret contains the same contents as the original root secret Expected results: Should fail because in passthrough mode the target secret should have the same contents as the root secret. Additional info:
Verified on 4.10.0-0.nightly-2021-12-23-153012 No function changes, Install an aws cluster with cco default mode and credential has passthrough permission , installation succeed, and test rotation root credentials no regression.
Read PR more carefully, Do more testing on ocp 4.10.0-0.nightly-2021-12-25-025639 1. Install an aws cluster with cco default mode and credential has passthrough permission , wait for installation successful 2. Patch root credentials with an insuffient one, check cco will set an error condition in CredentialsRequest status and won't update related secret data $ oc get credentialsrequest -n openshift-cloud-credential-operator openshift-image-registry -o json | jq -r ".status.conditions" [ { "lastProbeTime": "2021-12-28T13:16:32Z", "lastTransitionTime": "2021-12-28T13:16:32Z", "message": "cloud creds are insufficient to satisfy CredentialsRequest", "reason": "CloudCredsInsufficient", "status": "True", "type": "InsufficientCloudCreds" } ] $ oc get secret aws-creds -n kube-system -o json | jq -r .data { "aws_access_key_id": "QUtJQVVNUUFIQ0pPRU9XXXXXXXX", "aws_secret_access_key": "N3lpeVJ4V0R6ekRUSXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" } [lwan@lwan Downloads]$ oc get secret ebs-cloud-credentials -n openshift-cluster-csi-drivers -o json | jq -r .data { "aws_access_key_id": "QUtJQVVNUUFIQ0pPTlY2XXXXXXX", "aws_secret_access_key": "Y2ljd2N0bGswakZrSXl3SVXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "credentials": "W2RlZmF1bHRdCmF3c19hY2Nlc3NfXXXXXXXXXXXXXXXX" } 3. Force cco mode to Passthrough, then cco will bypass credentials validation oc patch cloudcredential cluster --type 'merge' -p '{"spec": {"credentialsMode": "Passthrough"}}' 4. Check cco will update related secret data directly $ oc get secret aws-creds -n kube-system -o json | jq -r .data { "aws_access_key_id": "QUtJQVVNUUFIQ0pPRU9XXXXXXXX", "aws_secret_access_key": "N3lpeVJ4V0R6ekRUSXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" } [lwan@lwan Downloads]$ oc get secret ebs-cloud-credentials -n openshift-cluster-csi-drivers -o json | jq -r .data { "aws_access_key_id": "QUtJQVVNUUFIQ0pPRU9XXXXXXXX", "aws_secret_access_key": "N3lpeVJ4V0R6ekRUSXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" "credentials": "W2RlZmF1bHRdCmF3c19hY2Nlc3NfXXXXXXXXXXXXXXXX" }
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056