Description of problem:
0000_30_capi-operator_00_credentials-request.yaml should be ignored in "oc adm extract --credentials-requests"

Version-Release number of selected component (if applicable):
4.10.0-0.nightly-2021-12-23-153012

How reproducible:
With "oc adm release extract registry.ci.openshift.org/ocp/release:4.10.0-0.ci-2021-12-23-133912 --credentials-requests -a pull-secret"
Or add "--cloud azure"

Got 0000_30_capi-operator_00_credentials-request.yaml
  secretRef:
    name: azure-cloud-credentials
    namespace: openshift-cluster-api

When users follow Ref [1][2][3] to create a cluster with manual cco, Bootstrap failed with:
  failed to create some manifests: "0000_30_capi-operator_00_credentials-secret.yaml": failed to create secrets.v1./azure-cloud-credentials -n openshift-cluster-api: namespaces "openshift-cluster-api" not found

If ignored the openshift-cluster-api/azure-cloud-credentials credentials request, the install succeeded.

Expect: if the capi-operator has not yet been supported in 4.10, do not list the capi-operator credentials request in "oc adm extract --credentials-requests".

Platform: Azure, AWS, GCP

Ref:
[1] https://docs.openshift.com/container-platform/4.9/installing/installing_aws/manually-creating-iam.html
[2] https://docs.openshift.com/container-platform/4.9/installing/installing_azure/manually-creating-iam-azure.html
[3] https://docs.openshift.com/container-platform/4.9/installing/installing_gcp/manually-creating-iam-gcp.html
Hi, can you test on later builds? I think it should not be there.
(In reply to Alexander Demicev from comment #1)
> Hi, can you test on later builds? I think it should not be there.

Checked with the latest 4.10 version (release:4.10.0-0.nightly-2022-01-05-135407); it still has 0000_30_capi-operator_00_credentials-request.yaml
0000_30_capi-operator_00_credentials-request.yaml is a tech preview manifest, CVO will not apply it by default because it has release.openshift.io/feature-gate: "TechPreviewNoUpgrade" annotation. This also means that it will be present in a payload. I believe the fix should be either in cloud credentials operator or documentation.
$ oc adm release extract registry.ci.openshift.org/ocp/release:4.10.0-0.nightly-2022-01-22-102609 --credentials-requests -a ../pull-secret --cloud azure

still created 0000_30_capi-operator_00_credentials-request.yaml
  secretRef:
    name: azure-cloud-credentials
    namespace: openshift-cluster-api
Verified on 4.10.0-0.nightly-2022-01-24-020644.
Tested the ccoctl tool on AWS/GCP/IBMCloud/AlibabaCloud: ccoctl will ignore the CR with the "release.openshift.io/feature-gate: TechPreviewNoUpgrade" annotation by default. Using the --enable-tech-preview parameter enables operating on such CRs.

@jdiaz We also need to add docs to inform customers not to create static credentials for such feature-gate CredentialsRequests if they don't want to enable a TechPreviewNoUpgrade cluster; otherwise the installation will fail in the bootstrap process.
Yes. Perhaps an update to the existing docs with a note like: If you are installing a cluster with Tech Preview features, ensure that you process the list of CredentialsRequests with the '--enable-tech-preview' flag so that any necessary credentials are created for those components. cc @jrouth
I'm not sure why this is "needinfo", I think the info here is clear enough to do a docs fix. Clearing flag and will get the changes for providers that use ccoctl going.
Hi Jeana, there are two parts that reference manually creating IAM: one for manual + static mode [1], another for manual + sts mode, which uses the ccoctl tool [2]. We only fixed the ccoctl tool for this scenario, so it would be better to add a note for scenario [1], something like: if you don't want to enable tech preview features, please ignore CredentialsRequests with the "release.openshift.io/feature-gate: TechPreviewNoUpgrade" annotation and don't create secrets for them, otherwise the installation may fail.

[1] https://docs.openshift.com/container-platform/4.9/installing/installing_aws/manually-creating-iam.html#manually-create-iam_manually-creating-iam-aws
[2] https://docs.openshift.com/container-platform/4.9/authentication/managing_cloud_provider_credentials/cco-mode-sts.html
Thanks Lin! I think I misinterpreted Joel's statement: "If you are installing a cluster with Tech Preview features, ensure that you process the list of CredentialsRequests with the '--enable-tech-preview' flag so that any necessary credentials are created for those components." I thought he meant for ccoctl/STS, but you are saying ccoctl/STS is taken care of, and that this statement refers to manually processing cred requests when the user is doing it without the help of ccoctl then ("Manually creating IAM" topics)?
Ah my comment #13 is still wrong. It's the opposite user action. I will draft this and get it up so discussion is easier :)
Ok, I have a draft PR up for this. Turned out there was already an alternative approach done for ASH. Will tag Patrick Dillon (who added that bit) in the PR as well. Doc draft: https://github.com/openshift/openshift-docs/pull/42921
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056
Docs for this change are live. Example: https://docs.openshift.com/container-platform/4.10/installing/installing_aws/manually-creating-iam.html#manually-create-iam_manually-creating-iam-aws ("IMPORTANT" admonition in step 6)
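
For the manual + static case discussed in this thread, one way to separate CredentialsRequests carrying the TechPreviewNoUpgrade annotation from the rest before creating any secrets. This is an added example, not code from oc, ccoctl or the Cloud Credential Operator; the function names and the sample manifests are constructed, and the line-based annotation match is an assumption that holds for plain block-style YAML.

```python
import re
import sys
from pathlib import Path

# Annotation named in this thread; matched line by line (assumes block-style YAML).
GATE = re.compile(r'^[ \t]+release\.openshift\.io/feature-gate:[ \t]*'
                  r'["\']?TechPreviewNoUpgrade["\']?[ \t]*$', re.MULTILINE)
FIELD = r'^[ \t]+{key}:[ \t]*["\']?([^\s"\'#]+)'

# Constructed sample: one gated and one ordinary CredentialsRequest.
SAMPLE = """\
kind: CredentialsRequest
metadata:
  annotations:
    release.openshift.io/feature-gate: "TechPreviewNoUpgrade"
spec:
  secretRef:
    name: azure-cloud-credentials
    namespace: openshift-cluster-api
---
kind: CredentialsRequest
spec:
  secretRef:
    name: sample-credentials
    namespace: sample-namespace
"""

def secret_ref(doc):
    """Return (namespace, name) of the target secret, None where absent."""
    block = re.search(r'^([ \t]*)secretRef:[ \t]*\n((?:\1[ \t]+.*\n?)+)', doc, re.M)
    body = block.group(2) if block else ""
    found = [re.search(FIELD.format(key=k), body, re.M) for k in ("namespace", "name")]
    return tuple(m.group(1) if m else None for m in found)

def classify(text):
    """Return (default, tech_preview) lists of secretRefs from multi-document YAML."""
    default, tech_preview = [], []
    for doc in re.split(r'^---[ \t]*$', text, flags=re.M):
        if re.search(r'^kind:[ \t]*CredentialsRequest[ \t]*$', doc, re.M):
            (tech_preview if GATE.search(doc) else default).append(secret_ref(doc))
    return default, tech_preview

if __name__ == "__main__":
    text = SAMPLE
    if len(sys.argv) > 1:  # directory written by the extract command
        files = sorted(Path(sys.argv[1]).glob("*.yaml"))
        text = "\n---\n".join(f.read_text() for f in files)
    default, tech_preview = classify(text)
    for label, refs in (("create secret for", default), ("skip (tech preview)", tech_preview)):
        for ns, name in refs:
            print(f"{label} {ns}/{name}")
```

Run without arguments it classifies the constructed sample; given a directory of extracted manifests it lists which secretRefs need a secret and which belong to gated requests.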