Bug 2035903 - One redundant capi-operator credential requests in “oc adm extract --credentials-requests”
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Credential Operator
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.10.0
Assignee: Nobody
QA Contact: wang lin
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-12-28 12:38 UTC by MayXu
Modified: 2022-04-27 18:14 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-10 16:36:47 UTC
Target Upstream Version:
Embargoed:


Links
GitHub: openshift/cloud-credential-operator pull 444 (open), "Bug 2035903: ignore resources with feature-gate annotation", last updated 2022-01-17 22:41:51 UTC
Red Hat Product Errata: RHSA-2022:0056, last updated 2022-03-10 16:36:59 UTC

Description MayXu 2021-12-28 12:38:05 UTC
Description of problem:
0000_30_capi-operator_00_credentials-request.yaml should be ignored in "oc adm extract --credentials-requests"

Version-Release number of selected component (if applicable):
4.10.0-0.nightly-2021-12-23-153012 

How reproducible:
With "oc adm release extract registry.ci.openshift.org/ocp/release:4.10.0-0.ci-2021-12-23-133912 --credentials-requests -a pull-secret" (or with "--cloud azure" added),
got 0000_30_capi-operator_00_credentials-request.yaml:
  secretRef:
    name: azure-cloud-credentials
    namespace: openshift-cluster-api


When users follow Ref [1][2][3] to create a cluster with manual CCO, bootstrap failed with:
"failed to create some manifests: "0000_30_capi-operator_00_credentials-secret.yaml": failed to create secrets.v1./azure-cloud-credentials -n openshift-cluster-api: namespaces "openshift-cluster-api" not found"

If the openshift-cluster-api/azure-cloud-credentials credentials request is ignored, the install succeeds.

Expect: if the capi-operator is not yet supported in 4.10, do not list the capi-operator credentials request in "oc adm extract --credentials-requests".

Platform:  Azure, AWS, GCP

Ref:
[1] https://docs.openshift.com/container-platform/4.9/installing/installing_aws/manually-creating-iam.html
[2] https://docs.openshift.com/container-platform/4.9/installing/installing_azure/manually-creating-iam-azure.html
[3] https://docs.openshift.com/container-platform/4.9/installing/installing_gcp/manually-creating-iam-gcp.html

Comment 1 Alexander Demicev 2022-01-05 15:55:20 UTC
Hi, can you test on later builds? I think it should not be there.

Comment 2 MayXu 2022-01-05 16:12:30 UTC
(In reply to Alexander Demicev from comment #1)
> Hi, can you test on later builds? I think it should not be there.

Checked with the latest 4.10 version (release:4.10.0-0.nightly-2022-01-05-135407); it still has 0000_30_capi-operator_00_credentials-request.yaml.

Comment 3 Alexander Demicev 2022-01-17 17:29:22 UTC
0000_30_capi-operator_00_credentials-request.yaml is a tech preview manifest; CVO will not apply it by default because it has the release.openshift.io/feature-gate: "TechPreviewNoUpgrade" annotation. This also means that it will be present in the payload. I believe the fix should be either in the cloud credential operator or in documentation.

Comment 6 MayXu 2022-01-22 15:27:02 UTC
$ oc adm release extract registry.ci.openshift.org/ocp/release:4.10.0-0.nightly-2022-01-22-102609 --credentials-requests -a ../pull-secret --cloud azure

It still created 0000_30_capi-operator_00_credentials-request.yaml:
  secretRef:
    name: azure-cloud-credentials
    namespace: openshift-cluster-api

Comment 7 wang lin 2022-01-24 06:01:50 UTC
Verified on 4.10.0-0.nightly-2022-01-24-020644

Tested the ccoctl tool on AWS/GCP/IBMCloud/AlibabaCloud.

ccoctl will ignore CRs with the "release.openshift.io/feature-gate: TechPreviewNoUpgrade" annotation by default.

Using the --enable-tech-preview parameter enables operating on such CRs.

@jdiaz We also need to add docs to inform customers not to create static credentials for such feature-gated CredentialsRequests if they don't want to enable a TechPreviewNoUpgrade cluster; otherwise the installation will fail during the bootstrap process.

Comment 8 Joel Diaz 2022-01-28 13:28:18 UTC
Yes. Perhaps an update to the existing docs with a note like:

If you are installing a cluster with Tech Preview features, ensure that you process the list of CredentialsRequests with the '--enable-tech-preview' flag so that any necessary credentials are created for those components.

cc @jrouth

Comment 11 Jeana Routh 2022-03-04 21:26:04 UTC
I'm not sure why this is "needinfo", I think the info here is clear enough to do a docs fix. Clearing flag and will get the changes for providers that use ccoctl going.

Comment 12 wang lin 2022-03-07 02:01:46 UTC
Hi Jeana, there are two sections that cover manually creating IAM: one for manual + static mode [1], and another for manual + STS mode, which uses the ccoctl tool [2]. We only fixed the ccoctl tool for this scenario, so it would be better to add a note for scenario [1], something like: if you don't want to enable tech preview features, ignore CredentialsRequests with the "release.openshift.io/feature-gate: TechPreviewNoUpgrade" annotation and don't create secrets for them; otherwise the installation may fail.

[1] https://docs.openshift.com/container-platform/4.9/installing/installing_aws/manually-creating-iam.html#manually-create-iam_manually-creating-iam-aws
[2] https://docs.openshift.com/container-platform/4.9/authentication/managing_cloud_provider_credentials/cco-mode-sts.html
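The manual-mode workaround described in comment 12 (and the filtering that comment 7 says ccoctl does by default), as an added shell example that is not from this bug or from the cloud-credential-operator project: it sets aside every extracted CredentialsRequest manifest carrying the TechPreviewNoUpgrade feature-gate annotation so that no secrets are created for it. The sample manifests and file names are constructed, and the match assumes the annotation appears on one line, as quoted in comment 3.

```shell
#!/bin/sh
# Added example: set aside CredentialsRequest manifests gated behind
# TechPreviewNoUpgrade before creating secrets/IAM for the rest (manual mode).
FEATURE_GATE_RE='release\.openshift\.io/feature-gate:[[:space:]]*"?TechPreviewNoUpgrade"?'
# is_tech_preview_cr FILE: exit 0 if the manifest carries the feature-gate annotation
is_tech_preview_cr() {
    grep -Eq "$FEATURE_GATE_RE" "$1"
}
# partition_credreqs SRC_DIR SKIPPED_DIR: move gated manifests out of SRC_DIR into
# SKIPPED_DIR and print the paths that still need credentials created.
partition_credreqs() {
    src="$1"; skipped="$2"
    mkdir -p "$skipped"
    for f in "$src"/*.yaml; do
        [ -e "$f" ] || continue
        if is_tech_preview_cr "$f"; then
            mv "$f" "$skipped"/
        else
            printf '%s\n' "$f"
        fi
    done
}

# make_sample_dir DIR: constructed stand-in for the output of
# "oc adm release extract --credentials-requests" (not real payload content).
make_sample_dir() {
    mkdir -p "$1"
    cat > "$1/0000_30_capi-operator_00_credentials-request.yaml" <<'EOF'
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: capi-operator-sample
  annotations:
    release.openshift.io/feature-gate: "TechPreviewNoUpgrade"
spec:
  secretRef:
    name: azure-cloud-credentials
    namespace: openshift-cluster-api
EOF
    cat > "$1/0000_50_example-operator_credentials-request.yaml" <<'EOF'
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: example-operator
spec:
  secretRef:
    name: example-cloud-credentials
    namespace: openshift-example
EOF
}
```

Create secrets only for the paths partition_credreqs prints; the skipped directory holds the CredentialsRequests that need credentials only on a cluster that enables TechPreviewNoUpgrade.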

Comment 13 Jeana Routh 2022-03-07 14:42:55 UTC
Thanks Lin! 

I think I misinterpreted Joel's statement:

"If you are installing a cluster with Tech Preview features, ensure that you process the list of CredentialsRequests with the '--enable-tech-preview' flag so that any necessary credentials are created for those components."

I thought he meant for ccoctl/STS, but you are saying ccoctl/STS is taken care of, and that this statement refers to manually processing cred requests when the user is doing it without the help of ccoctl then ("Manually creating IAM" topics)?

Comment 15 Jeana Routh 2022-03-07 15:48:10 UTC
Ah my comment #13 is still wrong. It's the opposite user action. I will draft this and get it up so discussion is easier :)

Comment 16 Jeana Routh 2022-03-07 18:54:33 UTC
Ok, I have a draft PR up for this. Turned out there was already an alternative approach done for ASH. Will tag Patrick Dillon (who added that bit) in the PR as well.

Doc draft: https://github.com/openshift/openshift-docs/pull/42921

Comment 18 errata-xmlrpc 2022-03-10 16:36:47 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

Comment 19 Jeana Routh 2022-04-27 18:14:40 UTC
Docs for this change are live. Example:
https://docs.openshift.com/container-platform/4.10/installing/installing_aws/manually-creating-iam.html#manually-create-iam_manually-creating-iam-aws ("IMPORTANT" admonition in step 6)