Description of problem:
The CredentialsRequest manifests defined in https://github.com/openshift/cluster-capi-operator/blob/main/manifests/0000_30_capi-operator_00_credentials-request.yaml are missing the .spec.serviceAccountNames list. This means when running in STS credentials mode on AWS or workload-identity mode in GCP, the IAM Role / IAM ServiceAccount cannot be locked down to a specific k8s ServiceAccount inside the cluster.

Version-Release number of selected component (if applicable):
main branch

How reproducible:
100%

Steps to Reproduce:
1. View the CredentialsRequests objects in https://github.com/openshift/cluster-capi-operator/blob/main/manifests/0000_30_capi-operator_00_credentials-request.yaml
2.
3.

Actual results:
See that there is no .spec.serviceAccountNames for the AWS and GCP resources.

Expected results:
.spec.serviceAccountNames is filled out to specify any k8s ServiceAccounts that will be used for making AWS / GCP API calls.

Additional info:
*** Bug 2029833 has been marked as a duplicate of this bug. ***
I failed to realize we already had a bug open for this, but since I have already posted the patch and linked it with this BZ, I have marked the other as a duplicate. Other BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2029833
Verified on registry.ci.openshift.org/ocp/release:4.10.0-0.nightly-2022-01-05-224703

$ export RELEASE_IMAGE=registry.ci.openshift.org/ocp/release:4.10.0-0.nightly-2022-01-05-224703

### For gcp platform
$ oc adm release extract --credentials-requests --cloud=gcp --to=./credrequests-gcp $RELEASE_IMAGE
$ cat credrequests-gcp/0000_30_capi-operator_00_credentials-request.yaml | grep serviceAccountNames
  serviceAccountNames:

Running the command `./ccoctl gcp create-all --credentials-requests-dir credrequests-gcp --name lwan-gcp0106 --project openshift-qe --region us-central1 --output-dir gcp-secret` won't hit an error for the cluster-api CredentialsRequest.

### For aws platform
$ oc adm release extract --credentials-requests --cloud=aws --to=./credrequests-aws $RELEASE_IMAGE
$ cat credrequests-aws/0000_30_capi-operator_00_credentials-request.yaml | grep serviceAccountNames
  serviceAccountNames:

Running the command `./ccoctl aws create-all --credentials-requests-dir credrequests-aws/ --name lwan-aws-0106 --region us-east-2 --output-dir secret-aws` won't hit an error for the cluster-api CredentialsRequest.
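The description explains why the missing list matters (without .spec.serviceAccountNames the cloud-side IAM identity cannot be bound to specific in-cluster ServiceAccounts), and the verification above checks for it with a bare `grep serviceAccountNames`. The following Python script is an added example, not code from this bug report or from the cluster-capi-operator project. It checks extracted CredentialsRequest objects for a usable .spec.serviceAccountNames and goes one step beyond the grep: an empty list is reported as well, since it leaves the IAM role / workload-identity binding just as unrestricted as an absent key. The embedded manifests, names, namespaces and secret names are constructed sample data; the optional PyYAML loader is only needed when pointing it at real extracted files.

```python
"""Check CredentialsRequest manifests for .spec.serviceAccountNames.

Added example, not code from the bug report or from cluster-capi-operator.
Flags CredentialsRequest objects whose spec omits serviceAccountNames or
leaves it empty: without that list the AWS IAM role (STS mode) or GCP
service account (workload identity) cannot be bound to specific in-cluster
ServiceAccounts. All names, namespaces and secret names are constructed.
"""
import sys

PROVIDER_KINDS = ("AWSProviderSpec", "GCPProviderSpec")


def missing_service_account_names(cr):
    """True when a CredentialsRequest lacks a usable .spec.serviceAccountNames.

    An absent key and an empty list are both treated as missing; a bare
    `grep serviceAccountNames` on the manifest would pass the empty-list case.
    """
    spec = cr.get("spec") or {}
    names = spec.get("serviceAccountNames")
    if not isinstance(names, list) or not names:
        return True
    return not all(isinstance(n, str) and n.strip() for n in names)


def find_unscoped(manifests, provider_kinds=PROVIDER_KINDS):
    """Return metadata.name of every CredentialsRequest for the given
    providerSpec kinds that has no usable serviceAccountNames."""
    unscoped = []
    for cr in manifests:
        if not isinstance(cr, dict) or cr.get("kind") != "CredentialsRequest":
            continue
        spec = cr.get("spec") or {}
        if (spec.get("providerSpec") or {}).get("kind") not in provider_kinds:
            continue
        if missing_service_account_names(cr):
            unscoped.append(cr.get("metadata", {}).get("name", "<unnamed>"))
    return unscoped


def _cr(name, provider_kind, names=None):
    """Build a constructed CredentialsRequest dict (sample data only)."""
    spec = {
        "providerSpec": {
            "apiVersion": "cloudcredential.openshift.io/v1",
            "kind": provider_kind,
        },
        "secretRef": {"name": f"{name}-credentials", "namespace": "example-ns"},
    }
    if names is not None:
        spec["serviceAccountNames"] = names
    return {
        "apiVersion": "cloudcredential.openshift.io/v1",
        "kind": "CredentialsRequest",
        "metadata": {"name": name,
                     "namespace": "openshift-cloud-credential-operator"},
        "spec": spec,
    }


# Constructed sample set: the reported defect (key absent), an empty list that
# grep would miss, a correctly scoped request, and a provider kind this check
# is not asked to cover.
SAMPLE_MANIFESTS = [
    _cr("example-capi-aws-missing", "AWSProviderSpec"),
    _cr("example-capi-gcp-empty", "GCPProviderSpec", []),
    _cr("example-capi-aws-scoped", "AWSProviderSpec", ["example-capi-controller"]),
    _cr("example-capi-azure", "AzureProviderSpec"),
]


def load_manifest_file(path):
    """Parse a multi-document YAML file, such as one written by
    `oc adm release extract --credentials-requests`. Needs PyYAML."""
    import yaml  # optional dependency, imported only when reading real files
    with open(path) as fh:
        return [doc for doc in yaml.safe_load_all(fh) if doc]


if __name__ == "__main__":
    # With file arguments, check those manifests; otherwise run on the samples.
    manifests = SAMPLE_MANIFESTS
    if len(sys.argv) > 1:
        manifests = [cr for p in sys.argv[1:] for cr in load_manifest_file(p)]
    unscoped = find_unscoped(manifests)
    for name in unscoped:
        print(f"{name}: .spec.serviceAccountNames missing or empty")
    sys.exit(1 if unscoped else 0)
```

Run against the directories produced by `oc adm release extract --credentials-requests`, the script exits non-zero when any AWS or GCP CredentialsRequest would leave its cloud identity unbound to a ServiceAccount, which makes it usable as a release-gating check rather than a manual grep.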
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056