Bug 2037331 - Ensure the ccoctl behaviors are similar between aws and gcp on the existing resources
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Credential Operator
Version: 4.10
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
: 4.10.0
Assignee: Akhil Rane
QA Contact: wang lin
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-01-05 13:07 UTC by wang lin
Modified: 2022-03-10 16:37 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-10 16:37:09 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Github openshift cloud-credential-operator pull 441 0 None open Bug 2037331: Make ccoctl gracefully handle existing gcp workload identity resources 2022-01-12 21:18:27 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:37:23 UTC

Description wang lin 2022-01-05 13:07:23 UTC
Description:
When using ccoctl to create resources on aws and gcp with some of the resources already existing, it will use the existing ones on aws; conversely, it will throw an error on gcp.
###gcp###
$ ./ccoctl gcp create-all --credentials-requests-dir credrequests-gcp --name lwan-gcp0105 --project openshift-qe --region us-central1 --output-dir test-gcp-secret
2022/01/05 20:54:20 Credentials loaded from file "/home/lwan/.gcp/osServiceAccount.json"
2022/01/05 20:54:20 Using existing RSA keypair found at test-gcp-secret/serviceaccount-signer.private
2022/01/05 20:54:20 Copying signing key for use by installer
2022/01/05 20:54:23 Failed to create workload identity pool: failed to create workload identity pool lwan-gcp0105: googleapi: Error 409: Requested entity already exists, alreadyExists
###aws###
$ ./ccoctl aws create-all --credentials-requests-dir credrequests-aws/ --name lwan-aws-0105 --region us-east-2 --output-dir secret-aws
2022/01/05 21:05:14 Using existing RSA keypair found at secret-aws/serviceaccount-signer.private
2022/01/05 21:05:14 Copying signing key for use by installer
2022/01/05 21:05:15 Bucket lwan-aws-0105-oidc already exists and is owned by the user
2022/01/05 21:05:16 OpenID Connect discovery document in the S3 bucket lwan-aws-0105-oidc at .well-known/openid-configuration updated
2022/01/05 21:05:16 Reading public key
2022/01/05 21:05:16 JSON web key set (JWKS) in the S3 bucket lwan-aws-0105-oidc at keys.json updated
2022/01/05 21:05:18 Existing Identity Provider found with ARN: arn:aws:iam::301721915996:oidc-provider/lwan-aws-0105-oidc.s3.us-east-2.amazonaws.com
2022/01/05 21:05:18 Ignoring CredentialsRequest openshift-cloud-credential-operator/cr-test-stale as it is marked for in-cluster deletion
2022/01/05 21:05:19 Existing role arn:aws:iam::301721915996:role/lwan-aws-0105-openshift-machine-api-aws-cloud-credentials found
2022/01/05 21:05:19 Updated Role policy for Role lwan-aws-0105-openshift-machine-api-aws-cloud-credentials
2022/01/05 21:05:19 Existing role arn:aws:iam::301721915996:role/lwan-aws-0105-openshift-cloud-credential-operator-cloud-credenti found
2022/01/05 21:05:20 Updated Role policy for Role lwan-aws-0105-openshift-cloud-credential-operator-cloud-credenti
2022/01/05 21:05:20 Existing role arn:aws:iam::301721915996:role/lwan-aws-0105-openshift-image-registry-installer-cloud-credentia found
2022/01/05 21:05:20 Updated Role policy for Role lwan-aws-0105-openshift-image-registry-installer-cloud-credentia
2022/01/05 21:05:20 Existing role arn:aws:iam::301721915996:role/lwan-aws-0105-openshift-ingress-operator-cloud-credentials found
2022/01/05 21:05:21 Updated Role policy for Role lwan-aws-0105-openshift-ingress-operator-cloud-credentials
2022/01/05 21:05:21 Existing role arn:aws:iam::301721915996:role/lwan-aws-0105-openshift-cluster-csi-drivers-ebs-cloud-credential found
2022/01/05 21:05:21 Updated Role policy for Role lwan-aws-0105-openshift-cluster-csi-drivers-ebs-cloud-credential

How reproducible:
Always

Steps to Reproduce:
1. Run the ccoctl create command with the same name twice on both aws and gcp

Actual result:
The behaviors are different between aws and gcp

Expected result:
The behaviors would better be similar.
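
The AWS and GCP runs above differ only in how a create call on an already existing resource is handled. The following Go snippet is added here as an illustration and is not code from the ccoctl source or from PR 441: it shows the pattern that makes a create step idempotent, treating the HTTP 409 "alreadyExists" conflict as "adopt the existing pool" while every other API error still aborts the run. The apiError type, the poolCreator interface and the fakePools client are assumptions standing in for googleapi.Error and the real IAM client.

```go
package main

import (
	"errors"
	"fmt"
)

// apiError stands in for googleapi.Error (assumption: Code and Message suffice).
type apiError struct {
	Code    int
	Message string
}

func (e *apiError) Error() string { return fmt.Sprintf("googleapi: Error %d: %s", e.Code, e.Message) }

// isAlreadyExists matches the HTTP 409 "alreadyExists" conflict seen in the report.
func isAlreadyExists(err error) bool {
	var ae *apiError
	return errors.As(err, &ae) && ae.Code == 409
}

// poolCreator is a hypothetical minimal view of the workload identity pool API.
type poolCreator interface {
	CreatePool(name string) error
}

// ensurePool creates the pool or adopts the existing one, as the AWS path already
// does; it reports whether the pool pre-existed, and any error other than the
// 409 conflict is still returned to the caller.
func ensurePool(c poolCreator, name string) (bool, error) {
	switch err := c.CreatePool(name); {
	case err == nil:
		return false, nil
	case isAlreadyExists(err):
		return true, nil // second run: reuse the pool instead of failing
	default:
		return false, fmt.Errorf("failed to create workload identity pool %s: %w", name, err)
	}
}

// fakePools is an in-memory client used here in place of the real GCP API.
type fakePools struct{ pools map[string]bool }

func (f *fakePools) CreatePool(name string) error {
	if f.pools[name] {
		return &apiError{409, "Requested entity already exists, alreadyExists"}
	}
	f.pools[name] = true
	return nil
}
```

Note that a non-conflict error such as a 403 from the fake client would still surface, so permission problems are never masked as "already exists".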

Comment 2 wang lin 2022-01-14 04:56:52 UTC
Verified on registry.ci.openshift.org/ocp/release:4.10.0-0.ci-2022-01-14-034708

###
Running the command below twice won't throw an error.
$ ./ccoctl gcp create-all --credentials-requests-dir credrequests-gcp --name lwan-gcp0114 --project openshift-qe --region us-central1 --output-dir test-gcp-secret-3
2022/01/14 12:45:06 Credentials loaded from file "/home/lwan/.gcp/osServiceAccount.json"
2022/01/14 12:45:06 Generating RSA keypair
2022/01/14 12:45:09 Writing private key to test-gcp-secret-3/serviceaccount-signer.private
2022/01/14 12:45:09 Writing public key to test-gcp-secret-3/serviceaccount-signer.public
2022/01/14 12:45:09 Copying signing key for use by installer
2022/01/14 12:45:11 Workload identity pool lwan-gcp0114 already exists
2022/01/14 12:45:12 Bucket lwan-gcp0114-oidc already exists
2022/01/14 12:45:13 OpenID Connect discovery document in the S3 bucket lwan-gcp0114-oidc at .well-known/openid-configuration updated
2022/01/14 12:45:13 Reading public key
2022/01/14 12:45:14 JSON web key set (JWKS) in the S3 bucket lwan-gcp0114-oidc at keys.json updated
2022/01/14 12:45:14 Workload identity provider lwan-gcp0114 already exists in pool lwan-gcp0114
2022/01/14 12:45:26 Existing IAM service account lwan-gcp0114-openshift-gcp-ccm found
2022/01/14 12:45:28 Updated policy bindings for IAM service account lwan-gcp0114-openshift-gcp-ccm
2022/01/14 12:45:28 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-cloud-controller-manager-gcp-ccm-cloud-credentials-credentials.yaml
2022/01/14 12:45:40 Existing IAM service account lwan-gcp0114-openshift-cluster-api-gcp found
2022/01/14 12:45:41 Updated policy bindings for IAM service account lwan-gcp0114-openshift-cluster-api-gcp
2022/01/14 12:45:41 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-cluster-api-gcp-cloud-credentials-credentials.yaml
2022/01/14 12:45:52 Existing IAM service account lwan-gcp0114-openshift-machine-api-gcp found
2022/01/14 12:45:53 Updated policy bindings for IAM service account lwan-gcp0114-openshift-machine-api-gcp
2022/01/14 12:45:53 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-machine-api-gcp-cloud-credentials-credentials.yaml
2022/01/14 12:46:04 Existing IAM service account lwan-gcp0114-cloud-credential-operator-gcp-ro-creds found
2022/01/14 12:46:06 Updated policy bindings for IAM service account lwan-gcp0114-cloud-credential-operator-gcp-ro-creds
2022/01/14 12:46:06 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-cloud-credential-operator-cloud-credential-operator-gcp-ro-creds-credentials.yaml
2022/01/14 12:46:16 Existing IAM service account lwan-gcp0114-openshift-image-registry-gcs found
2022/01/14 12:46:19 Updated policy bindings for IAM service account lwan-gcp0114-openshift-image-registry-gcs
2022/01/14 12:46:19 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
2022/01/14 12:46:29 Existing IAM service account lwan-gcp0114-openshift-ingress-gcp found
2022/01/14 12:46:30 Updated policy bindings for IAM service account lwan-gcp0114-openshift-ingress-gcp
2022/01/14 12:46:30 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-ingress-operator-cloud-credentials-credentials.yaml
2022/01/14 12:46:41 Existing IAM service account lwan-gcp0114-openshift-gcp-pd-csi-driver-operator found
2022/01/14 12:46:42 Updated policy bindings for IAM service account lwan-gcp0114-openshift-gcp-pd-csi-driver-operator
2022/01/14 12:46:42 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-cluster-csi-drivers-gcp-pd-cloud-credentials-credentials.yaml

Comment 7 errata-xmlrpc 2022-03-10 16:37:09 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056
