Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2038405

Summary: openshift-e2e-aws-workers-rhel-workflow in CI step registry broken
Product: OpenShift Container Platform Reporter: Gabe Montero <gmontero>
Component: InstallerAssignee: Nobody <nobody>
Installer sub component: openshift-installer QA Contact: Gaoyun Pei <gpei>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: unspecified CC: adam.kaplan, anarayan, jstuever, jupierce, padillon, stbenjam, tsmetana
Version: 4.10   
Target Milestone: ---   
Target Release: 4.11.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
-
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-10 10:41:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Gabe Montero 2022-01-07 20:34:18 UTC 
The mirror.openshift.com change Justin Pierce announced with https://mailman-int.corp.redhat.com/archives/aos-devel/2021-December/msg00145.html changed the authentication method for the RPM mirror, and anything in CI using the openshift-e2e-aws-workers-rhel workflow permanently fails with repoquery's to mirror.openshift.com failing with a 401.

The workflow is defined at https://github.com/openshift/release/tree/master/ci-operator/step-registry/openshift/e2e/aws/workers-rhel

See https://k8s-testgrid.appspot.com/redhat-openshift-ocp-release-4.10-informing#periodic-ci-openshift-release-master-nightly-4.10-e2e-aws-workers-rhel7 for an example of the recent failures,

I learned of this auth change after emailing Justin, who in turn added Patrick Dillon and Jeremiah Stuever since they are listed in 
https://github.com/openshift/release/blob/master/ci-operator/step-registry/openshift/e2e/aws/workers-rhel/OWNERS

The details from Justin on what changes are needed are in that email, but I'll copy/paste those here for convenience.... I picked this BZ component given this step-registry item was introduced with https://issues.redhat.com/browse/CORS-1711

The authentication method for accessing anything under https://mirror.openshift.com/enterprise/* has changed from being certificate based to basic auth. The yum.repo.d configuration file needs to change.

[test]
name = test
baseurl = https://mirror.openshift.com/enterprise/.....
enabled = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 0
username = ....
password = ....

I can provide this username and password for you when you are ready if you provide me with a public key. The actual yum configuration file becomes secret at this point unless you somehow dynamically assemble it from other secrets containing just the username and password.
Comment 1 Gabe Montero 2022-01-07 20:42:48 UTC 
The "I" is "I can provide this username and password for you when you are ready if you provide me with a public key." is Justin Pierce :-)
Comment 2 Kiran Thyagaraja 2022-01-11 15:22:57 UTC 
*** Bug 2035100 has been marked as a duplicate of this bug. ***
Comment 3 Patrick Dillon 2022-01-13 18:53:10 UTC 
Kiran as working on this, but I am setting to blocker- as this affects CI and not the release image.
Comment 5 Gaoyun Pei 2022-02-12 07:08:25 UTC 
Yum repo updated for RHEL machines in CI, PR was merged, move bug to verified.
Comment 6 Patrick Dillon 2022-03-01 18:39:25 UTC 
*** Bug 2050170 has been marked as a duplicate of this bug. ***
Comment 10 errata-xmlrpc 2022-08-10 10:41:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069