Bug 2068180 - OCP UPI on AWS with STS enabled is breaking the Ingress operator
Summary: OCP UPI on AWS with STS enabled is breaking the Ingress operator
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.9
Hardware: x86_64
OS: Linux
Target Milestone: ---
Target Release: 4.11.0
Assignee: Rafael Fonseca
QA Contact: Yunfei Jiang
Depends On:
Reported: 2022-03-24 15:16 UTC by David Johnston
Modified: 2022-08-10 19:01 UTC
CC List: 8 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2022-08-10 11:01:08 UTC
Target Upstream Version:


System                     | ID             | Private | Priority | Status | Summary                                                   | Last Updated
Github openshift installer | pull 5974      | 0       | None     | open   | Bug 2068180: update doc for DNS and disconnected clusters | 2022-06-07 15:47:01 UTC
Red Hat Product Errata     | RHSA-2022:5069 | 0       | None     | None   | None                                                      | 2022-08-10 11:02:25 UTC

Internal Links: 2096434

Description David Johnston 2022-03-24 15:16:46 UTC
Description of problem:
The Ingress operator is trying to contact STS directly ("sts.amazonaws.com") as opposed to the configured VPC endpoint for the cluster. To be clear, this is not OK, as the cluster needs to be as air-gapped as possible. Also worth noting that other OCP components work fine with the STS VPC endpoint.

OpenShift release version:

Cluster Platform:

How reproducible:

Actual results:

Expected results:

Impact of the problem:

Additional info:
Support case: 03157778

** Please do not disregard the report template; filling the template out as much as possible will allow us to help you. Please consider attaching a must-gather archive (via `oc adm must-gather`). Please review must-gather contents for sensitive information before attaching any must-gathers to a bugzilla report.  You may also mark the bug private if you wish.

Comment 2 David Johnston 2022-03-25 13:46:41 UTC
Is there any possible known workaround for this in the meantime?

Comment 3 Miciah Dashiel Butler Masters 2022-03-29 15:38:48 UTC
After some discussion offline, this appears to be a configuration issue. Setting blocker-, low priority.

For disconnected clusters, OpenShift can be configured not to manage DNS, and the cluster administrator can configure DNS manually.  Use the following command to configure OpenShift not to manage DNS:

    oc patch dnses.config.openshift.io/cluster --type=merge --patch='{"spec":{"privateZone":null,"publicZone":null}}' 

We may need a documentation change for this issue.
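
As an added example (not a command from this bug report and not OpenShift code), the Python below mirrors what that `oc patch --type=merge` does to the object: `--type=merge` is an RFC 7386 JSON merge patch, in which a JSON `null` deletes the key. Running it against the output of `oc get dnses.config.openshift.io/cluster -o json` lets an administrator check offline that both zones are gone and that the operator will therefore no longer manage DNS records, which, per the comment above, means the ingress load balancer records then have to be created manually. The sample DNS object, its zone IDs and base domain are constructed for illustration.

```python
"""JSON merge patch (RFC 7386) applied to a dnses.config.openshift.io object.

Added example; it reproduces the effect of
  oc patch dnses.config.openshift.io/cluster --type=merge \
      --patch='{"spec":{"privateZone":null,"publicZone":null}}'
on the object so the result can be inspected without a cluster.
"""
import copy
import json

# Constructed sample of a cluster DNS config before the patch. The zone IDs and
# base domain are made up; a real object comes from
#   oc get dnses.config.openshift.io/cluster -o json
SAMPLE_DNS_CONFIG = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "DNS",
    "metadata": {"name": "cluster"},
    "spec": {
        "baseDomain": "example-cluster.example.com",
        "privateZone": {"id": "Z0PRIVATEZONEID"},
        "publicZone": {"id": "Z0PUBLICZONEID"},
    },
}
SAMPLE_DNS_CONFIG_JSON = json.dumps(SAMPLE_DNS_CONFIG)

# The patch body from the workaround in this bug, as a Python dict.
DROP_ZONES_PATCH = {"spec": {"privateZone": None, "publicZone": None}}


def json_merge_patch(target, patch):
    """Apply an RFC 7386 JSON merge patch and return a new document.

    A null in the patch deletes the key, nested objects recurse, and any other
    value replaces the target value. This is what `--type=merge` does.
    The input document is not modified.
    """
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = json_merge_patch(result.get(key), value)
    return result


def dns_zones_managed(dns_config):
    """Return the zone keys ('privateZone', 'publicZone') still set in spec.

    An empty set means OpenShift will not manage DNS records for the cluster,
    so the administrator must create the ingress records by hand.
    """
    spec = dns_config.get("spec") or {}
    return {k for k in ("privateZone", "publicZone") if spec.get(k) is not None}


def apply_workaround(dns_config_json):
    """Parse the JSON text of the DNS object, apply the workaround patch and
    return (patched_object, zones_still_managed)."""
    obj = json.loads(dns_config_json)
    patched = json_merge_patch(obj, DROP_ZONES_PATCH)
    return patched, dns_zones_managed(patched)


if __name__ == "__main__":
    before = dns_zones_managed(SAMPLE_DNS_CONFIG)
    patched, after = apply_workaround(SAMPLE_DNS_CONFIG_JSON)
    print("zones managed before patch:", sorted(before))
    print("zones managed after patch: ", sorted(after))
    print(json.dumps(patched["spec"], indent=2))
```

To check a real cluster, pipe `oc get dnses.config.openshift.io/cluster -o json` into `apply_workaround` before patching, or into `dns_zones_managed` afterwards; `baseDomain` is left untouched because the patch never mentions it.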

Comment 5 Patrick Dillon 2022-04-05 01:04:40 UTC
Moving this to the installer. We will update docs to indicate that disconnected clusters must drop the zones from the dns configs.

Comment 13 errata-xmlrpc 2022-08-10 11:01:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

