Bug 2117474 - ccoctl panics while trying to create a secret from credential request which does not have providerspec within it
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Credential Operator
Version: 4.12
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.12.0
Assignee: Nobody
QA Contact: Jianping SHu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-08-11 06:02 UTC by Karthik K N
Modified: 2023-01-17 19:55 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-01-17 19:54:46 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github https://github.com/openshift cloud-credential-operator pull 484 0 None None None 2022-08-11 06:02:37 UTC
Github openshift cloud-credential-operator pull 484 0 None open Fix panic when the Provider spec is empty in credential request 2022-08-11 06:02:37 UTC
Red Hat Product Errata RHSA-2022:7399 0 None None None 2023-01-17 19:55:07 UTC

Description Karthik K N 2022-08-11 06:02:37 UTC
Description of problem:
ccoctl binary panics while creating a secret from CR.


Version-Release number of selected component (if applicable):
4.12

How reproducible:

Try creating a secret from a credential request file which does not have providerSpec within it or which is wrongly indented.

Sample credential request file

[root@rdr-mdnnew2-6fc4-syd04-bastion-0 ccoctl]# cat reqs/cr.yaml 
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
name: powervs-block-csi-driver-operator
namespace: openshift-cloud-credential-operator
annotations:
 include.release.openshift.io/self-managed-high-availability: "true"
spec:
secretRef:
  name: ibm-powervs-cloud-credentials
  namespace: openshift-cluster-csi-drivers
providerSpec:
 apiVersion: cloudcredential.openshift.io/v1
 kind: IBMCloudPowerVSProviderSpec
 policies:
   - attributes:
       - name: serviceName
         value: power-iaas
     roles:
       - crn:v1:bluemix:public:iam::::role:Operator
       - crn:v1:bluemix:public:iam::::role:Editor
       - crn:v1:bluemix:public:iam::::role:Viewer
       - crn:v1:bluemix:public:iam::::serviceRole:Reader
       - crn:v1:bluemix:public:iam::::serviceRole:Manager
   - attributes:
       - name: resourceType
         value: resource-group
     roles:
       - crn:v1:bluemix:public:iam::::role:Viewer


Panic Message:


[root@rdr-mdnnew2-6fc4-syd04-bastion-0 ccoctl]# ./main ibmcloud create-service-id --name service1 --credentials-requests-dir reqs
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x7c2a44]

goroutine 1 [running]:
github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1.(*ProviderCodec).DecodeProviderSpec(0x629f8?, 0x0?, {0x1f23868?, 0xc0001a0a80?})
	/root/cso/cco/cloud-credential-operator/pkg/apis/cloudcredential/v1/codec.go:69 +0x54
github.com/openshift/cloud-credential-operator/pkg/cmd/provisioning/ibmcloud.(*ServiceID).Validate(0xc000033b60)
	/root/cso/cco/cloud-credential-operator/pkg/cmd/provisioning/ibmcloud/service_id.go:89 +0x74
github.com/openshift/cloud-credential-operator/pkg/cmd/provisioning/ibmcloud.createServiceIDs({0x1f382e8?, 0xc00079e0c0}, 0xc000430bf0, {0x7fffcfe2f569, 0x8}, {0x0?, 0xc000767ee8?}, {0x7fffcfe2f58d, 0x4}, {0xc000044104, ...}, ...)
	/root/cso/cco/cloud-credential-operator/pkg/cmd/provisioning/ibmcloud/create_service_id.go:118 +0x198
github.com/openshift/cloud-credential-operator/pkg/cmd/provisioning/ibmcloud.createServiceIDCmd(0xc000791900?, {0x1b584f5?, 0x4?, 0x4?})
	/root/cso/cco/cloud-credential-operator/pkg/cmd/provisioning/ibmcloud/create_service_id.go:81 +0x17c
github.com/spf13/cobra.(*Command).execute(0xc000791900, {0xc000543ec0, 0x4, 0x4})
	/root/cso/cco/cloud-credential-operator/vendor/github.com/spf13/cobra/command.go:856 +0x56c
github.com/spf13/cobra.(*Command).ExecuteC(0xc00075d180)
	/root/cso/cco/cloud-credential-operator/vendor/github.com/spf13/cobra/command.go:974 +0x36c
github.com/spf13/cobra.(*Command).Execute(...)
	/root/cso/cco/cloud-credential-operator/vendor/github.com/spf13/cobra/command.go:902
main.main()
	/root/cso/cco/cloud-credential-operator/cmd/ccoctl/main.go:27 +0x100

Comment 2 Jianping SHu 2022-08-11 14:17:07 UTC
Reproduced with the above cr.yaml (wrong indent for providerSpec) and old version ccoctl
[cloud-user@preserve-for-hive-test ]$ ccoctl ibmcloud create-service-id --name jshu-service1 --credentials-requests-dir ./reqs
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xc3bb6e]

goroutine 1 [running]:
github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1.(*ProviderCodec).DecodeProviderSpec(0x203000?, 0xc00087bb38?, {0x238d840?, 0xc00029b800?})
	/go/src/github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1/codec.go:69 +0x2e
github.com/openshift/cloud-credential-operator/pkg/cmd/provisioning/ibmcloud.(*ServiceID).Validate(0xc00029a600)
	/go/src/github.com/openshift/cloud-credential-operator/pkg/cmd/provisioning/ibmcloud/service_id.go:89 +0x79
github.com/openshift/cloud-credential-operator/pkg/cmd/provisioning/ibmcloud.createServiceIDs({0x23a1a70?, 0xc0006ff290}, 0xc0007c61a0, {0x7ffc0a43419e, 0xd}, {0x0?, 0xc00061fd90?}, {0x7ffc0a4341c7, 0x6}, {0xc0000440c4, ...}, ...)
	/go/src/github.com/openshift/cloud-credential-operator/pkg/cmd/provisioning/ibmcloud/create_service_id.go:118 +0x39e
github.com/openshift/cloud-credential-operator/pkg/cmd/provisioning/ibmcloud.createServiceIDCmd(0xc000704000?, {0x1fd52c4?, 0x4?, 0x4?})
	/go/src/github.com/openshift/cloud-credential-operator/pkg/cmd/provisioning/ibmcloud/create_service_id.go:81 +0x19c
github.com/spf13/cobra.(*Command).execute(0xc000704000, {0xc000454e80, 0x4, 0x4})
	/go/src/github.com/openshift/cloud-credential-operator/vendor/github.com/spf13/cobra/command.go:856 +0x67c
github.com/spf13/cobra.(*Command).ExecuteC(0xc0006c3680)
	/go/src/github.com/openshift/cloud-credential-operator/vendor/github.com/spf13/cobra/command.go:974 +0x3b4
github.com/spf13/cobra.(*Command).Execute(...)
	/go/src/github.com/openshift/cloud-credential-operator/vendor/github.com/spf13/cobra/command.go:902
main.main()
	/go/src/github.com/openshift/cloud-credential-operator/cmd/ccoctl/main.go:27 +0x12f


Verified with the above cr.yaml (wrong indent for providerSpec) and new version ccoctl extracted from 4.12.0-0.nightly-2022-08-11-131011
[cloud-user@preserve-for-hive-test ]$ ./ccoctl ibmcloud create-service-id --name jshu-service1 --credentials-requests-dir ./reqs
Error: Failed to validate the serviceID: Spec.ProviderSpec is empty in  credentials request
Usage:
  ccoctl ibmcloud create-service-id [flags]

Flags:
      --credentials-requests-dir string   Directory containing files of CredentialsRequests to create IAM Roles for (can be created by running 'oc adm release extract --credentials-requests --cloud=ibmcloud' against an OpenShift release image)
      --enable-tech-preview               Opt into processing CredentialsRequests marked as tech-preview
  -h, --help                              help for create-service-id
      --name string                       User-defined name for all created IBM Cloud resources (can be separate from the cluster's infra-id)
      --output-dir string                 Directory to place generated files (defaults to current directory)
      --resource-group-name string        Name of the resource group used for scoping the access policies

2022/08/11 10:10:12 Failed to validate the serviceID: Spec.ProviderSpec is empty in  credentials request
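
The failure and the guarded behaviour shown in this comment, as an added Go example that is not code from the cloud-credential-operator repository: a providerSpec that sits outside spec is silently dropped by the decoder, leaving a nil pointer that an unguarded dereference turns into a panic. The types, function names, error text and inputs are simplified, hypothetical stand-ins, and JSON is used in place of YAML because the Go standard library has no YAML parser.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Simplified stand-in for CredentialsRequest (assumed shape, not the project's type).
type credentialsRequest struct {
	Spec struct {
		ProviderSpec *json.RawMessage `json:"providerSpec"` // stays nil when absent under spec
	} `json:"spec"`
}
type providerSpec struct{ Kind string `json:"kind"` }

// Constructed inputs: JSON equivalents of cr.yaml with providerSpec mis-nested and nested correctly.
const misNested = `{"spec":{"secretRef":{"name":"ibm-powervs-cloud-credentials"}},"providerSpec":{"kind":"IBMCloudPowerVSProviderSpec"}}`
const wellFormed = `{"spec":{"secretRef":{"name":"ibm-powervs-cloud-credentials"},"providerSpec":{"kind":"IBMCloudPowerVSProviderSpec"}}}`

func load(doc string) (cr credentialsRequest, err error) {
	err = json.Unmarshal([]byte(doc), &cr)
	return
}

// kindUnchecked dereferences ProviderSpec with no guard; the panic is recovered only so it can be shown.
func kindUnchecked(cr credentialsRequest) (kind string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered panic: %v", r)
		}
	}()
	var ps providerSpec
	err = json.Unmarshal(*cr.Spec.ProviderSpec, &ps) // nil pointer dereference when providerSpec is missing
	return ps.Kind, err
}

// kindChecked rejects a missing providerSpec with an ordinary error before touching the pointer.
func kindChecked(cr credentialsRequest) (string, error) {
	if cr.Spec.ProviderSpec == nil {
		return "", errors.New("spec.providerSpec is empty in credentials request")
	}
	return kindUnchecked(cr)
}

func main() {
	bad, _ := load(misNested)
	fmt.Println(kindUnchecked(bad))
	fmt.Println(kindChecked(bad))
}
```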

Comment 6 errata-xmlrpc 2023-01-17 19:54:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399

