Bug
Resolution: Unresolved
Critical
None
4.20, 4.21, 4.22
Description of problem:
A HostedCluster that uses a ControlPlaneOperator version > 4.19.z fails to reconcile when the Secrets Store CSI driver is installed on the Management Cluster.
Version-Release number of selected component (if applicable):
How reproducible:
Every Time
Steps to Reproduce:
1. Create a non-ARO HCP management cluster
2. Install Secrets Store CSI Operator
3. Install Hypershift Operator > 4.19.19
4. Create a Hosted Cluster with the ControlPlaneOperator > 4.19.19
Actual results:
The kube-apiserver will never be created. The following will be observed in the logs:
W1117 20:26:10.464488 1 reflector.go:569] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:108: failed to list *v1.SecretProviderClass: secretproviderclasses.secrets-store.csi.x-k8s.io is forbidden: User "system:serviceaccount:clusters-test-cluster:control-plane-operator" cannot list resource "secretproviderclasses" in API group "secrets-store.csi.x-k8s.io" in the namespace "clusters-test-cluster"
E1117 20:26:10.464557 1 reflector.go:166] "Unhandled Error" err="sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:108: Failed to watch *v1.SecretProviderClass: failed to list *v1.SecretProviderClass: secretproviderclasses.secrets-store.csi.x-k8s.io is forbidden: User \"system:serviceaccount:clusters-test-cluster:control-plane-operator\" cannot list resource \"secretproviderclasses\" in API group \"secrets-store.csi.x-k8s.io\" in the namespace \"clusters-test-cluster\"" logger="UnhandledError"
Expected results:
The control plane should be created as normal.
Additional info:
This is partially due to the way that the v2 Component framework in the control plane operator registers components and how RBAC for those components is applied.
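Triage helper for the log entries under "Actual results", added here as an example and not part of the original report or the HyperShift code base: it extracts each RBAC denial from the controller log and builds the matching `kubectl auth can-i` check. The names `Denial`, `parse_denials` and `can_i_command` are hypothetical, and the sample input is constructed from the two entries quoted above.

```python
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample: the two log entries quoted in this report, one per line.
SAMPLE_LOG = r'''W1117 20:26:10.464488 1 reflector.go:569] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:108: failed to list *v1.SecretProviderClass: secretproviderclasses.secrets-store.csi.x-k8s.io is forbidden: User "system:serviceaccount:clusters-test-cluster:control-plane-operator" cannot list resource "secretproviderclasses" in API group "secrets-store.csi.x-k8s.io" in the namespace "clusters-test-cluster"
E1117 20:26:10.464557 1 reflector.go:166] "Unhandled Error" err="sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:108: Failed to watch *v1.SecretProviderClass: failed to list *v1.SecretProviderClass: secretproviderclasses.secrets-store.csi.x-k8s.io is forbidden: User \"system:serviceaccount:clusters-test-cluster:control-plane-operator\" cannot list resource \"secretproviderclasses\" in API group \"secrets-store.csi.x-k8s.io\" in the namespace \"clusters-test-cluster\"" logger="UnhandledError"'''

class Denial(NamedTuple):
    user: str
    verb: str
    resource: str
    api_group: str   # "" for the core API group
    namespace: str   # "" for cluster-scoped requests

# Authorizer message; quotes are backslash-escaped when nested inside err="...".
_Q = r'\\?"'
FORBIDDEN = re.compile(
    rf'User {_Q}(?P<user>[^"\\]+){_Q} cannot (?P<verb>\w+) resource {_Q}(?P<resource>[^"\\]+){_Q}'
    rf' in API group {_Q}(?P<api_group>[^"\\]*){_Q}'
    rf'(?: in the namespace {_Q}(?P<namespace>[^"\\]+){_Q})?'
)

def parse_denials(log_text: str) -> Counter:
    """Count distinct RBAC denials, so repeated reflector retries collapse to one row."""
    hits = Counter()
    for line in log_text.splitlines():
        for m in FORBIDDEN.finditer(line):
            hits[Denial(m["user"], m["verb"], m["resource"],
                        m["api_group"], m["namespace"] or "")] += 1
    return hits

def can_i_command(d: Denial) -> list[str]:
    """Build the `kubectl auth can-i` check for this denial (caller needs impersonation rights)."""
    target = f"{d.resource}.{d.api_group}" if d.api_group else d.resource
    cmd = ["kubectl", "auth", "can-i", d.verb, target, f"--as={d.user}"]
    if d.namespace:
        cmd += ["-n", d.namespace]
    return cmd

if __name__ == "__main__":
    for denial, count in parse_denials(SAMPLE_LOG).items():
        print(count, " ".join(can_i_command(denial)))
```

Running the generated check on the management cluster before and after any RBAC change confirms whether the service account has gained the missing `list` permission.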