OpenShift Cloud Credential Operator
CCO-392

CCO tries to create existing target Secret in STS mode

    • Type: Bug
    • Resolution: Done
    • Priority: Major

      Install an STS cluster. Enable the "AWSSecurityTokenService" feature gate.

       

      Create a dummy CR like the following:

      apiVersion: cloudcredential.openshift.io/v1
      kind: CredentialsRequest
      metadata:
        name: test-cr
        namespace: openshift-cloud-credential-operator
      spec:
        providerSpec:
          apiVersion: cloudcredential.openshift.io/v1
          kind: AWSProviderSpec
          statementEntries:
          - action:
            - ec2:CreateTags
            effect: Allow
            resource: '*'
          stsIAMRoleARN: whatever
        secretRef:
          name: test-secret
          namespace: default
        serviceAccountNames:
        - default 

       

      After the target Secret is created, set .spec.cloudTokenPath = /some/random/path on CredentialsRequest/test-cr. 

       

      The controller is unable to update the cloudTokenPath in the target Secret as it already exists:

      oc logs cloud-credential-operator-d78f4b68c-mrdqt -n openshift-cloud-credential-operator -c cloud-credential-operator | grep -i "running sync" -B 3 -A 11
      
      time="2023-07-02T16:31:22Z" level=debug msg="timed token access cluster detected: true, so not trying to provision with root secret" controller=credreq cr=openshift-cloud-credential-operator/test-cr secret=default/test-secret
      time="2023-07-02T16:31:22Z" level=debug msg="running Exists" actuator=aws cr=openshift-cloud-credential-operator/test-cr
      time="2023-07-02T16:31:22Z" level=debug msg="target secret exists" actuator=aws cr=openshift-cloud-credential-operator/test-cr
      time="2023-07-02T16:31:22Z" level=debug msg="running sync" actuator=aws cr=openshift-cloud-credential-operator/test-cr
      time="2023-07-02T16:31:22Z" level=debug msg="running Exists" actuator=aws cr=openshift-cloud-credential-operator/test-cr
      time="2023-07-02T16:31:22Z" level=debug msg="target secret exists" actuator=aws cr=openshift-cloud-credential-operator/test-cr
      time="2023-07-02T16:31:22Z" level=warning msg="secret did not have expected key: aws_access_key_id, will be regenerated" actuator=aws cr=openshift-cloud-credential-operator/test-cr
      time="2023-07-02T16:31:22Z" level=warning msg="secret did not have expected key: aws_secret_access_key" actuator=aws cr=openshift-cloud-credential-operator/test-cr
      time="2023-07-02T16:31:22Z" level=info msg="Secret credentials key needs updating, will update Secret contents" actuator=aws cr=openshift-cloud-credential-operator/test-cr
      time="2023-07-02T16:31:22Z" level=info msg="stsFeatureGateEnabled: true" actuator=aws cr=openshift-cloud-credential-operator/test-cr
      time="2023-07-02T16:31:22Z" level=info msg="stsDetected: true" actuator=aws cr=openshift-cloud-credential-operator/test-cr
      time="2023-07-02T16:31:22Z" level=debug msg="actuator detected STS enabled cluster, enabling STS secret brokering for CredentialsRequests providing an IAM Role ARN" actuator=aws cr=openshift-cloud-credential-operator/test-cr
      time="2023-07-02T16:31:22Z" level=info msg="creating secret" actuator=aws cr=openshift-cloud-credential-operator/test-cr
      time="2023-07-02T16:31:22Z" level=error msg="error creating secret" actuator=aws cr=openshift-cloud-credential-operator/test-cr
      time="2023-07-02T16:31:22Z" level=error msg="unexpected error while syncing credentialsrequest: secrets \"test-secret\" already exists" controller=credreq cr=openshift-cloud-credential-operator/test-cr secret=default/test-secret 

      In the new STS mode (cf. https://issues.redhat.com/browse/CCO-366), CCO decides between creating and updating the target Secret based on whether it already exists: the Secret is created only if it does not exist yet, and updated otherwise. Under the hood (https://github.com/openshift/cloud-credential-operator/blob/0c629a5d0fcd1065ad6bda6a8d03976090178af4/pkg/operator/credentialsrequest/credentialsrequest_controller.go#L671) either the Create() or the Update() function is called.

       

      The two aforementioned functions do the same thing, as both call the same sync function, in which CCO calls createSTSSecret().

       

      However, createSTSSecret() fails when the target Secret already exists, so the target Secret can never be updated once it has been created.
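      The failure mode above, reduced to a small standalone Go model. This is an added example, not code from the cloud-credential-operator repository: the in-memory SecretStore stands in for the API server (its Create() refuses to overwrite, as the real one does), the CredentialsRequest struct carries only the three fields that feed the STS Secret, the placeholder role ARN is constructed, and the shared-config profile layout written into the "credentials" key is an assumption of this example. syncBuggy reproduces the report (every sync calls Create, so a cloudTokenPath change can never land), while syncFixed is the idempotent get-then-create-or-update shape the controller needs, including the race where another writer creates the Secret between the Get and the Create.

```go
package main

import (
	"errors"
	"fmt"
)

// Errors modelled on the API server responses that matter here.
var (
	ErrAlreadyExists = errors.New("secrets already exists")
	ErrNotFound      = errors.New("secrets not found")
)

// Secret is a minimal stand-in for corev1.Secret (constructed for this example).
type Secret struct {
	Name string
	Data map[string]string
}

// SecretStore is an in-memory stand-in for the API server. Create() refuses to
// overwrite an existing object, exactly the behaviour the bug trips over.
type SecretStore struct{ secrets map[string]Secret }

func NewSecretStore() *SecretStore { return &SecretStore{secrets: map[string]Secret{}} }

func clone(s Secret) Secret {
	d := make(map[string]string, len(s.Data))
	for k, v := range s.Data {
		d[k] = v
	}
	return Secret{Name: s.Name, Data: d}
}

func (st *SecretStore) Create(s Secret) error {
	if _, ok := st.secrets[s.Name]; ok {
		return ErrAlreadyExists
	}
	st.secrets[s.Name] = clone(s)
	return nil
}

func (st *SecretStore) Get(name string) (Secret, error) {
	s, ok := st.secrets[name]
	if !ok {
		return Secret{}, ErrNotFound
	}
	return clone(s), nil
}

func (st *SecretStore) Update(s Secret) error {
	if _, ok := st.secrets[s.Name]; !ok {
		return ErrNotFound
	}
	st.secrets[s.Name] = clone(s)
	return nil
}

// CredentialsRequest carries only the CR fields that feed the STS Secret.
type CredentialsRequest struct {
	SecretName     string
	STSIAMRoleARN  string
	CloudTokenPath string
}

// desiredSTSSecret renders the Secret the controller wants: an AWS shared-config
// profile naming the role and the projected token file (layout is an assumption).
func desiredSTSSecret(cr CredentialsRequest) Secret {
	profile := fmt.Sprintf("[default]\nrole_arn = %s\nweb_identity_token_file = %s\n",
		cr.STSIAMRoleARN, cr.CloudTokenPath)
	return Secret{Name: cr.SecretName, Data: map[string]string{"credentials": profile}}
}

// syncBuggy reproduces the report: every sync calls Create(), so any resync
// after the Secret exists fails with AlreadyExists and cloudTokenPath is stale.
func syncBuggy(store *SecretStore, cr CredentialsRequest) error {
	return store.Create(desiredSTSSecret(cr))
}

// syncFixed is an idempotent create-or-update: create only when absent, update
// only when the rendered content differs, and report which path was taken.
func syncFixed(store *SecretStore, cr CredentialsRequest) (string, error) {
	desired := desiredSTSSecret(cr)
	existing, err := store.Get(cr.SecretName)
	if errors.Is(err, ErrNotFound) {
		if err := store.Create(desired); errors.Is(err, ErrAlreadyExists) {
			// Lost a race between Get and Create; the next reconcile takes the Update path.
			return "requeue", nil
		} else if err != nil {
			return "", err
		}
		return "created", nil
	}
	if err != nil {
		return "", err
	}
	if existing.Data["credentials"] == desired.Data["credentials"] {
		return "unchanged", nil
	}
	return "updated", store.Update(desired)
}

func main() {
	store := NewSecretStore()
	cr := CredentialsRequest{
		SecretName:     "test-secret",
		STSIAMRoleARN:  "arn:aws:iam::123456789012:role/example", // placeholder ARN
		CloudTokenPath: "/var/run/secrets/openshift/serviceaccount/token",
	}
	action, _ := syncFixed(store, cr)
	fmt.Println("first sync:", action)
	cr.CloudTokenPath = "/some/random/path" // the edit from the reproduction steps
	fmt.Println("buggy resync:", syncBuggy(store, cr))
	action, _ = syncFixed(store, cr)
	fmt.Println("fixed resync:", action)
	s, _ := store.Get(cr.SecretName)
	fmt.Print(s.Data["credentials"])
}
```

      Running the model walks the reproduction steps: the first sync creates test-secret, changing cloudTokenPath then makes syncBuggy return the same "already exists" error as in the log, while syncFixed updates the Secret in place and a further sync reports "unchanged". Comparing rendered content before calling Update also keeps the reconciler from generating a write, and an audit event, on every loop.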

              skuznets@redhat.com Steve Kuznetsov (Inactive)
              fxierh Feilian Xie
              Feilian Xie Feilian Xie