FlightPath / FLPATH-2891

install-helm-chart.sh storage credentials secret name regression causes ingress pod CreateContainerConfigError

      Description

      The install-helm-chart.sh script creates storage credentials secrets with an incorrect naming pattern, causing deployment failures. This is a regression introduced during the chart rename from "ros-helm-chart" to "cost-onprem-chart".

      Impact

      • Severity: High - Blocks installation on OpenShift with JWT authentication enabled
      • Affected Component: insights-ros-ingress pod
      • Symptom: Pod fails with CreateContainerConfigError: secret "cost-onprem-ros-ocp-storage-credentials" not found
      • Installation hangs: The wait_for_pods function keeps waiting for the pod to become ready until its 900s timeout expires

      Root Cause

      The script's create_storage_credentials_secret() function has incorrect fullname calculation logic that doesn't match the Helm chart's actual fullname template.

      Script Creates: cost-onprem-storage-credentials
      Helm Chart Expects: cost-onprem-ros-ocp-storage-credentials

      Regression History

        1. Original Bug: Secret naming mismatch existed in early versions
        2. Fixed in PR #14 (Oct 13, 2025): commit c253190 "fix: align secret naming with Helm chart fullname template"
           • PR: https://github.com/insights-onprem/cost-onprem-chart/pull/14
           • Author: jordigilh
           • Fix: Changed secret name to ${HELM_RELEASE_NAME}-ros-ocp-storage-credentials
        3. Regression Introduced: Chart rename commits (291b59f, 187108f) reverted the fix
           • The script logic was changed to calculate fullname dynamically
           • New logic assumes fullname is either ${HELM_RELEASE_NAME} or ${HELM_RELEASE_NAME}-cost-onprem
           • Does not account for ros-ocp in the middle of the fullname

      Current Buggy Code (lines 357-364)

      local chart_name="cost-onprem"
      local fullname
      if [[ "$HELM_RELEASE_NAME" == *"$chart_name"* ]]; then
          fullname="$HELM_RELEASE_NAME"  # Results in "cost-onprem"
      else
          fullname="${HELM_RELEASE_NAME}-${chart_name}"
      fi
      local secret_name="${fullname}-storage-credentials"  # Results in "cost-onprem-storage-credentials"
      

      Expected Code (from PR #14 fix)

      local secret_name="${HELM_RELEASE_NAME}-ros-ocp-storage-credentials"
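
The mismatch can be reproduced offline. The sketch below is an added example, not code from install-helm-chart.sh: it restates the regressed and fixed naming rules as POSIX sh functions (`case` stands in for the script's `[[ ... ]]` glob test) and checks each result against the secret name the ingress pod references. The function names are assumptions; the secret names are the ones quoted in this issue.

```shell
#!/bin/sh
# Added example: compares the secret name each rule produces with the
# name the ingress pod references.

CHART_NAME="cost-onprem"

# Name produced by the regressed logic (lines 357-364 of the script).
regressed_secret_name() {
    case "$1" in
        *"$CHART_NAME"*) fullname="$1" ;;
        *)               fullname="$1-$CHART_NAME" ;;
    esac
    printf '%s-storage-credentials\n' "$fullname"
}

# Name produced by the PR #14 fix.
fixed_secret_name() {
    printf '%s-ros-ocp-storage-credentials\n' "$1"
}

# Print every name in $1 (secrets the pods reference) that is absent from
# $2 (secrets present in the namespace). Both are newline-separated lists.
missing_secrets() {
    printf '%s\n' "$1" | while IFS= read -r want; do
        [ -n "$want" ] || continue
        printf '%s\n' "$2" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Constructed input, built from the names quoted in this issue.
REFERENCED="cost-onprem-ros-ocp-storage-credentials"
OTHER_SECRETS="cost-onprem-odf-credentials
cost-onprem-ros-ocp-db-credentials
cost-onprem-ros-ocp-sources-credentials"

# Secrets present once the script has run with naming rule $1 for release $2.
present_with() {
    printf '%s\n%s\n' "$OTHER_SECRETS" "$("$1" "$2")"
}

for rule in regressed_secret_name fixed_secret_name; do
    missing=$(missing_secrets "$REFERENCED" "$(present_with "$rule" cost-onprem)")
    echo "$rule: creates $("$rule" cost-onprem); missing: ${missing:-none}"
done
```

On a live cluster the two lists passed to missing_secrets would come from the deployment spec and from `oc get secrets` instead of the constructed variables.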
      

      Steps to Reproduce

        1. Deploy on OpenShift cluster with ODF
        2. Set JWT_AUTH_ENABLED=true
        3. Run: export JWT_AUTH_ENABLED=true && ./install-helm-chart.sh
        4. Observe the ingress pod fails with CreateContainerConfigError
        5. Check pod description: oc describe pod -n cost-onprem [ingress-pod-name]

      Evidence

      Pod Status:

      cost-onprem-ros-ocp-ingress-889b69c5c-59697   1/2   CreateContainerConfigError   0   29m
      

      Error from pod events:

      Error: secret "cost-onprem-ros-ocp-storage-credentials" not found
      

      Actual secrets created:

      $ oc get secrets -n cost-onprem | grep credential
      cost-onprem-odf-credentials                 Opaque               2      29m
      cost-onprem-ros-ocp-db-credentials          Opaque               3      29m
      cost-onprem-ros-ocp-sources-credentials     Opaque               1      29m
      cost-onprem-storage-credentials             Opaque               2      29m  ← Created by script
      

      Notice the pattern: All Helm-created secrets use cost-onprem-ros-ocp-* prefix, but the script creates cost-onprem-storage-credentials.

      Workaround

      Manually copy the secret with the correct name:

      oc get secret cost-onprem-storage-credentials -n cost-onprem -o yaml | \
        sed 's/cost-onprem-storage-credentials/cost-onprem-ros-ocp-storage-credentials/' | \
        oc apply -f -
      

      Then wait for the pod to restart and pick up the correct secret.

      Proposed Fix

      Revert to the PR #14 fix by updating scripts/install-helm-chart.sh line 364:

      # Replace the current logic with the fixed version:
      local secret_name="${HELM_RELEASE_NAME}-ros-ocp-storage-credentials"
      

      This matches the Helm chart's fullname template which consistently uses ${HELM_RELEASE_NAME}-ros-ocp as the base name for all resources.

      Environment Details

      • Repository: https://github.com/insights-onprem/cost-onprem-chart
      • Git Commit: e5d6a2d1b82d0fcaf8594cfae217f61209c10cc2
      • Chart Version: v0.1.8-41-ge5d6a2d
      • OpenShift Version: 4.18.26
      • Kubernetes Version: v1.31.13
      • Helm Release Name: cost-onprem (default)
      • Namespace: cost-onprem (default)
      • Platform: OpenShift
      • JWT Auth: Enabled
      • Storage: ODF (OpenShift Data Foundation)

      Related Issues/PRs

              rh-ee-masayag Moti Asayag
              chadcrum Chad Crum