OpenShift Bugs / OCPBUGS-11093

[azure] Install fails when setting diskEncryptionSet under defaultMachinePlatform/controlPlane/compute without subscriptionId


      This is a clone of issue OCPBUGS-8449. The following is the description of the original issue:

      Description of problem:

      Configure diskEncryptionSet as below in install-config.yaml, and do not set subscriptionID, as it is an optional parameter.
      
      install-config.yaml
      --------------------------------
      compute:
      - architecture: amd64
        hyperthreading: Enabled
        name: worker
        platform:
          azure:
            encryptionAtHost: true
            osDisk:
              diskEncryptionSet:
                resourceGroup: jima07a-rg
                name: jima07a-des
        replicas: 3
      controlPlane:
        architecture: amd64
        hyperthreading: Enabled
        name: master
        platform:
          azure:
            encryptionAtHost: true
            osDisk:
              diskEncryptionSet:
                resourceGroup: jima07a-rg
                name: jima07a-des
        replicas: 3
      platform:
        azure:
          baseDomainResourceGroupName: os4-common
          cloudName: AzurePublicCloud
          outboundType: Loadbalancer
          region: centralus
          defaultMachinePlatform:
            osDisk:
              diskEncryptionSet:
                resourceGroup: jima07a-rg
                name: jima07a-des
      
      Then create the manifest files and create the cluster; the installer failed with this error:
      $ ./openshift-install create cluster --dir ipi --log-level debug
      ...
      INFO Credentials loaded from file "/home/fedora/.azure/osServicePrincipal.json" 
      FATAL failed to fetch Terraform Variables: failed to fetch dependency of "Terraform Variables": failed to generate asset "Platform Provisioning Check": platform.azure.defaultMachinePlatform.osDisk.diskEncryptionSet: Invalid value: azure.DiskEncryptionSet{SubscriptionID:"", ResourceGroup:"jima07a-rg", Name:"jima07a-des"}: failed to get disk encryption set: compute.DiskEncryptionSetsClient#Get: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidSubscriptionId" Message="The provided subscription identifier 'resourceGroups' is malformed or invalid." 
      
      Checked the manifest file cluster-config.yaml and found that subscriptionId is not filled in automatically under defaultMachinePlatform:
      $ cat cluster-config.yaml
      apiVersion: v1
      data:
        install-config: |
          additionalTrustBundlePolicy: Proxyonly
          apiVersion: v1
          baseDomain: qe.azure.devcluster.openshift.com
          compute:
          - architecture: amd64
            hyperthreading: Enabled
            name: worker
            platform:
              azure:
                encryptionAtHost: true
                osDisk:
                  diskEncryptionSet:
                    name: jima07a-des
                    resourceGroup: jima07a-rg
                    subscriptionId: 53b8f551-f0fc-4bea-8cba-6d1fefd54c8a
                  diskSizeGB: 0
                  diskType: ""
                osImage:
                  offer: ""
                  publisher: ""
                  sku: ""
                  version: ""
                type: ""
            replicas: 3
          controlPlane:
            architecture: amd64
            hyperthreading: Enabled
            name: master
            platform:
              azure:
                encryptionAtHost: true
                osDisk:
                  diskEncryptionSet:
                    name: jima07a-des
                    resourceGroup: jima07a-rg
                    subscriptionId: 53b8f551-f0fc-4bea-8cba-6d1fefd54c8a
                  diskSizeGB: 0
                  diskType: ""
                osImage:
                  offer: ""
                  publisher: ""
                  sku: ""
                  version: ""
                type: ""
            replicas: 3
          metadata:
            creationTimestamp: null
            name: jimadesa
          networking:
            clusterNetwork:
            - cidr: 10.128.0.0/14
              hostPrefix: 23
            machineNetwork:
            - cidr: 10.0.0.0/16
            networkType: OVNKubernetes
            serviceNetwork:
            - 172.30.0.0/16
          platform:
            azure:
              baseDomainResourceGroupName: os4-common
              cloudName: AzurePublicCloud
              defaultMachinePlatform:
                osDisk:
                  diskEncryptionSet:
                    name: jima07a-des
                    resourceGroup: jima07a-rg
                  diskSizeGB: 0
                  diskType: ""
                osImage:
                  offer: ""
                  publisher: ""
                  sku: ""
                  version: ""
                type: ""
              outboundType: Loadbalancer
              region: centralus
          publish: External
      
      It works well when setting disk encryption set without subscriptionId under defaultMachinePlatform or controlPlane/compute.

      Version-Release number of selected component (if applicable):

      4.13.0-0.nightly-2023-03-05-104719

      How reproducible:

      Always on 4.11, 4.12, 4.13

      Steps to Reproduce:

      1. Prepare install-config, configure diskEncryptionSet under defaultMachinePlatform, controlPlane and compute without subscriptionId
      2. Install cluster
      

      Actual results:

      Cluster is installed successfully

      Expected results:

      installer failed

      Additional info:

       

       

       

       

              jhixson_redhat John Hixson
              openshift-crt-jira-prow OpenShift Prow Bot
              Jinyun Ma Jinyun Ma
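An added example, not the installer's code: a pre-flight defaulting pass over the three `diskEncryptionSet` locations from the report, showing why a blank `SubscriptionID` can surface as the subscription identifier `resourceGroups`. The helper names, the placeholder subscription ID, and the assumption that the service skips the empty path segment are illustrative and not taken from the project.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// DiskEncryptionSet carries the three fields shown in the installer's error message.
type DiskEncryptionSet struct{ SubscriptionID, ResourceGroup, Name string }

// resourceID builds the ARM resource path for a disk encryption set.
func resourceID(d DiskEncryptionSet) string {
	return fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/diskEncryptionSets/%s",
		d.SubscriptionID, d.ResourceGroup, d.Name)
}

// subscriptionSegment returns the segment after "subscriptions", skipping empty
// segments (assumption: the service ignores the empty one left by a blank ID).
func subscriptionSegment(id string) string {
	parts := strings.FieldsFunc(id, func(r rune) bool { return r == '/' })
	for i, p := range parts {
		if strings.EqualFold(p, "subscriptions") && i+1 < len(parts) {
			return parts[i+1]
		}
	}
	return ""
}

// fillSubscription (hypothetical helper) sets the credential's subscription on
// every set that omits it and returns the sorted config paths it changed.
func fillSubscription(sets map[string]*DiskEncryptionSet, defaultSub string) []string {
	var filled []string
	for path, d := range sets {
		if d != nil && d.SubscriptionID == "" {
			d.SubscriptionID = defaultSub
			filled = append(filled, path)
		}
	}
	sort.Strings(filled)
	return filled
}

// sampleSets is constructed to match the rendered cluster-config.yaml in the
// report: only defaultMachinePlatform lacks a subscription ID.
func sampleSets(sub string) map[string]*DiskEncryptionSet {
	return map[string]*DiskEncryptionSet{
		"compute[0].platform.azure.osDisk.diskEncryptionSet":             {sub, "jima07a-rg", "jima07a-des"},
		"controlPlane.platform.azure.osDisk.diskEncryptionSet":           {sub, "jima07a-rg", "jima07a-des"},
		"platform.azure.defaultMachinePlatform.osDisk.diskEncryptionSet": {"", "jima07a-rg", "jima07a-des"},
	}
}

func main() {
	const sub = "00000000-0000-0000-0000-000000000000" // constructed placeholder
	sets := sampleSets(sub)
	fmt.Println("filled:", fillSubscription(sets, sub))
}
```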