OpenShift Bugs / OCPBUGS-13624

[ccoctl] AWS China s3 endpoint is not correct


    Type: Bug
    Priority: Critical
    Resolution: Duplicate
    Affects Version/s: 4.13.0, 4.12.z, 4.11.z, 4.10.z, 4.14.0
    Other field values as exported (field labels not preserved): Critical, No, Proposed, False

      Description of problem:

      The correct endpoint is s3.<region>.amazonaws.com.cn. By simply searching for %s.s3.%s.amazonaws.com in the CCO repo, I found that some hard-coded values [1][2][3][4] are being used.
      
      This will cause:
      * ccoctl aws create-all without --create-private-s3-bucket
      2023/05/15 02:06:12 Generating RSA keypair
      2023/05/15 02:06:14 Writing private key to awscn-cr/serviceaccount-signer.private
      2023/05/15 02:06:14 Writing public key to awscn-cr/serviceaccount-signer.public
      2023/05/15 02:06:14 Copying signing key for use by installer
      2023/05/15 02:06:20 Bucket js-awscn-oidc created
      2023/05/15 02:06:21 OpenID Connect discovery document in the S3 bucket js-awscn-oidc at .well-known/openid-configuration updated
      2023/05/15 02:06:21 Reading public key
      2023/05/15 02:06:22 JSON web key set (JWKS) in the S3 bucket js-awscn-oidc at keys.json updated
      2023/05/15 02:06:27 Failed to create Identity provider: failed to get fingerprint: dial tcp: lookup js-awscn-oidc.s3.cn-north-1.amazonaws.com on 10.11.5.19:53: no such host
      
      * ccoctl aws create-all with --create-private-s3-bucket
      2023/05/15 02:10:20 Generating RSA keypair
      2023/05/15 02:10:22 Writing private key to awscn2-cr/serviceaccount-signer.private
      2023/05/15 02:10:22 Writing public key to awscn2-cr/serviceaccount-signer.public
      2023/05/15 02:10:22 Copying signing key for use by installer
      2023/05/15 02:10:29 Bucket js-awscn2-oidc created
      2023/05/15 02:10:36 CloudFront origin access identity created with ID EVBG3EU7J3SX3, waiting 30s for it to become active
      2023/05/15 02:11:12 Failed to create Identity provider: failed to add policy for the bucket js-awscn2-oidc: MalformedPolicy: Invalid principal in policy
              status code: 400, request id: 7M7NC6VPHSFJ0WHJ, host id: /6c0HLoGdDDqgE8J1N6O3XUNEb/ltRgizBqu3t/HsxHmYWmjv4kDDy/UXdHP3IZY3S3VXI3qjWc=
      
      [1] https://github.com/openshift/cloud-credential-operator/blob/master/pkg/cmd/provisioning/aws/create_identity_provider.go#L118-L119
      [2] https://github.com/openshift/cloud-credential-operator/blob/master/pkg/cmd/provisioning/aws/create_identity_provider.go#L136
      [3] https://github.com/openshift/cloud-credential-operator/blob/master/pkg/cmd/provisioning/aws/create_identity_provider.go#L433
      [4] https://github.com/openshift/cloud-credential-operator/blob/master/pkg/cmd/provisioning/aws/create_identity_provider.go#L565
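The failures above come from building AWS hostnames and ARNs with the commercial-partition constants (amazonaws.com, arn:aws:...) for every region. The following is an added example, not code from the cloud-credential-operator repository, showing how a partition-aware helper would derive the S3 bucket host, the OIDC issuer URL and the CloudFront origin access identity principal ARN from the region. The region-prefix to partition mapping, the legacyBucketHost function that reproduces the hard-coded pattern, and the CloudFront OAI principal ARN format used for the non-commercial partitions are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Partition holds the two partition-specific values that differ between
// AWS commercial, AWS China and AWS GovCloud: the ARN prefix and the DNS suffix.
type Partition struct {
	Name      string // ARN partition, e.g. "aws", "aws-cn", "aws-us-gov"
	DNSSuffix string // endpoint DNS suffix, e.g. "amazonaws.com", "amazonaws.com.cn"
}

// partitionForRegion maps a region name to its partition by prefix.
// Assumption for this example: "cn-" and "us-gov-" are the only
// prefixes that select a non-commercial partition.
func partitionForRegion(region string) (Partition, error) {
	switch {
	case region == "":
		return Partition{}, errors.New("region must not be empty")
	case strings.HasPrefix(region, "cn-"):
		return Partition{Name: "aws-cn", DNSSuffix: "amazonaws.com.cn"}, nil
	case strings.HasPrefix(region, "us-gov-"):
		return Partition{Name: "aws-us-gov", DNSSuffix: "amazonaws.com"}, nil
	default:
		return Partition{Name: "aws", DNSSuffix: "amazonaws.com"}, nil
	}
}

// legacyBucketHost reproduces the hard-coded pattern the bug report cites:
// the DNS suffix is always amazonaws.com, which is wrong for cn-* regions.
func legacyBucketHost(bucket, region string) string {
	return fmt.Sprintf("%s.s3.%s.amazonaws.com", bucket, region)
}

// s3BucketHost returns the virtual-hosted-style S3 hostname for the bucket,
// using the DNS suffix of the partition the region belongs to.
func s3BucketHost(bucket, region string) (string, error) {
	if bucket == "" {
		return "", errors.New("bucket must not be empty")
	}
	p, err := partitionForRegion(region)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s.s3.%s.%s", bucket, region, p.DNSSuffix), nil
}

// oidcIssuerURL is the HTTPS issuer URL that the identity provider must be
// able to resolve and fetch; a wrong suffix yields the "no such host" error.
func oidcIssuerURL(bucket, region string) (string, error) {
	host, err := s3BucketHost(bucket, region)
	if err != nil {
		return "", err
	}
	u := url.URL{Scheme: "https", Host: host}
	return u.String(), nil
}

// cloudFrontOAIPrincipalARN builds the bucket-policy principal for a
// CloudFront origin access identity. Assumption for this example: the
// principal keeps the documented commercial format with only the partition
// segment changed, which is what a China-region bucket policy expects.
func cloudFrontOAIPrincipalARN(region, oaiID string) (string, error) {
	if oaiID == "" {
		return "", errors.New("origin access identity ID must not be empty")
	}
	p, err := partitionForRegion(region)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("arn:%s:iam::cloudfront:user/CloudFront Origin Access Identity %s", p.Name, oaiID), nil
}

func main() {
	// Constructed inputs taken from the bug report's log excerpt.
	bucket, region, oai := "js-awscn-oidc", "cn-north-1", "EVBG3EU7J3SX3"
	fmt.Println("hard-coded host:", legacyBucketHost(bucket, region))
	host, _ := s3BucketHost(bucket, region)
	fmt.Println("partition-aware host:", host)
	issuer, _ := oidcIssuerURL(bucket, region)
	fmt.Println("issuer URL:", issuer)
	arn, _ := cloudFrontOAIPrincipalARN(region, oai)
	fmt.Println("OAI principal:", arn)
}
```

Running this for cn-north-1 shows the hard-coded pattern producing the unresolvable js-awscn-oidc.s3.cn-north-1.amazonaws.com from the log, while the partition-aware version produces the .amazonaws.com.cn host and an arn:aws-cn principal; commercial regions are unaffected because their partition values match the old constants.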

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-05-12-121801
       

      How reproducible:

      Always
       

      Steps to Reproduce:

      1. Run command ./ccoctl aws create-all --name=<sts-name> --create-private-s3-bucket --region=cn-north-1 --credentials-requests-dir=./credrequests-aws --output-dir awscn2-cr on AWS China regions
      

      Actual results:

      Failed to create Identity provider
       

      Expected results:

      Create resources successfully.
       

      Additional info:

       

              People: Jeremiah Stuever (jstuever@redhat.com), Yunfei Jiang (yunjiang-1), Jianping Shu