Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-15467

Ingress Controller is missing a required AWS resource permission for SC2S region us-isob-east-1

XMLWordPrintable

    • Moderate
    • None
    • 2
    • Sprint 238, Sprint 239, Sprint 240
    • 3
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      Previously, the Ingress Operator did not include an Amazon Web Services (AWS) permission in its cloud credentials request. This impacted the management of domain name system (DNS) records in the Commercial Cloud Services (C2S) ` us-iso-east-1` and Secret Commercial Cloud Services (SC2S) `us-isob-east-1` AWS Regions. For example, if you installed an {product-title} cluster in the C2S or SC2S AWS Region, the Ingress Operator failed to publish DNS records for the Route 53 service and you would receive an error message similar to the following example:

      [source,terminal]
      ----
      The DNS provider failed to ensure the record: failed to find hosted zone for record: failed to get tagged resources: AccessDenied: User: [...] is not authorized to perform: route53:ListTagsForResources on resource: [...]
      ----

      The {product-title} {product-version} release fixes this issue by adding the `route53:ListTagsForResources` permission to any Ingress Operator's cloud credentials request, so that the operator can publish DNS records in the previously stated AWS Regions for the Route 53 service.

      (link:https://issues.redhat.com/browse/OCPBUGS-15467[OCPBUGS-15434])
      Show
      Previously, the Ingress Operator did not include an Amazon Web Services (AWS) permission in its cloud credentials request. This impacted the management of domain name system (DNS) records in the Commercial Cloud Services (C2S) ` us-iso-east-1` and Secret Commercial Cloud Services (SC2S) `us-isob-east-1` AWS Regions. For example, if you installed an {product-title} cluster in the C2S or SC2S AWS Region, the Ingress Operator failed to publish DNS records for the Route 53 service and you would receive an error message similar to the following example: [source,terminal] ---- The DNS provider failed to ensure the record: failed to find hosted zone for record: failed to get tagged resources: AccessDenied: User: [...] is not authorized to perform: route53:ListTagsForResources on resource: [...] ---- The {product-title} {product-version} release fixes this issue by adding the `route53:ListTagsForResources` permission to any Ingress Operator's cloud credentials request, so that the operator can publish DNS records in the previously stated AWS Regions for the Route 53 service. (link: https://issues.redhat.com/browse/OCPBUGS-15467 [ OCPBUGS-15434 ])
    • Bug Fix
    • Done

      Description of problem:

      Ingress Controller is missing a required AWS resource permission for SC2S region us-isob-east-1
      
      During the OpenShift 4 installation in SC2S region us-isob-east-1, the ingress operator degrades due to missing "route53:ListTagsForResources" permission from the "openshift-ingress" CredentialsRequest for which customer proactively raised a PR.
      --> https://github.com/openshift/cluster-ingress-operator/pull/868
      
      The code disables part of the logic for C2S isolated regions here: https://github.com/openshift/cluster-ingress-operator/blob/d9d1a2b44cc7955a18fbedfdc973daddba67bccd/pkg/dns/aws/dns.go#L167-L168
      By not setting tagConfig, it results in the m.tags field to be set nil: https://github.com/openshift/cluster-ingress-operator/blob/d9d1a2b44cc7955a18fbedfdc973daddba67bccd/pkg/dns/aws/dns.go#L212-L222
      This then drives the logic in the getZoneID method to use either lookupZoneID or lookupZoneIDWithoutResourceTagging: https://github.com/openshift/cluster-ingress-operator/blob/d9d1a2b44cc7955a18fbedfdc973daddba67bccd/pkg/dns/aws/dns.go#L280-L284
      BLAB: the lookupZoneIDWithoutResourceTagging method is only ever called for endpoints.AwsIsoPartitionID, endpoints.AwsIsoBPartitionID regions.

      Version-Release number of selected component (if applicable):

       

      How reproducible:

      Everytime

      Steps to Reproduce:

      1. Create an IPI cluster in  SC2S region us-isob-east-1.
      

      Actual results:

      Ingress operator degrades due to missing "route53:ListTagsForResources" permission with following error.
      ~~~
      The DNS provider failed to ensure the record: failed to find hosted zone for record: failed to get tagged resources: AccessDenied: User ....... rye... is not authorized to perform: route53:ListTagsForResources on resource.... hostedzone/.. because no identify based policy allows the route53:ListTagsForResources
      ~~~

      Expected results:

      Ingress operator should be in available state for new installation.

      Additional info:

       

              mmasters1@redhat.com Miciah Masters
              rhn-support-aygarg Ayush Garg
              Melvin Joseph Melvin Joseph
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: