OpenShift Bugs: OCPBUGS-15976

[Azure] in Azure workload identity cluster the ingress DNS record failed to be published to public zone


    • Bug
    • Resolution: Not a Bug
    • Critical
    • 4.14.0
    • Networking / router
    • Important
    • Sprint 239
    • Proposed

      Description of problem:

      In an Azure workload identity cluster, the ingress DNS record failed to be published to the public zone.

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-07-05-191022

      How reproducible:

      100%

      Steps to Reproduce:

      1. Install an Azure cluster configured for manual mode with Azure Workload Identity
      (see https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitems?query=OCP-64892)

      2. Check the dnsrecords of default-wildcard:
      $ oc -n openshift-ingress-operator get dnsrecords default-wildcard -oyaml


      Actual results:

      The DNS record is published to the private zone but failed to be published to the public zone.
      
      $ oc -n openshift-ingress-operator get dnsrecords default-wildcard -oyaml
      <---snip--->
      spec:
        dnsManagementPolicy: Managed
        dnsName: '*.apps.mihuang0710.qe.azure.devcluster.openshift.com.'
        recordTTL: 30
        recordType: A
        targets:
        - 20.186.x.x
      status:
        observedGeneration: 1
        zones:
        - conditions:
          - lastTransitionTime: "2023-07-10T01:59:08Z"
            message: The DNS provider succeeded in ensuring the record
            reason: ProviderSuccess
            status: "True"
            type: Published
          dnsZone:
            id: /subscriptions/xxxxx/resourceGroups/mihuang0710/providers/Microsoft.Network/privateDnsZones/mihuang0710.qe.azure.devcluster.openshift.com
        - conditions:
          - lastTransitionTime: "2023-07-10T01:59:19Z"
            message: 'The DNS provider failed to ensure the record: failed to update dns
              a record: *.apps.mihuang0710.qe.azure.devcluster.openshift.com: dns.RecordSetsClient#CreateOrUpdate:
              Failure responding to request: StatusCode=403 -- Original Error: autorest/azure:
              Service returned an error. Status=403 Code="AuthorizationFailed" Message="The
              client ''cbbc2e50-a33e-493a-b9bb-xxxxx'' with object id ''cbbc2e50-a33e-493a-b9bb-xxxxx''
              does not have authorization to perform action ''Microsoft.Network/dnsZones/A/write''
              over scope ''/subscriptions/xxxxx/resourceGroups/os4-common/providers/Microsoft.Network/dnsZones/qe.azure.devcluster.openshift.com/A/*.apps.mihuang0710''
              or the scope is invalid. If access was recently granted, please refresh your
              credentials."'
            reason: ProviderError
            status: "False"
            type: Published
          dnsZone:
            id: /subscriptions/xxxxx/resourceGroups/os4-common/providers/Microsoft.Network/dnszones/qe.azure.devcluster.openshift.com

      Expected results:

      Ingress DNS records should be published to the public zone.
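      A triage helper, added here as an example and not part of the bug report or of the ingress operator: it walks the DNSRecord status shown above (embedded as a constructed sample, with ids redacted as in the report), extracts from the 403 which principal was denied which action on which scope, and separates the private zone in the cluster resource group, which published, from the public zone in os4-common, which did not. That resource-group split is the thing to check: a role assignment scoped to the cluster's resource group does not cover a public zone that lives in another one. The DNS Zone Contributor role named in the code is an Azure built-in role, assumed here as the usual fix.

```python
import re

# Constructed sample: the DNSRecord from the report above, trimmed, in the shape `oc get ... -o json` returns.
SAMPLE_RECORD = {"status": {"zones": [
    {"dnsZone": {"id": "/subscriptions/xxxxx/resourceGroups/mihuang0710/providers/"
                       "Microsoft.Network/privateDnsZones/mihuang0710.qe.azure.devcluster.openshift.com"},
     "conditions": [{"type": "Published", "status": "True", "reason": "ProviderSuccess",
                     "message": "The DNS provider succeeded in ensuring the record"}]},
    {"dnsZone": {"id": "/subscriptions/xxxxx/resourceGroups/os4-common/providers/"
                       "Microsoft.Network/dnszones/qe.azure.devcluster.openshift.com"},
     "conditions": [{"type": "Published", "status": "False", "reason": "ProviderError",
                     "message": "The DNS provider failed to ensure the record: ... StatusCode=403 "
                                "Code=\"AuthorizationFailed\" Message=\"The client "
                                "'cbbc2e50-a33e-493a-b9bb-xxxxx' with object id "
                                "'cbbc2e50-a33e-493a-b9bb-xxxxx' does not have authorization to "
                                "perform action 'Microsoft.Network/dnsZones/A/write' over scope "
                                "'/subscriptions/xxxxx/resourceGroups/os4-common/providers/"
                                "Microsoft.Network/dnsZones/qe.azure.devcluster.openshift.com/"
                                "A/*.apps.mihuang0710' or the scope is invalid.\""}]},
]}}

# Principal, denied action and scope from an Azure AuthorizationFailed message;
# accepts plain quoting ('x') and the doubled quoting (''x'') that `-o yaml` shows.
AUTHZ_RE = re.compile(
    r"object id ''?(?P<principal>[^']+)''? does not have authorization to perform action "
    r"''?(?P<action>[^']+)''? over scope ''?(?P<scope>[^']+)''?")

def resource_group(resource_id):
    """Resource-group segment of an ARM resource id (ARM ids compare case-insensitively)."""
    m = re.search(r"/resourceGroups/([^/]+)/", resource_id, re.IGNORECASE)
    return m.group(1) if m else None

def triage(record):
    """One finding per zone: location, publish state and, on a 403, who was denied what where."""
    findings = []
    for zone in record["status"]["zones"]:
        zone_id = zone["dnsZone"]["id"]
        cond = next((c for c in zone["conditions"] if c["type"] == "Published"), {})
        f = {"zone": zone_id, "resourceGroup": resource_group(zone_id),
             "private": "/privatednszones/" in zone_id.lower(),
             "published": cond.get("status") == "True"}
        m = AUTHZ_RE.search(cond.get("message", ""))
        if not f["published"] and m:
            f.update(principal=m["principal"], missing_action=m["action"], scope=m["scope"])
        findings.append(f)
    return findings

def unauthorized_public_zones(record):
    """Public zones the identity was denied on: each names the principal and the zone scope
    that still needs a write-capable role assignment (e.g. the DNS Zone Contributor role)."""
    return [f for f in triage(record) if not f["private"] and f.get("missing_action")]
```

Feed it the output of `oc -n openshift-ingress-operator get dnsrecords default-wildcard -o json` (parsed with `json.load`) to get the same findings for a live cluster.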

      Additional info:

       

            Miciah Masters (mmasters1@redhat.com)
            Hongan Li (rhn-support-hongli)