OpenShift Bugs / OCPBUGS-16807

ccoctl does not error when OIDC and installation resource groups are the same


    Description

      Description of problem:

      ccoctl does not prevent the user from using the same resource group name for the OIDC and installation resource groups, which can result in resources existing in the resource group used for cluster installation. The OpenShift installer requires that the installation resource group be empty, so the OIDC and installation resource groups must be distinct.

      ccoctl currently allows providing --oidc-resource-group-name and --installation-resource-group-name but does not indicate a problem when those resource group names are the same. When the same resource group name is provided using a combination of the --name, --oidc-resource-group-name and --installation-resource-group-name parameters, ccoctl should exit with an error indicating that the resource group names must be different.

      Version-Release number of selected component (if applicable):

      4.14.0

      How reproducible:

      100%

      Steps to Reproduce:

      1. Run ccoctl azure create-all with a combination of --name, --oidc-resource-group-name or --installation-resource-group-name resulting in OIDC and installation resource group names being the same.
      
      ./ccoctl azure create-all --name "abutchertest" --region centralus --subscription-id "${SUBSCRIPTION_ID}" --credentials-requests-dir "${MYDIR}/credreqs" --oidc-resource-group-name "abutchertest" --dnszone-resource-group-name "${DNS_RESOURCE_GROUP}"
      
      ccoctl will default the installation resource group to match the provided --name parameter "abutchertest", which results in both the OIDC and installation resource groups being "abutchertest" since --oidc-resource-group-name uses the same name. This means that OIDC resources will be created in the resource group that will be configured for the OpenShift installer within the install-config.yaml.
      
      2. Run the OpenShift installer having set .platform.azure.resourceGroupName in the install-config.yaml to "abutchertest" and receive an error that the installation resource group is not empty. The resources identified will include user-assigned managed identities meant to be created in the OIDC resource group, which must be separate from the installation resource group.
      
      FATAL failed to fetch Terraform Variables: failed to fetch dependency of "Terraform Variables": failed to generate asset "Platform Provisioning Check": platform.azure.resourceGroupName: Invalid value: "abutchertest": resource group must be empty but it has 8 resources like...
      
      

      Actual results:

      ccoctl allows OIDC and installation resource group names to be the same.

      Expected results:

      ccoctl does not allow OIDC and installation resource groups to be the same.
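
The check described under "Expected results", sketched in Go as an added example; it is not ccoctl's own code. The function name `resolveGroups` is hypothetical, the `<name>-oidc` default for the OIDC group is an assumption (the report only states the installation group default), and the comparison ignores case because Azure resource group names are case-insensitive.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrSameResourceGroup reports that both groups resolve to one name.
var ErrSameResourceGroup = errors.New("OIDC and installation resource group names must be different")

// resolveGroups (hypothetical helper) applies defaults to the two flag
// values and rejects the result when both point at the same group.
//   - installation group defaults to --name (behaviour stated in the report)
//   - OIDC group defaults to name + "-oidc" (assumed for this example)
func resolveGroups(name, oidcRG, installRG string) (string, string, error) {
	oidcRG, installRG = strings.TrimSpace(oidcRG), strings.TrimSpace(installRG)
	if oidcRG == "" {
		oidcRG = name + "-oidc"
	}
	if installRG == "" {
		installRG = name
	}
	// Compare the effective names after defaulting, not the raw flags:
	// the reproduction above only sets --name and --oidc-resource-group-name.
	// EqualFold because "Shared-RG" and "shared-rg" are the same Azure group.
	if strings.EqualFold(oidcRG, installRG) {
		return "", "", fmt.Errorf("%w: both resolve to %q", ErrSameResourceGroup, installRG)
	}
	return oidcRG, installRG, nil
}

func main() {
	// Constructed flag combinations: {--name, --oidc-..., --installation-...}.
	cases := [][3]string{
		{"abutchertest", "abutchertest", ""}, // the reproduction in this report
		{"abutchertest", "", ""},             // defaults only
		{"abutchertest", "Shared-RG", "shared-rg"},
		{"abutchertest", "", "abutchertest-oidc"},
	}
	for _, c := range cases {
		oidc, install, err := resolveGroups(c[0], c[1], c[2])
		if err != nil {
			fmt.Printf("%v -> error: %v\n", c, err)
			continue
		}
		fmt.Printf("%v -> oidc=%s install=%s\n", c, oidc, install)
	}
}
```
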

          People

            Andrew Butcher (abutcher@redhat.com)
            Mingxia Huang