Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-18782

OpenShift on OpenStack: Password Rotation of OSP User still leads to unknown authentication failures in Keystone

    XMLWordPrintable

Details

    • ?
    • Important
    • No
    • ShiftStack Sprint 242
    • 1
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      Previously, the cloud credentials used in the Manila CSI Driver Operator were cached, resulting in authentication issues if these credentials were rotated. With this update, this issue is resolved. (link:https://issues.redhat.com/browse/OCPBUGS-18782[*OCPBUGS-18782*])
      Show
      Previously, the cloud credentials used in the Manila CSI Driver Operator were cached, resulting in authentication issues if these credentials were rotated. With this update, this issue is resolved. (link: https://issues.redhat.com/browse/OCPBUGS-18782 [* OCPBUGS-18782 *])
    • Bug Fix
    • Done

    Description

      This is a clone of issue OCPBUGS-18475. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-17160. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-14049. The following is the description of the original issue:

      Description of problem:

      After all cluster operators have reconciled after the password rotation, we can still see authentication failures in keystone (attached screenshot of splunk query)

      Version-Release number of selected component (if applicable):

      Environment:
- OpenShift 4.12.10 on OpenStack 16
- The cluster is managed via RHACM, but password rotation shall be done via "regular"  OpenShift means.

      How reproducible:

      Rotated the OpenStack credentials according to the documentation [1]

[1] https://docs.openshift.com/container-platform/4.12/authentication/managing_cloud_provider_credentials/cco-mode-passthrough.html#manually-rotating-cloud-creds_cco-mode-passthrough

      Additional info:

      - we can't trace back where these authentication failures come from - they do disappear after a cluster upgrade (so when nodes are rebooted and all pods are restarted which indicates that there's still a component using the old credentials)
- The relevant technical integration points _seem_ to be working though (LBaaS, CSI, Machine API, Swift)

      What is the business impact? Please also provide timeframe information.

      - We cannot rely on splunk monitoring for authentication issues since it's currently constantly showing authentication errors - We cannot be entirely sure that everything works as expected since we don't know the component that doesn't seem to use the new credentials

       

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-18475 OpenShift on OpenStack: Password Rotation of OSP User still leads to unknown authentication failures in Keystone

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is blocked by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-18475 OpenShift on OpenStack: Password Rotation of OSP User still leads to unknown authentication failures in Keystone

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          links to

          GitHub openshift/csi-driver-manila-operator#203: [release-4.11] OCPBUGS-18782: Don't cache OpenStack client

          Web Link RHBA-2023:5350 OpenShift Container Platform 4.11.z bug fix update

          Activity

            People

              sfinucan@redhat.com Stephen Finucane
              openshift-crt-jira-prow OpenShift Prow Bot
              Yaakov Khodorkovski Yaakov Khodorkovski
              Janine Eichler, Mariya Gokhool
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: