Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: 4.16.0
Affects Version/s: 4.14, 4.15
Component/s: Cloud Credential Operator
Labels:
- OTA
- pre-merge-verify

Severity:
Moderate
Regression:
No
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:
N/A
Release Note Type:
Release Note Not Required
Target Version:

4.16.0
Target Backport Versions:

4.16

SFDC Cases Counter:
SFDC Cases Links:

Description

Description of problem:

ccoctl consumes CredentialsRequests extracted from OpenShift releases and manages secrets associated with those requests for the cluster. Over time, ccoctl has grown a number of CredentialRequest filters, including deletion annotations in ~~CCO-175~~ and tech-preview annotations in cco#444.

But with ~~OTA-559~~, 4.14 and later oc adm release extract ... learned about an --included parameter, which allows oc to perform that "will the cluster need this credential?" filtering, and there is no longer a need for ccoctl to perform that filtering, or for ccoctl callers to have to think through "do I need to enable tech-preview CRs for this cluster or not?".

Version-Release number of selected component (if applicable):

4.14 and later.

How reproducible:

100%.

Steps to Reproduce:

$ cat <<EOF >install-config.yaml 
> apiVersion: v1
> platform:
>   gcp:
>     dummy: data
> featureSet: TechPreviewNoUpgrade
> EOF
$ oc adm release extract --included --credentials-requests --install-config install-config.yaml --to credentials-requests quay.io/openshift-release-dev/ocp-release:4.14.0-rc.2-x86_64
$ ccoctl gcp create-all --dry-run --name=test --region=test --project=test --credentials-requests-dir=credentials-requests

Actual results:

ccoctl doesn't dry-run create the TechPreviewNoUpgrade openshift-cluster-api-gcp CredentialsRequest unless you pass it {--enable-tech-preview}}.

Expected results:

ccoctl does dry-run create the TechPreviewNoUpgrade openshift-cluster-api-gcp CredentialsRequest unless you pass it --enable-tech-preview=false.

Additional info:

Longer-term, we likely want to go through some phases of deprecating and maybe eventually removing --enable-tech-preview and the ccoctl-side filtering. But for now, I think we want to pivot to defaulting to true, so that anyone with existing flows that do not include the new --included extraction has an easy way to keep their workflow going (they can set --enable-tech-preview=false). And I think we should backport that to 4.14's ccoctl to simplify OSDOCS-4158's docs#62148. But we're close enough to 4.14's expected GA, that it's worth some consensus-building and alternative consideration, before trying to rush changes back to 4.14 branches.

Attachments

Issue Links

links to

openshift/oc#1551: OCPBUGS-19807: pkg/cli/admin/release/extract: Log a warning on --credentials-requests without --included

RHEA-2024:0041 OpenShift Container Platform 4.16.z bug fix update

Activity

People

Assignee:: Jeremiah Stuever

Reporter:: W. Trevor King

QA Contact:: Jianping Shu

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2023/09/26 7:03 PM

Updated:: 2024/01/19 6:30 PM