
The secret/vmware-vsphere-cloud-credentials in ns/openshift-cluster-csi-drivers is not synced correctly when updating secret/vsphere-creds in ns/kube-system


Details

    • Important
    • No
    • Rejected
    • False
    • Previously, the Cloud Credential Operator did not support updating the vCenter server value in the root secret `vsphere-creds` that is stored in the `kube-system` namespace. As a result, attempting to update this value caused both the old and new values to exist because the component secrets were not synchronized correctly. With this release, the Cloud Credential Operator resets the secret data during synchronization so that updating the vCenter server value is supported. (link:https://issues.redhat.com/browse/OCPBUGS-20478[*OCPBUGS-20478*])
    • Bug Fix
    • Done

    Description

      Description of problem:

      The secret/vmware-vsphere-cloud-credentials in ns/openshift-cluster-csi-drivers is not synced correctly when updating secret/vsphere-creds in ns/kube-system

       

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-10-10-084534

       

      How reproducible:

      Always

       

      Steps to Reproduce:

      1. Before updating the secret

       

      $ oc -n kube-system get secret vsphere-creds -o yaml
      apiVersion: v1
      data:
        vcenter.devqe.ibmc.devcluster.openshift.com.password: xxx
        vcenter.devqe.ibmc.devcluster.openshift.com.username: xxx
      kind: Secret
      metadata:
        annotations:
          cloudcredential.openshift.io/mode: passthrough
      ...
      

       

       

      Same for the secret/vmware-vsphere-cloud-credentials in ns/openshift-cluster-csi-drivers

       

      $ oc -n openshift-cluster-csi-drivers get secret vmware-vsphere-cloud-credentials -o yaml
      apiVersion: v1
      data:
        vcenter.devqe.ibmc.devcluster.openshift.com.password: xxx
        vcenter.devqe.ibmc.devcluster.openshift.com.username: xxx
      kind: Secret
      metadata:
        annotations:
          cloudcredential.openshift.io/credentials-request: openshift-cloud-credential-operator/openshift-vmware-vsphere-csi-driver-operator

       

       

      2. Replace secret/vsphere-creds to use a new vCenter (just for testing)

       

      $ oc -n kube-system get secret vsphere-creds -o yaml 
      apiVersion: v1
      data:
        vcsa2-qe.vmware.devcluster.openshift.com.password: xxx
        vcsa2-qe.vmware.devcluster.openshift.com.username: xxx
      (Updated to vcsa2-qe)
      

       

      There is info for two vCenters in vmware-vsphere-cloud-credentials:

       

      $ oc -n openshift-cluster-csi-drivers get secret vmware-vsphere-cloud-credentials -o yaml
      apiVersion: v1
      data:
        vcenter.devqe.ibmc.devcluster.openshift.com.password: xxx
        vcenter.devqe.ibmc.devcluster.openshift.com.username: xxx
        vcsa2-qe.vmware.devcluster.openshift.com.password: xxx
        vcsa2-qe.vmware.devcluster.openshift.com.username: xxx
      (devqe and vcsa2-qe)
      

       

       

      3. Restore secret/vsphere-creds

       

      $ oc -n kube-system get secret vsphere-creds -o yaml
      apiVersion: v1
      data:
        vcenter.devqe.ibmc.devcluster.openshift.com.password: xxx
        vcenter.devqe.ibmc.devcluster.openshift.com.username: xxx
      (Updated to devqe)
      

       

      Still info for two vCenters in vmware-vsphere-cloud-credentials:

       

      $ oc -n openshift-cluster-csi-drivers get secret vmware-vsphere-cloud-credentials -o yaml
      apiVersion: v1
      data:
        vcenter.devqe.ibmc.devcluster.openshift.com.password: xxx
        vcenter.devqe.ibmc.devcluster.openshift.com.username: xxx
        vcsa2-qe.vmware.devcluster.openshift.com.password: xxx
        vcsa2-qe.vmware.devcluster.openshift.com.username: xxx
      (devqe and vcsa2-qe)
      

       

       

      Actual results:

      The secret/vmware-vsphere-cloud-credentials is not synced well

       

      Expected results:

      The secret/vmware-vsphere-cloud-credentials should be synced well

       

      Additional info:

      Storage vSphere csi driver controller pods are crash looping.
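
      The behaviour the release note describes, as an added Go example (not the Cloud Credential Operator's own code): a sync that merges keys leaves the old vCenter's credentials in the component secret, while rebuilding the data from the root secret alone removes them. The function names, the `.username`/`.password` suffix parsing, and the sample host names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// syncMerge models the pre-fix behaviour: root keys are copied in, nothing is removed.
func syncMerge(component, root map[string][]byte) {
	for k, v := range root {
		component[k] = v
	}
}

// syncReset models the fix: the component data is rebuilt from the root secret alone.
func syncReset(root map[string][]byte) map[string][]byte {
	out := make(map[string][]byte, len(root))
	syncMerge(out, root)
	return out
}

func server(key string) string {
	return strings.TrimSuffix(strings.TrimSuffix(key, ".username"), ".password")
}

// staleServers lists vCenter hosts (key minus .username/.password) in component but not in root.
func staleServers(component, root map[string][]byte) []string {
	extra := map[string]bool{}
	for k := range component {
		extra[server(k)] = true
	}
	for k := range root {
		delete(extra, server(k))
	}
	stale := make([]string, 0, len(extra))
	for s := range extra {
		stale = append(stale, s)
	}
	sort.Strings(stale)
	return stale
}

func main() {
	// Constructed sample data; "old-vc.example" and "new-vc.example" are placeholder hosts.
	component := map[string][]byte{"old-vc.example.username": []byte("u"), "old-vc.example.password": []byte("p")}
	root := map[string][]byte{"new-vc.example.username": []byte("u"), "new-vc.example.password": []byte("p")}
	syncMerge(component, root)
	fmt.Println("merge:", staleServers(component, root), "reset:", staleServers(syncReset(root), root))
}
```

      A non-empty result from `staleServers` corresponds to the state shown in the reproduction steps, where credentials for a vCenter no longer in the root secret remain in the component secret.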


            People

              jstuever@redhat.com Jeremiah Stuever
              wduan@redhat.com Wei Duan
              Jianping Shu Jianping Shu