OpenShift Bugs: OCPBUGS-22774

There is no clear error log when creating an STS cluster with a KMS key whose key policy does not include the installer role

      Previously, when you specified Key Management Service (KMS) encryption keys in the `kmsKeyARN` section of the `install-config.yaml` configuration file for installing a cluster on Amazon Web Services (AWS), permission roles were not added during the cluster installation operation. With this update, after you specify the keys in the configuration file, an additional set of keys is added to the cluster so that the cluster installs successfully. If you specify the `credentialsMode` parameter in the configuration file, all KMS encryption keys are ignored. (link:https://issues.redhat.com/browse/OCPBUGS-22774[*OCPBUGS-22774*])
    • Bug Fix
    • Done

      This is a clone of issue OCPBUGS-13664. The following is the description of the original issue:

      Description of problem:

      There is no clear error message when creating an STS cluster with a KMS key whose key policy does not include the installer role.

      Version-Release number of selected component (if applicable):

       

      How reproducible:

      always

      Steps to Reproduce:

      1. Prepare a KMS key with the aws command:
         aws kms create-key --tags TagKey=Purpose,TagValue=Test --description "kms Key"
      2. Create an STS cluster with the KMS key:
         rosa create cluster --cluster-name ying-k1 --sts --role-arn arn:aws:iam::301721915996:role/ying16-Installer-Role --support-role-arn arn:aws:iam::301721915996:role/ying16-Support-Role --controlplane-iam-role arn:aws:iam::301721915996:role/ying16-ControlPlane-Role --worker-iam-role arn:aws:iam::301721915996:role/ying16-Worker-Role --operator-roles-prefix ying-k1-e2g3 --oidc-config-id 23ggvdh2jouranue87r5ujskp8hctisn --region us-west-2 --version 4.12.15 --replicas 2 --compute-machine-type m5.xlarge --machine-cidr 10.0.0.0/16 --service-cidr 172.30.0.0/16 --pod-cidr 10.128.0.0/14 --host-prefix 23 --kms-key-arn arn:aws:kms:us-west-2:301721915996:key/c60b5a31-1a5c-4d73-93ee-67586d0eb90d

      Actual results:

      The installation fails. Here is the install log:
      http://pastebin.test.redhat.com/1100008

      Expected results:

      There should be a detailed error message stating that the KMS key policy does not include the installer role.

      Additional info:

      The installation succeeds if the installer role ARN is added to the KMS key policy:
        {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
              {
                  "Sid": "Enable IAM User Permissions",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": [
                          "arn:aws:iam::301721915996:role/ying16-Installer-Role",
                          "arn:aws:iam::301721915996:root"
                      ]
                  },
                  "Action": "kms:*",
                  "Resource": "*"
              }
          ]
      }

              ppinjark@redhat.com pawan pinjarkar
              openshift-crt-jira-prow OpenShift Prow Bot
              Yunfei Jiang Yunfei Jiang
              Votes: 0
              Watchers: 6

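The check the reporter is asking for, as an added example that is not code from the bug report or from the OpenShift installer: classify a KMS key policy against the installer role ARN before running the install and print a message that says why the key will or will not be usable. It reuses the installer role ARN from the reproduction steps; the two policy documents are constructed for the example (the first mirrors the default policy `aws kms create-key` attaches, which names only the account root; the second mirrors the working policy from "Additional info"). The real policy would come from `aws kms get-key-policy --key-id <arn> --policy-name default`. The caveat it encodes: an account-root entry on its own does not grant the role anything, it only delegates the decision to IAM identity policies, so the role must either appear in the key policy explicitly or carry an IAM policy granting KMS actions on that key.

```python
"""Added example (not from the bug report or the OpenShift installer):
explain how a KMS key policy treats the installer role instead of letting
the install fail with no clear error.
"""
import json
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/.+$")
ROOT_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):root$")

# Role ARN taken from the reproduction steps on this page.
INSTALLER_ROLE = "arn:aws:iam::301721915996:role/ying16-Installer-Role"

# Constructed: the policy `aws kms create-key` attaches when none is supplied.
# It names only the account root, which delegates to IAM identity policies.
DEFAULT_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::301721915996:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})

# Constructed to match the working policy shown under "Additional info".
FIXED_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": [INSTALLER_ROLE, "arn:aws:iam::301721915996:root"]},
        "Action": "kms:*",
        "Resource": "*",
    }],
})


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element to a list of AWS ARNs (or '*')."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [str(p) for p in _as_list(principal.get("AWS"))]


def _covers_kms(statement):
    """True if the statement's Action element covers KMS operations."""
    return any(a == "*" or a.startswith("kms:") for a in _as_list(statement.get("Action")))


def check_installer_access(policy_json, role_arn):
    """Classify how the key policy treats role_arn. Returns (status, message).

    status is one of:
      invalid   - role_arn is not an IAM role ARN
      denied    - an explicit Deny names the role (or '*'); Deny always wins
      allowed   - an Allow names the role (or '*') directly
      delegated - only the role's account root is allowed, so the key policy
                  defers to IAM and the role still needs an identity policy
      missing   - nothing in the key policy can apply to the role
    """
    m = ROLE_ARN_RE.match(role_arn)
    if not m:
        return "invalid", f"{role_arn} is not an IAM role ARN"
    role_account = m.group(1)

    denied = allowed = delegated = False
    for stmt in json.loads(policy_json).get("Statement", []):
        if not _covers_kms(stmt):
            continue
        effect = stmt.get("Effect")
        for p in _principals(stmt):
            names_role = p in (role_arn, "*")
            root = ROOT_ARN_RE.match(p)
            same_account_root = bool(root and root.group(1) == role_account)
            if effect == "Deny" and names_role:
                denied = True
            elif effect == "Allow" and names_role:
                allowed = True
            elif effect == "Allow" and same_account_root:
                delegated = True

    if denied:
        return "denied", f"key policy explicitly denies KMS actions to {role_arn}"
    if allowed:
        return "allowed", f"key policy grants KMS actions to {role_arn}"
    if delegated:
        return "delegated", (f"key policy names only account {role_account} root; "
                             f"{role_arn} needs an IAM policy granting KMS actions on this key, "
                             "or add the role ARN to the key policy")
    return "missing", f"key policy grants no KMS access to {role_arn}; add the role ARN to the key policy"


if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_KEY_POLICY), ("fixed", FIXED_KEY_POLICY)):
        status, message = check_installer_access(policy, INSTALLER_ROLE)
        print(f"{name}: {status}: {message}")
```

Run against the default policy the check reports `delegated`, which is the situation in the reproduction: the key exists and root is allowed, but nothing in the key policy names the installer role, so the install fails unless an IAM policy on the role fills the gap. Against the fixed policy it reports `allowed`.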