Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-23426

The secret/vmware-vsphere-cloud-credentials in ns/openshift-cluster-csi-drivers is not synced correctly when updating secret/vsphere-creds in ns/kube-system

XMLWordPrintable

    • Important
    • No
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, updating the VMware vCenter server in root secret vSphere-creds in the `kube-system` namespace was not supported by the Cloud Credential Operator (CCO). This meant that the component secrets were not synchronized correctly. With this release, the CCO will reset the secret data when synchronized. CCO now supports updating the VMware vCenter server in root secret vSphere-creds in the `kube-system` namespace. (link:https://issues.redhat.com/browse/OCPBUGS-23426[*OCPBUGS-23426*])
      Show
      * Previously, updating the VMware vCenter server in root secret vSphere-creds in the `kube-system` namespace was not supported by the Cloud Credential Operator (CCO). This meant that the component secrets were not synchronized correctly. With this release, the CCO will reset the secret data when synchronized. CCO now supports updating the VMware vCenter server in root secret vSphere-creds in the `kube-system` namespace. (link: https://issues.redhat.com/browse/OCPBUGS-23426 [* OCPBUGS-23426 *])
    • Bug Fix
    • Done

      This is a clone of issue OCPBUGS-20478. The following is the description of the original issue:

      Description of problem:

      The secret/vmware-vsphere-cloud-credentials in ns/openshift-cluster-csi-drivers is not synced correctly when updating secret/vsphere-creds in ns/kube-system

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-10-10-084534

      How reproducible:

      Always

      Steps to Reproduce:

      1. Before updating the secret
      $ oc -n kube-system get secret vsphere-creds -o yaml
      apiVersion: v1
      data:
        vcenter.devqe.ibmc.devcluster.openshift.com.password: xxx
        vcenter.devqe.ibmc.devcluster.openshift.com.username: xxx
      kind: Secret
      metadata:
        annotations:
          cloudcredential.openshift.io/mode: passthrough
      ...
      

      Same for the secret/vmware-vsphere-cloud-credentials in ns/openshift-cluster-csi-drivers

      $ oc -n openshift-cluster-csi-drivers get secret vmware-vsphere-cloud-credentials -o yaml
      apiVersion: v1
      data:
        vcenter.devqe.ibmc.devcluster.openshift.com.password: xxx
        vcenter.devqe.ibmc.devcluster.openshift.com.username: xxx
      kind: Secret
      metadata:
        annotations:
          cloudcredential.openshift.io/credentials-request: openshift-cloud-credential-operator/openshift-vmware-vsphere-csi-driver-operator
      1. replace secret/vsphere-creds to use new vcenter (just for test)
      $ oc -n kube-system get secret vsphere-creds -o yaml 
      apiVersion: v1
      data:
        vcsa2-qe.vmware.devcluster.openshift.com.password: xxx
        vcsa2-qe.vmware.devcluster.openshift.com.username: xxx
      (Updated to vcsa2-qe)
      

      There are two vcenter info in vmware-vsphere-cloud-credentials:

      $ oc -n openshift-cluster-csi-drivers get secret vmware-vsphere-cloud-credentials -o yaml
      apiVersion: v1
      data:
        vcenter.devqe.ibmc.devcluster.openshift.com.password: xxx
        vcenter.devqe.ibmc.devcluster.openshift.com.username: xxx
        vcsa2-qe.vmware.devcluster.openshift.com.password: xxx
        vcsa2-qe.vmware.devcluster.openshift.com.username: xxx
      (devqe and vcsa2-qe)
      
      1. restore secret/vsphere-creds
      $ oc -n kube-system get secret vsphere-creds -o yaml
      apiVersion: v1
      data:
        vcenter.devqe.ibmc.devcluster.openshift.com.password: xxx
        vcenter.devqe.ibmc.devcluster.openshift.com.username: xxx
      (Updated to devqe)
      

      Still two vcenter info in vmware-vsphere-cloud-credentials:

      $ oc -n openshift-cluster-csi-drivers get secret vmware-vsphere-cloud-credentials -o yaml
      apiVersion: v1
      data:
        vcenter.devqe.ibmc.devcluster.openshift.com.password: xxx
        vcenter.devqe.ibmc.devcluster.openshift.com.username: xxx
        vcsa2-qe.vmware.devcluster.openshift.com.password: xxx
        vcsa2-qe.vmware.devcluster.openshift.com.username: xxx
      (devqe and vcsa2-qe)
      

      Actual results:

      The secret/vmware-vsphere-cloud-credentials is not synced well

      Expected results:

      The secret/vmware-vsphere-cloud-credentials should be synced well

      Additional info:

      Storage vSphere csi driver controller pods are crash looping.

              jstuever@redhat.com Jeremiah Stuever
              openshift-crt-jira-prow OpenShift Prow Bot
              Jianping Shu Jianping Shu
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: