OCPBUGS-24249

[alibabacloud] "oc adm" extracting credentials requests with options "--included" and "--install-config" won't extract machine-api operator's CR


    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • 4.14.z, 4.15.0, 4.16
    • oc / update
    • Important
    • No
    • 5
    • OTA 246, OTA 247, OTA 255
    • 3
    • Rejected
    • False

      Version-Release number of selected component (if applicable): 4.14.0-0.nightly-2023-11-29-234603

      How reproducible: Always.

      Steps to Reproduce:
      1. "create install-config" for platform alibabacloud
      2. (optional) insert "credentialsMode: Manual" into install-config.yaml
      3. use "oc adm" to extract credentials requests, with the options "--included" and "--install-config", please refer to https://github.com/openshift/release/blob/master/ci-operator/step-registry/ipi/conf/alibabacloud/cloud-creds-provision/ipi-conf-alibabacloud-cloud-creds-provision-commands.sh#L54

      Actual results:
      There are only 3 credentials requests extracted, missing "0000_30_machine-api-operator_00_credentials-request.yaml".
      0000_50_cluster-image-registry-operator_01-registry-credentials-request-alibaba.yaml
      0000_50_cluster-ingress-operator_00-ingress-credentials-request.yaml
      0000_50_cluster-storage-operator_03_credentials_request_alibaba.yaml

      Expected results:
      There are 4 credentials requests extracted, including:
      0000_30_machine-api-operator_00_credentials-request.yaml
      0000_50_cluster-image-registry-operator_01-registry-credentials-request-alibaba.yaml
      0000_50_cluster-ingress-operator_00-ingress-credentials-request.yaml
      0000_50_cluster-storage-operator_03_credentials_request_alibaba.yaml

      Additional info:
      (1) Some problem jobs: 
      PROW CI one - https://qe-private-deck-ci.apps.ci.l2s4.p1.openshiftapps.com/view/gs/qe-private-deck/logs/periodic-ci-openshift-openshift-tests-private-release-4.14-amd64-nightly-alibaba-ipi-private-fips-f28-ui/1725880253001240576

      My debug one - https://qe-private-deck-ci.apps.ci.l2s4.p1.openshiftapps.com/view/gs/qe-private-deck/pr-logs/pull/openshift_release/45631/rehearse-45631-periodic-ci-openshift-openshift-tests-private-release-4.14-amd64-nightly-alibaba-ipi-private-fips-f28/1730145916691681280

      (2) Without the options "--included" and "--install-config", all 4 credentials requests would be extracted, e.g. see https://gcsweb-qe-private-deck-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/qe-private-deck/pr-logs/pull/openshift_release/45631/rehearse-45631-periodic-ci-openshift-verification-tests-master-installer-rehearse-4.14-installer-rehearse-alibabacloud/1730146502245879808/artifacts/installer-rehearse-alibabacloud/ipi-conf-alibabacloud-cloud-creds-provision/build-log.txt (where ADDITIONAL_OC_EXTRACT_ARGS is empty).

      (3) Using "oc adm" to extract credentials requests with the options "--included" and "--install-config" for cloud "gcp" has no issue, e.g. see https://gcsweb-qe-private-deck-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/qe-private-deck/logs/periodic-ci-openshift-openshift-tests-private-release-4.14-amd64-stable-gcp-ipi-disconnected-private-workload-identity-f14/1727641488721973248/artifacts/gcp-ipi-disconnected-private-workload-identity-f14/ipi-conf-gcp-oidc-creds-provision/build-log.txt

      (4) The credentials requests of MachineAPI, for cloud "alibabacloud" and "gcp" respectively:

      apiVersion: cloudcredential.openshift.io/v1
      kind: CredentialsRequest
      metadata:
        annotations:
          capability.openshift.io/name: MachineAPI
        name: openshift-machine-api-alibabacloud
        namespace: openshift-cloud-credential-operator
      spec:
        providerSpec:
          apiVersion: cloudcredential.openshift.io/v1
          kind: AlibabaCloudProviderSpec
          statementEntries:
          - action:
            - ecs:DeleteInstances
            - ecs:DescribeImages
            - ecs:DescribeInstances
            - ecs:DescribeSecurityGroups
            - ecs:RunInstances
            - ecs:StopInstances
            - ecs:TagResources
            effect: Allow
            resource: '*'
          - action:
            - vpc:DescribeVpcs
            - vpc:DescribeVSwitches
            - ram:PassRole
            effect: Allow
            resource: '*'
        secretRef:
          name: alibabacloud-credentials
          namespace: openshift-machine-api


      apiVersion: cloudcredential.openshift.io/v1
      kind: CredentialsRequest
      metadata:
        annotations:
          capability.openshift.io/name: MachineAPI
          exclude.release.openshift.io/internal-openshift-hosted: "true"
          include.release.openshift.io/self-managed-high-availability: "true"
        labels:
          controller-tools.k8s.io: "1.0"
        name: openshift-machine-api-gcp
        namespace: openshift-cloud-credential-operator
      spec:
        providerSpec:
          apiVersion: cloudcredential.openshift.io/v1
          kind: GCPProviderSpec
          predefinedRoles:
          - roles/compute.admin
          - roles/iam.serviceAccountUser
        secretRef:
          name: gcp-cloud-credentials
          namespace: openshift-machine-api
        serviceAccountNames:
        - machine-api-controllers

      (5) We've seen the issue with both 4.14 and 4.15.
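
A pre-flight check for the difference visible in item (4), as an added example that is not part of the original report: it lists CredentialsRequests that carry no `include.release.openshift.io/<profile>` annotation. That `--included` filters on this annotation is an assumption here; the function names and the sample file are constructed for illustration.

```bash
# Added example, not from the bug report. Assumption: --included drops a manifest
# that lacks the include.release.openshift.io/<profile>: "true" annotation.
# Lists CredentialsRequests without that annotation; handles multi-document YAML
# and assumes the two-space indentation of the manifests quoted in the report.
# usage: crs_without_profile <profile> <file>...
crs_without_profile() {
  profile=$1; shift
  awk -v want="include.release.openshift.io/${profile}:" '
    function emit() {
      if (is_cr && !has_profile) print name
      is_cr = 0; has_profile = 0; name = ""
    }
    FNR == 1 && NR > 1 { emit() }
    /^---/ { emit(); next }
    /^kind: CredentialsRequest *$/ { is_cr = 1 }
    /^  name:/ && name == "" { name = $2 }
    $1 == want && $2 == "\"true\"" { has_profile = 1 }
    END { emit() }
  ' "$@"
}

# Constructed sample: kind and metadata of the two manifests quoted in item (4).
write_sample() {
  cat > "$1" <<'EOF'
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  annotations:
    capability.openshift.io/name: MachineAPI
  name: openshift-machine-api-alibabacloud
  namespace: openshift-cloud-credential-operator
---
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  annotations:
    capability.openshift.io/name: MachineAPI
    exclude.release.openshift.io/internal-openshift-hosted: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
  name: openshift-machine-api-gcp
  namespace: openshift-cloud-credential-operator
EOF
}

sample=$(mktemp)
write_sample "$sample"
crs_without_profile self-managed-high-availability "$sample"  # prints openshift-machine-api-alibabacloud
rm -f "$sample"
```

Run against an unfiltered extraction, a non-empty result names the requests that a filtered extraction may omit, which matters in manual credentials mode where each missing request means a credential that is never provisioned.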

            trking W. Trevor King
            rhn-support-jiwei Jianli Wei
            ying zhou ying zhou