- Bug
- Resolution: Done
- Critical
- 4.16
- No
- Rejected
- False
- Release Note Not Required
- In Progress
Description of problem:
When migrating an OpenShift cluster to Azure AD Workload Identity, it does not have sufficient permissions to apply the Azure Pod Identity webhook configuration.
Version-Release number of selected component (if applicable):
4.16
How reproducible:
Always
Steps to Reproduce:
1. Follow the steps provided in the documentation: https://github.com/openshift/cloud-credential-operator/blob/master/docs/azure_workload_identity.md#steps-to-in-place-migrate-an-openshift-cluster-to-azure-ad-workload-identity
2. At step 10, applying the Azure pod identity webhook configuration failed.
Actual results:
For step 10:

[hmx@fedora CCO]$ oc replace -f ./CCO-456/output_dir/manifests/azure-ad-pod-identity-webhook-config.yaml
Error from server (NotFound): error when replacing "./CCO-456/output_dir/manifests/azure-ad-pod-identity-webhook-config.yaml": secrets "azure-credentials" not found

[hmx@fedora CCO]$ oc get po -n openshift-cloud-credential-operator
NAME                                         READY   STATUS    RESTARTS   AGE
cloud-credential-operator-594bf555b4-6srcq   2/2     Running   0          3h32m

[hmx@fedora CCO]$ oc logs cloud-credential-operator-594bf555b4-6srcq -n openshift-cloud-credential-operator
Defaulted container "kube-rbac-proxy" out of: kube-rbac-proxy, cloud-credential-operator
Flag --logtostderr has been deprecated, will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components
I0410 06:41:25.490507 1 kube-rbac-proxy.go:285] Valid token audiences:
I0410 06:41:25.490752 1 kube-rbac-proxy.go:399] Reading certificate files
I0410 06:41:25.491607 1 kube-rbac-proxy.go:447] Starting TCP socket on 0.0.0.0:8443
I0410 06:41:25.492241 1 kube-rbac-proxy.go:454] Listening securely on 0.0.0.0:8443
E0410 06:41:52.996659 1 webhook.go:154] Failed to make webhook authenticator request: Unauthorized
E0410 06:41:52.997568 1 auth.go:47] Unable to authenticate the request due to an error: Unauthorized
E0410 06:42:15.871706 1 webhook.go:154] Failed to make webhook authenticator request: Unauthorized
E0410 06:42:15.871754 1 auth.go:47] Unable to authenticate the request due to an error: Unauthorized
Expected results:
Apply the azure pod identity webhook configuration successfully.
Additional info: