Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-33805

Incorrect form of entrypoint used in Dockerfile.openshift for azure-kubernetes-kms

XMLWordPrintable

    • Critical
    • No
    • 1
    • Proposed
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      The creation of an Azure HC with secret encryption failed with
      # azure-kms-provider-active container log (within the KAS pod)
      I0516 09:38:22.860917       1 exporter.go:17] "metrics backend" exporter="prometheus"
      I0516 09:38:22.861178       1 prometheus_exporter.go:56] "Prometheus metrics server running" address="8095"
      I0516 09:38:22.861199       1 main.go:90] "Starting KeyManagementServiceServer service" version="" buildDate=""
      E0516 09:38:22.861439       1 main.go:59] "unrecoverable error encountered" err="failed to create key vault client: key vault name, key name and key version are required"

      How reproducible:

      Always

      Steps to Reproduce:

      1. export RESOURCEGROUP="fxie-1234-rg" LOCATION="eastus" KEYVAULT_NAME="fxie-1234-keyvault" KEYVAULT_KEY_NAME="fxie-1234-key" KEYVAULT_KEY2_NAME="fxie-1234-key-2"
      2. az group create --name $RESOURCEGROUP --location $LOCATION
      3. az keyvault create -n $KEYVAULT_NAME -g $RESOURCEGROUP -l $LOCATION --enable-purge-protection true
      4. az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn fa5abf8d-ed43-4637-93a7-688e2a0efd82
      5. az keyvault key create --vault-name $KEYVAULT_NAME -n $KEYVAULT_KEY_NAME --protection software
      6. KEYVAULT_KEY_URL="$(az keyvault key show --vault-name $KEYVAULT_NAME --name $KEYVAULT_KEY_NAME --query 'key.kid' -o tsv)"
      7. hypershift create cluster azure            --pull-secret $PULL_SECRET            --name $CLUSTER_NAME            --azure-creds $HOME/.azure/osServicePrincipal.json            --node-pool-replicas=1            --location eastus            --base-domain $BASE_DOMAIN    --release-image registry.ci.openshift.org/ocp/release:4.16.0-0.nightly-2024-05-15-001800 --encryption-key-id $KEYVAULT_KEY_URL     

      Root cause:

      The entrypoint statement within azure-kubernetes-kms's Dockerfile is in shell form which prevents any command line arguments from being used. 

              fxierh Feilian Xie
              fxierh Feilian Xie
              Feilian Xie Feilian Xie
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: