OpenShift Bugs / OCPBUGS-33805

Incorrect form of entrypoint used in Dockerfile.openshift for azure-kubernetes-kms


      Description of problem:

      Creating an Azure hosted cluster (HC) with secret encryption enabled fails. The azure-kms-provider-active container (within the KAS pod) logs:
      I0516 09:38:22.860917       1 exporter.go:17] "metrics backend" exporter="prometheus"
      I0516 09:38:22.861178       1 prometheus_exporter.go:56] "Prometheus metrics server running" address="8095"
      I0516 09:38:22.861199       1 main.go:90] "Starting KeyManagementServiceServer service" version="" buildDate=""
      E0516 09:38:22.861439       1 main.go:59] "unrecoverable error encountered" err="failed to create key vault client: key vault name, key name and key version are required"

      How reproducible:

      Always

      Steps to Reproduce:

      1. export RESOURCEGROUP="fxie-1234-rg" LOCATION="eastus" KEYVAULT_NAME="fxie-1234-keyvault" KEYVAULT_KEY_NAME="fxie-1234-key" KEYVAULT_KEY2_NAME="fxie-1234-key-2"
      2. az group create --name $RESOURCEGROUP --location $LOCATION
      3. az keyvault create -n $KEYVAULT_NAME -g $RESOURCEGROUP -l $LOCATION --enable-purge-protection true
      4. az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn fa5abf8d-ed43-4637-93a7-688e2a0efd82
      5. az keyvault key create --vault-name $KEYVAULT_NAME -n $KEYVAULT_KEY_NAME --protection software
      6. KEYVAULT_KEY_URL="$(az keyvault key show --vault-name $KEYVAULT_NAME --name $KEYVAULT_KEY_NAME --query 'key.kid' -o tsv)"
      7. hypershift create cluster azure --pull-secret $PULL_SECRET --name $CLUSTER_NAME --azure-creds $HOME/.azure/osServicePrincipal.json --node-pool-replicas=1 --location eastus --base-domain $BASE_DOMAIN --release-image registry.ci.openshift.org/ocp/release:4.16.0-0.nightly-2024-05-15-001800 --encryption-key-id $KEYVAULT_KEY_URL

      Root cause:

      The ENTRYPOINT statement within azure-kubernetes-kms's Dockerfile is written in shell form. Docker wraps a shell-form entrypoint in `/bin/sh -c`, so any command-line arguments supplied to the container at runtime are not appended to the KMS binary but silently dropped. The plugin therefore starts without its key vault configuration, which is exactly the "key vault name, key name and key version are required" error seen above.
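The two ENTRYPOINT forms side by side, as an added example that is not the project's own Dockerfile.openshift. The binary path /bin/kubernetes-kms and the flag names --keyvault-name, --key-name and --key-version are assumptions for illustration; only the shell-form versus exec-form behaviour is the point.

```dockerfile
# Added illustration, not the project's Dockerfile.openshift.
# Binary path and flag names below are assumed for the example.

# --- Shell form (reproduces the bug) ---
# Docker stores this as ["/bin/sh", "-c", "/bin/kubernetes-kms"].
# Arguments passed at runtime (CMD, `docker run image --keyvault-name ...`,
# or the pod's container args) become positional parameters of that
# `sh -c` string, never of kubernetes-kms, so the plugin starts with no
# key vault configuration and exits with
# "key vault name, key name and key version are required".
#
#   ENTRYPOINT /bin/kubernetes-kms

# --- Exec form (the fix) ---
# No shell wrapper: runtime arguments are appended verbatim to the
# entrypoint, e.g. /bin/kubernetes-kms --keyvault-name ... --key-name ... --key-version ...
ENTRYPOINT ["/bin/kubernetes-kms"]
```

To check which form an already-built image uses, run `docker inspect --format '{{json .Config.Entrypoint}}' <image>` (or the equivalent `podman inspect`): a shell-form entrypoint shows up as `["/bin/sh","-c","..."]`, while the exec form shows the bare binary array. A quick runtime check is `docker run --rm <image> --help`; in the shell form the `--help` never reaches the binary.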

              fxierh Feilian Xie (Inactive)