Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Critical
Fix Version/s: 4.16.0
Affects Version/s: 4.16.0, 4.17.0
Component/s: HyperShift
Labels:
- hypershift-qe
- triaged

Severity:
Critical
Regression:
No
Release Blocker:
Proposed
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
* Previously, the `azure-kms-provider-active` container in the KAS pod used an entrypoint statement in shell form in the Dockerfile. As a consequence, the container failed. To resolve this issue, use the `exec` form for the entrypoint statement. (link:https://issues.redhat.com/browse/OCPBUGS-33940[*~~OCPBUGS-33940~~]*)

Show
* Previously, the `azure-kms-provider-active` container in the KAS pod used an entrypoint statement in shell form in the Dockerfile. As a consequence, the container failed. To resolve this issue, use the `exec` form for the entrypoint statement. (link: https://issues.redhat.com/browse/OCPBUGS-33940 [* OCPBUGS-33940 ]*)
Release Note Type:
Bug Fix
Release Note Status:
Done
Target Version:

4.16.0
Target Backport Versions:

4.16.0

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

This is a clone of issue OCPBUGS-33805. The following is the description of the original issue:
—
Description of problem:

The creation of an Azure HC with secret encryption failed with
# azure-kms-provider-active container log (within the KAS pod)
I0516 09:38:22.860917       1 exporter.go:17] "metrics backend" exporter="prometheus"
I0516 09:38:22.861178       1 prometheus_exporter.go:56] "Prometheus metrics server running" address="8095"
I0516 09:38:22.861199       1 main.go:90] "Starting KeyManagementServiceServer service" version="" buildDate=""
E0516 09:38:22.861439       1 main.go:59] "unrecoverable error encountered" err="failed to create key vault client: key vault name, key name and key version are required"

How reproducible:

Always

Steps to Reproduce:

1. export RESOURCEGROUP="fxie-1234-rg" LOCATION="eastus" KEYVAULT_NAME="fxie-1234-keyvault" KEYVAULT_KEY_NAME="fxie-1234-key" KEYVAULT_KEY2_NAME="fxie-1234-key-2"
2. az group create --name $RESOURCEGROUP --location $LOCATION
3. az keyvault create -n $KEYVAULT_NAME -g $RESOURCEGROUP -l $LOCATION --enable-purge-protection true
4. az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn fa5abf8d-ed43-4637-93a7-688e2a0efd82
5. az keyvault key create --vault-name $KEYVAULT_NAME -n $KEYVAULT_KEY_NAME --protection software
6. KEYVAULT_KEY_URL="$(az keyvault key show --vault-name $KEYVAULT_NAME --name $KEYVAULT_KEY_NAME --query 'key.kid' -o tsv)"
7. hypershift create cluster azure            --pull-secret $PULL_SECRET            --name $CLUSTER_NAME            --azure-creds $HOME/.azure/osServicePrincipal.json            --node-pool-replicas=1            --location eastus            --base-domain $BASE_DOMAIN    --release-image registry.ci.openshift.org/ocp/release:4.16.0-0.nightly-2024-05-15-001800 --encryption-key-id $KEYVAULT_KEY_URL

Root cause:

The entrypoint statement within azure-kubernetes-kms's Dockerfile is in shell form which prevents any command line arguments from being used.

clones

OCPBUGS-33805 Incorrect form of entrypoint used in Dockerfile.openshift for azure-kubernetes-kms

Verified

is blocked by

OCPBUGS-33805 Incorrect form of entrypoint used in Dockerfile.openshift for azure-kubernetes-kms

Verified

links to

openshift/azure-kubernetes-kms#6: [release-4.16] OCPBUGS-33940: Use exec form entrypoint

RHEA-2024:0041 OpenShift Container Platform 4.16.z bug fix update

Assignee:: Feilian Xie

Reporter:: OpenShift Prow Bot

QA Contact:: Feilian Xie

Doc Contact:: Laura Hinson

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2024/05/20 8:42 AM

Updated:: 2024/06/27 11:48 AM

Resolved:: 2024/06/27 11:48 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates