Bug
Resolution: Done-Errata
Critical
None
4.16, 4.17
Description of problem:
For STS, an AWS creds file is injected with credential_process for the installer to use. That usually points to a command that loads a Secret containing the creds necessary to assume role. For CAPI, the installer runs in an ephemeral envtest cluster. So when it runs that credential_process (via the black box of passing the creds file to the AWS SDK) the command ends up requesting that Secret from the envtest kube API server… where it doesn’t exist. The Installer should avoid overriding KUBECONFIG whenever possible.
Version-Release number of selected component (if applicable):
4.16+
How reproducible:
always
Steps to Reproduce:
1. Deploy cluster with STS credentials
Actual results:
Install fails with:
time="2024-06-02T23:50:17Z" level=debug msg="failed to get the service provider secret: secrets \"shawnnightly-aws-service-provider-secret\" not foundfailed to get the service provider secret: oc get events -n uhc-staging-2blaesc1478urglmcfk3r79a17n82lm3E0602 23:50:17.324137 151 awscluster_controller.go:327] \"failed to reconcile network\" err=<"
time="2024-06-02T23:50:17Z" level=debug msg="\tfailed to create new managed VPC: failed to create vpc: ProcessProviderExecutionError: error in credential_process"
time="2024-06-02T23:50:17Z" level=debug msg="\tcaused by: exit status 1"
time="2024-06-02T23:50:17Z" level=debug msg=" > controller=\"awscluster\" controllerGroup=\"infrastructure.cluster.x-k8s.io\" controllerKind=\"AWSCluster\" AWSCluster=\"openshift-cluster-api-guests/shawnnightly-c8zdl\" namespace=\"openshift-cluster-api-guests\" name=\"shawnnightly-c8zdl\" reconcileID=\"e7524343-f598-4b71-a788-ad6975e92be7\" cluster=\"openshift-cluster-api-guests/shawnnightly-c8zdl\""
time="2024-06-02T23:50:17Z" level=debug msg="I0602 23:50:17.324204 151 recorder.go:104] \"Failed to create new managed VPC: ProcessProviderExecutionError: error in credential_process\\ncaused by: exit status 1\" logger=\"events\" type=\"Warning\" object={\"kind\":\"AWSCluster\",\"namespace\":\"openshift-cluster-api-guests\",\"name\":\"shawnnightly-c8zdl\",\"uid\":\"f20bd7ae-a8d2-4b16-91c2-c9525256bb46\",\"apiVersion\":\"infrastructure.cluster.x-k8s.io/v1beta2\",\"resourceVersion\":\"311\"} reason=\"FailedCreateVPC\""
Expected results:
No failures
Additional info:
- blocks: OCPBUGS-35243 [capi aws] installs fail with STS credentials (Closed)
- is cloned by: OCPBUGS-35243 [capi aws] installs fail with STS credentials (Closed)
- is duplicated by: HIVE-2529 4.16 capi install will fail for STS (Closed)
- links to: RHEA-2024:3718 OpenShift Container Platform 4.17.z bug fix update
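The inheritance behind the failure described above, as an added example that is not from the bug report or the installer source: a KUBECONFIG override placed in a controller's environment is inherited by the credential_process helper it spawns, while a path passed as an argument is not. The shell stand-ins, the `runController` name and both paths are constructed for illustration; passing `--kubeconfig` is one way to scope the override and is an assumption, not the fix recorded in this bug.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// controllerScript stands in for a CAPI provider binary (hypothetical). It
// reports the kubeconfig it would use ($2 when launched with
// "--kubeconfig <path>", otherwise $KUBECONFIG), then execs a stand-in for the
// credential_process helper, which only sees the environment it inherits.
const controllerScript = `printf '%s|' "${2:-$KUBECONFIG}"; exec sh -c 'printf %s "$KUBECONFIG"'`

// runController starts the stand-in controller against the envtest kubeconfig
// and returns the kubeconfig the controller used and the one the helper saw.
func runController(envtest string, viaEnv bool) (controller, helper string, err error) {
	var cmd *exec.Cmd
	if viaEnv {
		// Failing pattern: override KUBECONFIG in the child's environment.
		cmd = exec.Command("sh", "-c", controllerScript, "controller")
		cmd.Env = append(os.Environ(), "KUBECONFIG="+envtest)
	} else {
		// Scoped pattern: pass the path as an argument, leave the env alone.
		cmd = exec.Command("sh", "-c", controllerScript, "controller", "--kubeconfig", envtest)
	}
	out, err := cmd.Output()
	if err != nil {
		return "", "", err
	}
	parts := strings.SplitN(string(out), "|", 2)
	if len(parts) != 2 {
		return "", "", fmt.Errorf("unexpected output %q", out)
	}
	return parts[0], parts[1], nil
}

func main() {
	// Constructed paths: "hub" is the cluster that holds the STS Secret.
	os.Setenv("KUBECONFIG", "/constructed/hub.kubeconfig")
	for _, viaEnv := range []bool{true, false} {
		c, h, err := runController("/constructed/envtest.kubeconfig", viaEnv)
		fmt.Printf("viaEnv=%v controller=%s helper=%s err=%v\n", viaEnv, c, h, err)
	}
}
```

In both modes the controller uses the envtest kubeconfig; only with the environment override does the helper follow it there.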