[OCPBUGS-38152] [GCP CAPI install] Shared VPC installation using service account having all required permissions failed due to cluster operator ingress degraded - Red Hat Issue Tracker

Type: Bug
Resolution: Done-Errata
Priority: Critical
Fix Version/s: None
Affects Version/s: 4.17.0
Component/s: Installer / openshift-installer
Labels:

Severity:
Important
Regression:
None
Epic Link:
Provision GCP with CAPI
Sprint:
Installer Sprint 257, Installer (PB) Sprint 258
sprint_count:
2
Release Blocker:
Proposed
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Type:
Release Note Not Required
Release Note Status:
In Progress
Target Version:

4.18.0
Target Backport Versions:

4.17.0

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Description of problem:

    Shared VPC installation using service account having all required permissions failed due to cluster operator ingress degraded, by telling error "error getting load balancer's firewall: googleapi: Error 403: Required 'compute.firewalls.get' permission for 'projects/openshift-qe-shared-vpc/global/firewalls/k8s-fw-a5b1f420669b3474d959cff80e8452dc'"

Version-Release number of selected component (if applicable):

    4.17.0-0.nightly-multi-2024-08-07-221959

How reproducible:

    Always

Steps to Reproduce:

1. "create install-config", then insert the interested settings (see [1])
2. "create cluster" (see [2])

Actual results:

    Installation failed, because cluster operator ingress degraded (see [2] and [3]). 

$ oc get co ingress
NAME      VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
ingress             False       True          True       113m    The "default" ingress controller reports Available=False: IngressControllerUnavailable: One or more status conditions indicate unavailable: LoadBalancerReady=False (SyncLoadBalancerFailed: The service-controller component is reporting SyncLoadBalancerFailed events like: Error syncing load balancer: failed to ensure load balancer: error getting load balancer's firewall: googleapi: Error 403: Required 'compute.firewalls.get' permission for 'projects/openshift-qe-shared-vpc/global/firewalls/k8s-fw-a5b1f420669b3474d959cff80e8452dc', forbidden...
$ 

In fact the mentioned k8s firewall-rule doesn't exist in the host project (see [4]), and, the given service account does have enough permissions (see [6]).

Expected results:

    Installation succeeds, and all cluster operators are healthy.

Additional info:

blocks

OCPBUGS-38246 [GCP CAPI install] Shared VPC installation using service account having all required permissions failed due to cluster operator ingress degraded

Closed

is cloned by

OCPBUGS-38246 [GCP CAPI install] Shared VPC installation using service account having all required permissions failed due to cluster operator ingress degraded

Closed

is related to

OCPBUGS-38689 [gcp] uninstalling failed to delete k8s firewall-rules for a Shared VPC installation using minimum permissions

Closed

relates to

CORS-3525 Provision GCP with CAPI (GA)

Closed

links to

openshift/installer#8815: OCPBUGS-38152: Add roles needed for shared VPC

RHEA-2024:6122 OpenShift Container Platform 4.18.z bug fix update

(1 links to)

Assignee:: Robert Fournier

Reporter:: Jianli Wei

QA Contact:: Jianli Wei

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2024/08/08 8:13 AM

Updated:: 2025/02/25 4:45 AM

Resolved:: 2025/02/25 4:45 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates