Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Critical
Fix Version/s: None
Affects Version/s: 4.17.0
Component/s: Installer / openshift-installer
Labels:
- TestBlocker

Severity:
Important
Regression:
None
Epic Link:
Provision GCP with CAPI
Sprint:
Installer Sprint 257, Installer (PB) Sprint 258
sprint_count:
2
Release Blocker:
Proposed
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:
N/A
Release Note Type:
Release Note Not Required
Release Note Status:
Done
Target Version:

4.17.0
Target Backport Versions:

4.17.0

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

This is a clone of issue OCPBUGS-38152. The following is the description of the original issue:
—
Description of problem:

    Shared VPC installation using service account having all required permissions failed due to cluster operator ingress degraded, by telling error "error getting load balancer's firewall: googleapi: Error 403: Required 'compute.firewalls.get' permission for 'projects/openshift-qe-shared-vpc/global/firewalls/k8s-fw-a5b1f420669b3474d959cff80e8452dc'"

Version-Release number of selected component (if applicable):

    4.17.0-0.nightly-multi-2024-08-07-221959

How reproducible:

    Always

Steps to Reproduce:

1. "create install-config", then insert the interested settings (see [1])
2. "create cluster" (see [2])

Actual results:

    Installation failed, because cluster operator ingress degraded (see [2] and [3]). 

$ oc get co ingress
NAME      VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
ingress             False       True          True       113m    The "default" ingress controller reports Available=False: IngressControllerUnavailable: One or more status conditions indicate unavailable: LoadBalancerReady=False (SyncLoadBalancerFailed: The service-controller component is reporting SyncLoadBalancerFailed events like: Error syncing load balancer: failed to ensure load balancer: error getting load balancer's firewall: googleapi: Error 403: Required 'compute.firewalls.get' permission for 'projects/openshift-qe-shared-vpc/global/firewalls/k8s-fw-a5b1f420669b3474d959cff80e8452dc', forbidden...
$ 

In fact the mentioned k8s firewall-rule doesn't exist in the host project (see [4]), and, the given service account does have enough permissions (see [6]).

Expected results:

    Installation succeeds, and all cluster operators are healthy.

Additional info:

clones

OCPBUGS-38152 [GCP CAPI install] Shared VPC installation using service account having all required permissions failed due to cluster operator ingress degraded

Verified

is blocked by

OCPBUGS-38152 [GCP CAPI install] Shared VPC installation using service account having all required permissions failed due to cluster operator ingress degraded

Verified

links to

openshift/installer#8866: [release-4.17] OCPBUGS-38246: Add roles needed for shared VPC

RHEA-2024:3718 OpenShift Container Platform 4.17.z bug fix update

Assignee:: Robert Fournier

Reporter:: OpenShift Prow Bot

QA Contact:: Jianli Wei

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2024/08/09 2:13 PM

Updated:: 2024/10/01 5:41 PM

Resolved:: 2024/10/01 5:41 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates