Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-42196

Azure private account setup with vnet discovery fails to find vnet by tag

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • 4.17, 4.18
    • Image Registry
    • +
    • None
    • False
    • Hide

      None

      Show
      None
    • Hide
      In OpenShift 4.17, openshift installs with openshift installer by default use the cluster api. Virtual networks created by the cluster api use a different tag template. With this change, the image registry operator attempts to discover by this new tag template, as well as the previous tag template.
      Show
      In OpenShift 4.17, openshift installs with openshift installer by default use the cluster api. Virtual networks created by the cluster api use a different tag template. With this change, the image registry operator attempts to discover by this new tag template, as well as the previous tag template.
    • Bug Fix
    • In Progress

      Description of problem:

          When setting .spec.storage.azure.networkAccess.type: Internal (without providing vnet and subnet names), the image registry will attempt to discover the vnet by tag. 
      
      Previous to the installer switching to cluster-api, the vnet tagging happened here: https://github.com/openshift/installer/blob/10951c555dec2f156fad77ef43b9fb0824520015/pkg/asset/cluster/azure/azure.go#L79-L92.
      
      After the switch to cluster-api, this code no longer seems to be in use, so the tags are no longer there.
      
      From inspection of a failed job, the new tags in use seem to be in the form of `sigs.k8s.io_cluster-api-provider-azure_cluster_$infraID` instead of the previous `kubernetes.io_cluster.$infraID`.
      
      Image registry operator code responsible for this: https://github.com/openshift/cluster-image-registry-operator/blob/master/pkg/storage/azure/azure.go?plain=1#L678-L682
      
      More details in slack discussion with installer team: https://redhat-internal.slack.com/archives/C68TNFWA2/p1726732108990319

      Version-Release number of selected component (if applicable):

          4.17, 4.18

      How reproducible:

          Always

      Steps to Reproduce:

          1. Get an Azure 4.17 or 4.18 cluster
          2. oc edit configs.imageregistry/cluster
          3. set .spec.storage.azure.networkAccess.type to Internal  

      Actual results:

          The operator cannot find the vnet (look for "not found" in operator logs)

      Expected results:

          The operator should be able to find the vnet by tag and configure the storage account as private

      Additional info:

      If we make the switch to look for vnet tagged with `sigs.k8s.io_cluster-api-provider-azure_cluster_$infraID`, one thing that needs to be tested is BYO vnet/subnet clusters. What I have currently observed in CI is that the cluster has the new tag key with `owned` value, but for BYO networks the value *should* be `shared`, but I have not tested it.
      ---
      
      Although this bug is a regression, I'm not going to mark it as such because this affects a fairly new feature (introduced on 4.15), and there's a very easy workaround (manually setting the vnet and subnet names when configuring network access to internal).

       

              fmissi Flavian Missi
              fmissi Flavian Missi
              XiuJuan Wang XiuJuan Wang
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated: