Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-42394

Azure private account setup with vnet discovery fails to find vnet by tag

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • None
    • 4.17, 4.18
    • Image Registry
    • None
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, the Cluster API used an unsupported tag template for a virtual network installation when compared with the default non-cluster-API-provisioned installation. This caused the Image Registry Operator to enter a degraded state when configured with `networkAccess: Internal`. With this release, the Image Registry Operator now supports both tag templates so that this issue no longer exists. (link:https://issues.redhat.com/browse/OCPBUGS-42394[*OCPBUGS-42394*])
      Show
      * Previously, the Cluster API used an unsupported tag template for a virtual network installation when compared with the default non-cluster-API-provisioned installation. This caused the Image Registry Operator to enter a degraded state when configured with `networkAccess: Internal`. With this release, the Image Registry Operator now supports both tag templates so that this issue no longer exists. (link: https://issues.redhat.com/browse/OCPBUGS-42394 [* OCPBUGS-42394 *])
    • Bug Fix
    • Done

      This is a clone of issue OCPBUGS-42196. The following is the description of the original issue:

      Description of problem:

          When setting .spec.storage.azure.networkAccess.type: Internal (without providing vnet and subnet names), the image registry will attempt to discover the vnet by tag. 

Previous to the installer switching to cluster-api, the vnet tagging happened here: https://github.com/openshift/installer/blob/10951c555dec2f156fad77ef43b9fb0824520015/pkg/asset/cluster/azure/azure.go#L79-L92.

After the switch to cluster-api, this code no longer seems to be in use, so the tags are no longer there.

From inspection of a failed job, the new tags in use seem to be in the form of `sigs.k8s.io_cluster-api-provider-azure_cluster_$infraID` instead of the previous `kubernetes.io_cluster.$infraID`.

Image registry operator code responsible for this: https://github.com/openshift/cluster-image-registry-operator/blob/master/pkg/storage/azure/azure.go?plain=1#L678-L682

More details in slack discussion with installer team: https://redhat-internal.slack.com/archives/C68TNFWA2/p1726732108990319

      Version-Release number of selected component (if applicable):

          4.17, 4.18

      How reproducible:

          Always

      Steps to Reproduce:

          1. Get an Azure 4.17 or 4.18 cluster
    2. oc edit configs.imageregistry/cluster
    3. set .spec.storage.azure.networkAccess.type to Internal 

      Actual results:

          The operator cannot find the vnet (look for "not found" in operator logs)

      Expected results:

          The operator should be able to find the vnet by tag and configure the storage account as private

      Additional info:

      If we make the switch to look for vnet tagged with `sigs.k8s.io_cluster-api-provider-azure_cluster_$infraID`, one thing that needs to be tested is BYO vnet/subnet clusters. What I have currently observed in CI is that the cluster has the new tag key with `owned` value, but for BYO networks the value *should* be `shared`, but I have not tested it.
---

Although this bug is a regression, I'm not going to mark it as such because this affects a fairly new feature (introduced on 4.15), and there's a very easy workaround (manually setting the vnet and subnet names when configuring network access to internal).

       

            fmissi Flavian Missi
            openshift-crt-jira-prow OpenShift Prow Bot
            XiuJuan Wang XiuJuan Wang
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: