- Bug
- Resolution: Unresolved
- Normal
- None
- 4.15.z, 4.16.z
- None
- Hypershift Sprint 260, Hypershift Sprint 261, Hypershift Sprint 262
- 3
- False
Description of problem:
After the ROSA HCP cluster is uninstalled, the default worker Security Groups are not deleted
Version-Release number of selected component (if applicable):
4.15.z
How reproducible:
100%
Steps to Reproduce:
1. Install a ROSA HCP cluster with Private connectivity
2. Create a Security Group in the VPC and add red-hat-managed = true tag so AWS Managed Policies can modify VPC Endpoint
3. Attach Security Group to VPC Endpoint to allow access to the API Server from outside of MachineCIDR range.
4. Delete the cluster
Actual results:
The default worker SG (not modified by the user) is not getting deleted
Expected results:
The default worker SG is cleaned up.
Additional info:
1. The AWS Tag is added because AWS Managed Policies allow the Control Plane Operator to modify the VPC Endpoint only on those resources that have that Tag.
2. Private API Server endpoints are accessible only from MachineCIDR, so to access them from a private data center or other VPCs, either new ingress rules must be added to the default SG or a new SG with ingress rules must be attached to the VPC Endpoint.

Uninstallation Logs:
$ rosa logs uninstall -c bala-hcp-ing --watch
W: The current version (1.2.44) is not up to date with latest released version (1.2.45).
W: It is recommended that you update to the latest version.
| 2024-09-24 21:14:08 +0000 UTC hostedclusters bala-hcp-ing failed to get controlPlaneOperatorImageLabels: failed to look up image metadata for quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b9934eec496776d9a24916e3318f51977f053af8d509b4d5b34caa92cde6d033: failed to obtain root manifest for quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b9934eec496776d9a24916e3318f51977f053af8d509b4d5b34caa92cde6d033: unable to retrieve source image quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b9934eec496776d9a24916e3318f51977f053af8d509b4d5b34caa92cde6d033 manifest #4 from manifest list: received unexpected HTTP status: 502 Bad Gateway
2024-09-24 21:14:19 +0000 UTC hostedclusters bala-hcp-ing Reconciliation completed successfully
/ 2024-09-24 21:16:58 +0000 UTC hostedclusters bala-hcp-ing Reconciliation completed successfully
/ 2024-09-24 21:18:39 +0000 UTC hostedclusters bala-hcp-ing failed to delete security group sg-09f6de92b4c4efb22: DependencyViolation
2024-09-24 21:18:40 +0000 UTC hostedclusters bala-hcp-ing Remaining resources: image-registry,loadbalancers,persistent-volumes
- 2024-09-24 21:16:58 +0000 UTC hostedclusters bala-hcp-ing Reconciliation completed successfully
2024-09-24 21:18:39 +0000 UTC hostedclusters bala-hcp-ing failed to delete security group sg-09f6de92b4c4efb22: DependencyViolation
2024-09-24 21:18:40 +0000 UTC hostedclusters bala-hcp-ing Remaining resources: persistent-volumes
- 2024-09-24 21:16:58 +0000 UTC hostedclusters bala-hcp-ing Reconciliation completed successfully
2024-09-24 21:18:39 +0000 UTC hostedclusters bala-hcp-ing failed to delete security group sg-09f6de92b4c4efb22: DependencyViolation
2024-09-24 21:25:19 +0000 UTC hostedclusters bala-hcp-ing All guest resources destroyed
2024-09-24 21:25:21 +0000 UTC hostedclusters bala-hcp-ing ValidAWSIdentityProvider StatusUnknown
/ I: Cluster 'bala-hcp-ing' completed uninstallation
- relates to
- RFE-6251 Additional SG support on VPC Endpoint
- Under Review
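An added example, not part of the original ticket or of the ROSA/HyperShift code: a small Python check over `rosa logs uninstall --watch` output that lists security groups whose deletion failed even though the log ends with "completed uninstallation", the pattern seen in the uninstallation log above. The sample log, cluster name and SG id are constructed, and the line formats are assumed from the log shown on this page.

```python
import re

# Constructed sample modelled on the uninstall log in this ticket
# (demo-hcp and sg-0123456789abcdef0 are made-up values).
SAMPLE_LOG = """\
| 2024-01-01 10:00:00 +0000 UTC hostedclusters demo-hcp Reconciliation completed successfully
/ 2024-01-01 10:02:00 +0000 UTC hostedclusters demo-hcp failed to delete security group sg-0123456789abcdef0: DependencyViolation
2024-01-01 10:02:01 +0000 UTC hostedclusters demo-hcp Remaining resources: persistent-volumes
- 2024-01-01 10:02:00 +0000 UTC hostedclusters demo-hcp failed to delete security group sg-0123456789abcdef0: DependencyViolation
2024-01-01 10:08:00 +0000 UTC hostedclusters demo-hcp All guest resources destroyed
/ I: Cluster 'demo-hcp' completed uninstallation
"""

SPINNER = re.compile(r"^[|/\\-]\s+")  # progress spinner left by --watch
SG_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*"
    r"failed to delete security group (?P<sg>sg-[0-9a-f]+): (?P<code>\w+)")
DONE = re.compile(r"^I: Cluster '(?P<name>[^']+)' completed uninstallation")

def audit_uninstall_log(text):
    """Return SG delete failures and whether uninstall still reported success."""
    failures = {}   # sg id -> error code, first timestamp, distinct reports
    seen = set()    # --watch redraws repeat lines; count each line once
    completed = None
    for raw in text.splitlines():
        line = SPINNER.sub("", raw.strip())
        if not line or line in seen:
            continue
        seen.add(line)
        m = SG_FAIL.match(line)
        if m:
            entry = failures.setdefault(
                m["sg"], {"code": m["code"], "first_seen": m["ts"], "reports": 0})
            entry["reports"] += 1
            continue
        m = DONE.match(line)
        if m:
            completed = m["name"]
    # Assumption: the log carries no line confirming a later successful delete,
    # so every SG that failed before completion needs a manual check in the VPC.
    return {"cluster": completed,
            "failed_sgs": failures,
            "needs_review": sorted(failures) if completed else []}

if __name__ == "__main__":
    print(audit_uninstall_log(SAMPLE_LOG))
```

Each id in `needs_review` is a security group to look up in the cluster's VPC after uninstallation, since the log alone does not show whether it was eventually removed.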