Description of problem:
The operator cannot succeed removing resources when networkAccess is set to Removed. It looks like the authorization error changes from bloberror.AuthorizationPermissionMismatch to bloberror.AuthorizationFailure after the storage account becomes private (networkAccess: Internal). This is either caused by weird behavior in the azure sdk, or in the azure api itself. The easiest way to solve it is to also handle bloberror.AuthorizationFailure here: https://github.com/openshift/cluster-image-registry-operator/blob/master/pkg/storage/azure/azure.go?plain=1#L1145 The error condition is the following: status: conditions: - lastTransitionTime: "2024-09-27T09:04:20Z" message: "Unable to delete storage container: DELETE https://imageregistrywxj927q6bpj.blob.core.windows.net/wxj-927d-jv8fc-image-registry-rwccleepmieiyukdxbhasjyvklsshhee\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 This request is not authorized to perform this operation.\nERROR CODE: AuthorizationFailure\n--------------------------------------------------------------------------------\n\uFEFF<?xml version=\"1.0\" encoding=\"utf-8\"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.\nRequestId:ababfe86-301e-0005-73bd-10d7af000000\nTime:2024-09-27T09:10:46.1231255Z</Message></Error>\n--------------------------------------------------------------------------------\n" reason: AzureError status: Unknown type: StorageExists - lastTransitionTime: "2024-09-27T09:02:26Z" message: The registry is removed reason: Removed status: "True" type: Available
Version-Release number of selected component (if applicable):
4.18, 4.17, 4.16 (needs confirmation), 4.15 (needs confirmation)
How reproducible:
Always
Steps to Reproduce:
1. Get an Azure cluster 2. In the operator config, set networkAccess to Internal 3. Wait until the operator reconciles the change (watch networkAccess in status with `oc get configs.imageregistry/cluster -oyaml |yq '.status.storage'`) 4. In the operator config, set management state to removed: `oc patch configs.imageregistry/cluster -p '{"spec":{"managementState":"Removed"}}' --type=merge` 5. Watch the cluster operator conditions for the error
Actual results:
Expected results:
Additional info:
- blocks
-
OCPBUGS-43350 Image registry operator becomes degraded when setting management state to Removed when networkAccess is set to Internal
- Closed
- is cloned by
-
OCPBUGS-43350 Image registry operator becomes degraded when setting management state to Removed when networkAccess is set to Internal
- Closed
- relates to
-
OCPBUGS-42196 Azure private account setup with vnet discovery fails to find vnet by tag
- Verified
- links to
-
RHEA-2024:6122 OpenShift Container Platform 4.18.z bug fix update