- Bug
- Resolution: Done-Errata
- Normal
- 4.14.z
Description of problem:
Following a 4.12.53 > 4.13.48 > 4.14.35 cluster upgrade path, a customer scaled up one of their cluster's MachineSets, at which point they spotted the following error:
"ocp-lmwfc-infra-westeurope3b-8c48v: reconciler failed to Create machine: error launching instance: googleapi: Error 400: Invalid value for field 'resource.shieldedInstanceConfig': '{ "enableVtpm": true, "enableIntegrityMonitoring": true}'. Shielded VM Config can only be set when using a UEFI-compatible disk., invalid"
At that point they noticed the following new parameters in their MachineSet: `.spec.template.spec.providerSpec.value.shieldedInstanceConfig`
The above seems to be related to commit 8bc61bd, introduced in RHOCP 4.13:
- https://github.com/openshift/machine-api-provider-gcp/commit/8bc61bddf5cf01fce2462808afad3ab4e773c13e
- https://issues.redhat.com/browse/OCPSTRAT-632
Version-Release number of selected component (if applicable):
4.14.35
Actual results:
As of now, shieldedInstanceConfig seems to be reconciled automatically into the MachineSet, even when the cluster may be using non-UEFI-compatible disks.
Expected results:
shieldedInstanceConfig should only be enabled when the cluster is using UEFI-compatible disks.
Additional info:
- The customer worked around this by disabling vTPM & IntegrityMonitoring in their MachineSet ShieldedInstanceConfig.
- The `compute-api.json` seems to suggest shieldedInstanceConfig is enabled by default (which breaks compatibility with non-UEFI-compatible disks):
$ curl -s https://raw.githubusercontent.com/openshift/machine-api-provider-gcp/refs/heads/release-4.13/vendor/google.golang.org/api/compute/v1/compute-api.json | sed -n '61048,61066p'
    "ShieldedInstanceConfig": {
      "description": "A set of Shielded Instance options.",
      "id": "ShieldedInstanceConfig",
      "properties": {
        "enableIntegrityMonitoring": {
          "description": "Defines whether the instance has integrity monitoring enabled. Enabled by default.", <<<----------
          "type": "boolean"
        },
        "enableSecureBoot": {
          "description": "Defines whether the instance has Secure Boot enabled. Disabled by default.",
          "type": "boolean"
        },
        "enableVtpm": {
          "description": "Defines whether the instance has the vTPM enabled. Enabled by default.", <<<----------
          "type": "boolean"
        }
      },
      "type": "object"
    },
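As an added example (not code from machine-api-provider-gcp or from the reporter), the pre-flight check below encodes the GCP-side rule behind the quoted Error 400 and applies the customer's workaround: given the shieldedInstanceConfig the reconciler would send and the boot image's guestOsFeatures (GCP marks UEFI support with a UEFI_COMPATIBLE entry there), it reports the options the API would reject and returns a config with them explicitly disabled. The sample config and image feature lists are constructed, and the function names are my own.

```python
"""Pre-flight check for a GCP shieldedInstanceConfig against the boot image.

Constructed example, not machine-api-provider-gcp code. The compute API rejects
an instance insert whose shieldedInstanceConfig enables Secure Boot, vTPM or
integrity monitoring when the boot disk image is not UEFI-compatible; that is
the "Shielded VM Config can only be set when using a UEFI-compatible disk"
error quoted in the description.
"""

# Field names as they appear in the compute-api.json schema quoted above.
SHIELDED_OPTIONS = ("enableSecureBoot", "enableVtpm", "enableIntegrityMonitoring")


def image_is_uefi_compatible(guest_os_features):
    """guest_os_features is the image's guestOsFeatures list, for example from
    `gcloud compute images describe IMAGE --format=json`."""
    return any(f.get("type") == "UEFI_COMPATIBLE" for f in guest_os_features)


def incompatible_shielded_options(shielded_cfg, guest_os_features):
    """Return the shieldedInstanceConfig keys GCP would reject for this image.
    A UEFI-compatible image accepts any combination, so nothing is reported."""
    if image_is_uefi_compatible(guest_os_features):
        return []
    return [k for k in SHIELDED_OPTIONS if shielded_cfg.get(k) is True]


def sanitize_shielded_config(shielded_cfg, guest_os_features):
    """Apply the workaround from the report: explicitly set every shielded
    option the image cannot support to False, leaving the rest untouched."""
    fixed = dict(shielded_cfg)
    for key in incompatible_shielded_options(shielded_cfg, guest_os_features):
        fixed[key] = False
    return fixed


# Constructed sample input: the config from the failing Machine, a legacy BIOS
# image with no UEFI_COMPATIBLE feature, and a UEFI-capable image.
CUSTOMER_SHIELDED_CFG = {"enableVtpm": True, "enableIntegrityMonitoring": True}
BIOS_IMAGE_FEATURES = [{"type": "VIRTIO_SCSI_MULTIQUEUE"}]
UEFI_IMAGE_FEATURES = [{"type": "UEFI_COMPATIBLE"}, {"type": "GVNIC"}]

if __name__ == "__main__":
    for name, feats in (("bios", BIOS_IMAGE_FEATURES), ("uefi", UEFI_IMAGE_FEATURES)):
        rejected = incompatible_shielded_options(CUSTOMER_SHIELDED_CFG, feats)
        print(name, "would be rejected for" if rejected else "ok", rejected,
              "->", sanitize_shielded_config(CUSTOMER_SHIELDED_CFG, feats))
```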
- blocks: OCPBUGS-52494 GCP MAPI seemingly reconciles MachineSet with incompatible shieldedInstanceConfig (Closed)
- is cloned by: OCPBUGS-52494 GCP MAPI seemingly reconciles MachineSet with incompatible shieldedInstanceConfig (Closed)
- is triggering: OCPCLOUD-2906 Corrective Measure for OCPBUGS-44671: GCP MAPI seemingly reconciles MachineSet with incompatible shieldedInstanceConfig (Closed)
- links to: RHEA-2024:11038 OpenShift Container Platform 4.19.z bug fix update