Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: 4.19.0
Affects Version/s: 4.17, 4.18
Component/s: Installer / openshift-installer
Labels:
- triaged

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Moderate
Regression:
None

Target Backport Versions:

4.17.z, 4.18.z
Target Version:

4.19.0
Release Blocker:
Rejected
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
* Previously, when destroying a cluster that was installed on {azure-first}, the inbound NAT rules and security groups for the bootstrap node were not deleted. With this update, the correct resource group ensures that all resources are deleted when the cluster is destroyed. (link:https://issues.redhat.com/browse/OCPBUGS-45429[~~OCPBUGS-45429~~])

Show
* Previously, when destroying a cluster that was installed on {azure-first}, the inbound NAT rules and security groups for the bootstrap node were not deleted. With this update, the correct resource group ensures that all resources are deleted when the cluster is destroyed. (link: https://issues.redhat.com/browse/OCPBUGS-45429 [ OCPBUGS-45429 ])

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

Install cluster in existing resource group, 

After bootstrap server is destroyed, inboundNatRule ssh_in in external load balancer is not deleted. ssh nsg rule is also leftover in nsg.

$ az network lb list -g ci-op-vq47c2zq-11f79-rg -otable
Location    Name                                 ProvisioningState    ResourceGroup            ResourceGuid
----------  -----------------------------------  -------------------  -----------------------  ------------------------------------
centralus   ci-op-vq47c2zq-11f79-xhl4q           Succeeded            ci-op-vq47c2zq-11f79-rg  282960e6-014e-4abe-8f61-2782cd82ca82
centralus   ci-op-vq47c2zq-11f79-xhl4q-internal  Succeeded            ci-op-vq47c2zq-11f79-rg  0e3afbf2-f2b2-4f59-8771-ccef9457fd90

$ az network lb inbound-nat-rule list --lb-name ci-op-vq47c2zq-11f79-xhl4q -g ci-op-vq47c2zq-11f79-rg -otable
BackendPort    EnableFloatingIP    EnableTcpReset    FrontendPort    IdleTimeoutInMinutes    Name                               Protocol    ProvisioningState    ResourceGroup
-------------  ------------------  ----------------  --------------  ----------------------  ---------------------------------  ----------  -------------------  -----------------------
22             False               False             22              4                       ci-op-vq47c2zq-11f79-xhl4q_ssh_in  Tcp         Succeeded            ci-op-vq47c2zq-11f79-rg
    

$ az network nsg rule list --nsg-name ci-op-vq47c2zq-11f79-xhl4q-nsg -g ci-op-vq47c2zq-11f79-rg -otable
Name                                                      ResourceGroup            Priority    SourcePortRanges    SourceAddressPrefixes    SourceASG    Access    Protocol    Direction    DestinationPortRanges    DestinationAddressPrefixes    DestinationASG
--------------------------------------------------------  -----------------------  ----------  ------------------  -----------------------  -----------  --------  ----------  -----------  -----------------------  ----------------------------  ----------------
apiserver_in                                              ci-op-vq47c2zq-11f79-rg  101         *                   *                        None         Allow     Tcp         Inbound      6443                     *                             None
ci-op-vq47c2zq-11f79-xhl4q_ssh_in                         ci-op-vq47c2zq-11f79-rg  220         *                   *                        None         Allow     Tcp         Inbound      22                       *                             None
k8s-azure-lb_allow_IPv4_556f7044ec033071ec0dfcf7cd85bc93  ci-op-vq47c2zq-11f79-rg  500         *                   Internet                 None         Allow     Tcp         Inbound      443 80                   48.214.241.65                 None

Version-Release number of selected component (if applicable):

    4.18 nightly build

How reproducible:

    Always

Steps to Reproduce:

    1. Specify platform.azure.resourceGroupName to pre-created resource group name in install-config
    2. Install cluster
    3.

Actual results:

    InboundNatRule in external load balancer and ssh nsg rule in nsg are leftover after bootstrap server is deleted.

Expected results:

    All resources associated with bootstrap should be removed after bootstrap server is destroyed.

Additional info:

   Look like that resource group name is hard-coded as "<infrad-id>-rg" in post destroy, see code: https://github.com/openshift/installer/blob/master/pkg/infrastructure/azure/azure.go#L717

links to

openshift/installer#9487: OCPBUGS-45429: Set the right resource group in bootstrap destroy

RHEA-2024:11038 OpenShift Container Platform 4.19.z bug fix update

Assignee:: Aditya Narayanaswamy

Reporter:: Jinyun Ma

Need Info From:: None

Contributors:: None

QA Contact:: Jinyun Ma

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2024/12/04 6:54 AM

Updated:: 2025/07/18 1:22 PM

Resolved:: 2025/06/17 4:53 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide