Description of problem:
When creating a Hosted Cluster with custom KMS encryption on AWS, HyperShift runs a validation and fills in the ValidAWSKMSConfig condition accordingly.
This requires a service account token that is retrieved through the admin-kubeconfig.
But the admin-kubeconfig does not contain the custom CA set on the API server (see OCPBUGS-8101).
In ROSA HCP we set a Let's Encrypt certificate.
This results in the condition failing on an x509 error, because the admin-kubeconfig was generated at startup with a self-signed CA.
So in the condition we get:
{
    "lastTransitionTime": "2025-01-30T10:16:29Z",
    "message": "failed to create token for KMS provider service account: failed to get serviceaccount: Get \"https://api.ad-int1.clpp.i3.devshift.org:443/api/v1/namespaces/kube-system/serviceaccounts/kms-provider\": EOF",
    "observedGeneration": 1,
    "reason": "StatusUnknown",
    "status": "Unknown",
    "type": "ValidAWSKMSConfig"
},
This hides the rest of the validation, so errors like a bad KMS ARN are not bubbled up in the HostedCluster. The successful condition is not visible either.
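The failure mode above, as an added example that is not HyperShift's code: a client whose trust store holds only the bootstrap CA cannot reach the API endpoint served with a different certificate, so the real API answer (the constructed 403 here, standing in for a bad-ARN or access-denied result) never surfaces; extending the roots with the CA that actually serves the endpoint lets it through. The service-account path and the 403 handler are constructed for the demo.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newClient trusts only roots, like a client built from a kubeconfig's certificate-authority-data.
func newClient(roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
	}}
}

// getServiceAccount mirrors the validation's GET; untrustedCA flags an x509 trust failure (nothing was validated).
func getServiceAccount(c *http.Client, url string) (status int, untrustedCA bool, err error) {
	resp, err := c.Get(url)
	if err != nil {
		var unknown x509.UnknownAuthorityError
		return 0, errors.As(err, &unknown), err
	}
	defer resp.Body.Close()
	return resp.StatusCode, false, nil
}

// Demo queries a constructed endpoint with roots that did not issue its certificate, then with that certificate added.
func Demo() (untrustedCA bool, fixedStatus int, err error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusForbidden) // constructed: an RBAC answer the condition should surface
	}))
	defer srv.Close()
	url := srv.URL + "/api/v1/namespaces/kube-system/serviceaccounts/kms-provider"

	staleRoots := x509.NewCertPool() // only the bootstrap CA: nothing here issued srv's certificate
	_, untrustedCA, _ = getServiceAccount(newClient(staleRoots), url)

	fixedRoots := x509.NewCertPool()
	fixedRoots.AddCert(srv.Certificate()) // the custom CA actually serving the API endpoint
	fixedStatus, _, err = getServiceAccount(newClient(fixedRoots), url)
	return untrustedCA, fixedStatus, err
}

func main() {
	untrusted, status, err := Demo()
	fmt.Printf("stale roots: x509=%v; extended roots: HTTP %d err=%v\n", untrusted, status, err)
}
```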
Version-Release number of selected component (if applicable):
4.16, 4.17
How reproducible:
Always
Steps to Reproduce:
1. Create an HC on AWS with a custom KMS ARN that the AWS roles can't access
2. Check HC conditions
Actual results:
x509 error
Expected results:
Something like:
failed to decrypt AccessDeniedException: User: arn:aws:sts::765374464689:assumed-role/ad-int1-i2c3-kube-system-kms-provider/1738239490285587015 is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:us-west-2:765374464689:key/49d275b0-4a04-4e79-a2b1-6fe87faf518e because no identity-based policy allows the kms:Decrypt action
Additional info: