OCPBUGS-52203

[GCP] with valid encryptionKey.kmsKey.keyRing, the installer always reports "failed to find key ring"

      Release Note Text:

      * Previously, when installing a cluster on {gcp-short} with a user-provided encryption key, the installation program could fail to find the key ring. With this update, the installation program finds the user-provided encryption key ring so the installation does not fail. link:https://issues.redhat.com/browse/OCPBUGS-52203[OCPBUGS-52203]

      Description of problem:

          With a valid encryptionKey.kmsKey.keyRing, the installer always reports "failed to find key ring".

      Version-Release number of selected component (if applicable):

          4.19.0-0.nightly-multi-2025-03-02-183028

      How reproducible:

          Always

      Steps to Reproduce:

          1. "create install-config", then edit the install-config.yaml to insert platform.gcp.defaultMachinePool.encryptionKey settings (see [1])
          2. "create cluster" (or "create manifests")    

      Actual results:

          ERROR failed to fetch Master Machines: failed to load asset "Install Config": failed to create install config: platform.gcp.defaultMachinePool.encryptionKey.kmsKey.keyRing: Invalid value: "openshiftqe": failed to find key ring openshiftqe
      

      Expected results:

          There should be no error after granting the GCP credential in use the required role/permissions.
      

      Additional info:

      Initially we noticed the error, and then tried the "gcloud" command, which reports PERMISSION_DENIED.
      
      $ gcloud kms keyrings describe openshiftqe --location global
      ERROR: (gcloud.kms.keyrings.describe) PERMISSION_DENIED: Permission 'cloudkms.keyRings.get' denied on resource 'projects/openshift-qe/locations/global/keyRings/openshiftqe' (or it may not exist). This command is authenticated as aos-qe-serviceaccount@openshift-qe.iam.gserviceaccount.com which is the active account specified by the [core/account] property.
      
      So we granted the required role/permissions to the GCP credential in use (see [2]), and afterwards the "gcloud" command was able to describe the key ring.
      
      $ gcloud kms keyrings describe openshiftqe --location global
      createTime: '2019-09-11T09:16:31.778820230Z'
      name: projects/openshift-qe/locations/global/keyRings/openshiftqe
      $ gcloud kms keys get-iam-policy openshiftqe --keyring openshiftqe --location global
      bindings:
      - members:
        - serviceAccount:aos-qe-serviceaccount@openshift-qe.iam.gserviceaccount.com
        - serviceAccount:osd-ccs-admin@openshift-qe.iam.gserviceaccount.com
        - serviceAccount:service-1042363005003@compute-system.iam.gserviceaccount.com
        role: roles/cloudkms.cryptoKeyEncrypterDecrypter
      etag: BwYJJXEGrZs=
      version: 1
      $ gcloud config get account
      aos-qe-serviceaccount@openshift-qe.iam.gserviceaccount.com
      $ gcloud config get project
      openshift-qe
      $ 
      
      But the 4.19 installer "create cluster" (or "create manifests") still reports the error, although the 4.18 installer works (see [3]).
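      Added example (not part of the OpenShift installer or of this bug report): a pre-flight check to run as the credential the installer will use, before "create cluster". It exists because the gcloud message quoted above ends in "(or it may not exist)": GCP returns PERMISSION_DENIED both when the caller lacks cloudkms.keyRings.get and when the ring is absent, so the installer's "failed to find key ring" cannot be read literally. The script classifies the gcloud error, names the missing permission, and then confirms that the Compute Engine service agent (service-<project-number>@compute-system.iam.gserviceaccount.com, the third member in the IAM policy above) holds roles/cloudkms.cryptoKeyEncrypterDecrypter on the key, which disk encryption needs regardless of what the installer's own credential can see. The install-config field names projectID, location and name alongside keyRing are assumed from the installer's documented kmsKey schema (only keyRing appears in this report). The sample error and policy at the bottom are constructed from the text of this report so the classification runs offline; preflight_keyring is the live check and needs gcloud.

```shell
#!/bin/sh
# Pre-flight check for the GCP CMEK key ring named in install-config.yaml under
# platform.gcp.defaultMachinePool.encryptionKey.kmsKey. Added example; not part
# of the OpenShift installer or of this bug report.
set -eu

# Fully qualified key ring resource, as both the installer and gcloud name it.
kms_keyring_resource() {
  printf 'projects/%s/locations/%s/keyRings/%s\n' "$1" "$2" "$3"
}

# Classify the stderr of a failed "gcloud kms keyrings describe".
# GCP answers PERMISSION_DENIED both when the caller lacks cloudkms.keyRings.get
# and when the ring does not exist (hence "or it may not exist"), so the
# installer's "failed to find key ring" must not be taken at face value.
# Prints "<class> <permission-or-dash>".
classify_gcloud_error() {
  err="$1"
  if [ -z "$err" ]; then
    echo "ok -"
  elif printf '%s\n' "$err" | grep -q 'PERMISSION_DENIED'; then
    perm=$(printf '%s\n' "$err" \
      | sed -n "s/.*Permission '\([^']*\)' denied.*/\1/p" | head -n 1)
    echo "permission_denied ${perm:-unknown}"
  elif printf '%s\n' "$err" | grep -q 'NOT_FOUND'; then
    echo "not_found -"
  else
    echo "unknown -"
  fi
}

# Given "role<TAB>member" lines (one member per line, the shape produced by
# gcloud --flatten='bindings[].members' --format='value(bindings.role,bindings.members)'),
# succeed only if the member holds the role on the key.
has_binding() {
  printf '%s\n' "$1" | grep -qxF "$(printf '%s\t%s' "$2" "$3")"
}

# Live check; needs an authenticated gcloud and is not exercised by the sample
# run below. Assumed install-config fields: projectID, location, keyRing, name.
preflight_keyring() {
  project="$1"; location="$2"; keyring="$3"; key="$4"
  err=$(gcloud kms keyrings describe "$keyring" --location "$location" \
          --project "$project" 2>&1 >/dev/null) || true
  cls=$(classify_gcloud_error "$err" | cut -d' ' -f1)
  perm=$(classify_gcloud_error "$err" | cut -d' ' -f2)
  case "$cls" in
    ok) echo "readable: $(kms_keyring_resource "$project" "$location" "$keyring")" ;;
    permission_denied)
      echo "grant $perm (e.g. roles/cloudkms.viewer) to $(gcloud config get account)"
      return 1 ;;
    not_found) echo "key ring $keyring does not exist in $location"; return 1 ;;
    *) echo "unexpected gcloud error: $err"; return 1 ;;
  esac
  # Compute Engine encrypts disks through its service agent, which must hold
  # cryptoKeyEncrypterDecrypter on the key (see the IAM policy in this report).
  number=$(gcloud projects describe "$project" --format='value(projectNumber)')
  agent="serviceAccount:service-${number}@compute-system.iam.gserviceaccount.com"
  policy=$(gcloud kms keys get-iam-policy "$key" --keyring "$keyring" \
             --location "$location" --project "$project" \
             --flatten='bindings[].members' \
             --format='value(bindings.role,bindings.members)')
  has_binding "$policy" roles/cloudkms.cryptoKeyEncrypterDecrypter "$agent" \
    || { echo "$agent lacks roles/cloudkms.cryptoKeyEncrypterDecrypter on $key"; return 1; }
}

# Constructed samples taken from this report: the first gcloud error and the
# key's IAM policy, flattened to role<TAB>member lines.
SAMPLE_ERR="ERROR: (gcloud.kms.keyrings.describe) PERMISSION_DENIED: Permission 'cloudkms.keyRings.get' denied on resource 'projects/openshift-qe/locations/global/keyRings/openshiftqe' (or it may not exist)."
SAMPLE_POLICY=$(printf 'roles/cloudkms.cryptoKeyEncrypterDecrypter\tserviceAccount:aos-qe-serviceaccount@openshift-qe.iam.gserviceaccount.com\nroles/cloudkms.cryptoKeyEncrypterDecrypter\tserviceAccount:service-1042363005003@compute-system.iam.gserviceaccount.com\n')

classify_gcloud_error "$SAMPLE_ERR"   # permission_denied cloudkms.keyRings.get
has_binding "$SAMPLE_POLICY" roles/cloudkms.cryptoKeyEncrypterDecrypter \
  serviceAccount:service-1042363005003@compute-system.iam.gserviceaccount.com \
  && echo "compute service agent can use the key"
```

      Usage for the live path is preflight_keyring PROJECT_ID LOCATION KEY_RING KEY_NAME with the four values copied from the kmsKey block. A permission_denied result with cloudkms.keyRings.get is the state this report started in; granting a role that carries that permission to the active account and re-running distinguishes "no access" from "no such ring", which the installer's message alone does not.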

              People:
              rh-ee-bbarbach Brent Barbachem
              rhn-support-jiwei Jianli Wei