Bug
Resolution: Done-Errata
Critical
4.19.0
Quality / Stability / Reliability
False
Important
Yes
Proposed
Done
Bug Fix
Description of problem:
With a valid encryptionKey.kmsKey.keyRing, the installer always reports "failed to find key ring".
Version-Release number of selected component (if applicable):
4.19.0-0.nightly-multi-2025-03-02-183028
How reproducible:
Always
Steps to Reproduce:
1. "create install-config", then edit the install-config.yaml to insert platform.gcp.defaultMachinePool.encryptionKey settings (see [1])
2. "create cluster" (or "create manifests")
Actual results:
ERROR failed to fetch Master Machines: failed to load asset "Install Config": failed to create install config: platform.gcp.defaultMachinePool.encryptionKey.kmsKey.keyRing: Invalid value: "openshiftqe": failed to find key ring openshiftqe
Expected results:
There should be no error, after granting the GCP credential in use the required role/permissions.
Additional info:
Initially we noticed the error, and then tried the "gcloud" command, which reports PERMISSION_DENIED.

$ gcloud kms keyrings describe openshiftqe --location global
ERROR: (gcloud.kms.keyrings.describe) PERMISSION_DENIED: Permission 'cloudkms.keyRings.get' denied on resource 'projects/openshift-qe/locations/global/keyRings/openshiftqe' (or it may not exist). This command is authenticated as aos-qe-serviceaccount@openshift-qe.iam.gserviceaccount.com which is the active account specified by the [core/account] property.

So we granted the required role/permissions to the GCP credential in use (see [2]), and finally the "gcloud" command is able to describe the keyring.

$ gcloud kms keyrings describe openshiftqe --location global
createTime: '2019-09-11T09:16:31.778820230Z'
name: projects/openshift-qe/locations/global/keyRings/openshiftqe
$ gcloud kms keys get-iam-policy openshiftqe --keyring openshiftqe --location global
bindings:
- members:
  - serviceAccount:aos-qe-serviceaccount@openshift-qe.iam.gserviceaccount.com
  - serviceAccount:osd-ccs-admin@openshift-qe.iam.gserviceaccount.com
  - serviceAccount:service-1042363005003@compute-system.iam.gserviceaccount.com
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
etag: BwYJJXEGrZs=
version: 1
$ gcloud config get account
aos-qe-serviceaccount@openshift-qe.iam.gserviceaccount.com
$ gcloud config get project
openshift-qe
$

But the 4.19 installer "create cluster" (or "create manifests") still reports the error, although the 4.18 installer works (see [3]).
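The diagnosis above hinges on a distinction the installer's message hides: gcloud returned PERMISSION_DENIED on cloudkms.keyRings.get ("or it may not exist"), while the installer reported the key ring as missing. The following preflight script is an added example, not part of this bug report or of the installer; it runs the same describe command, and additionally a list call because the linked issue OCPBUGS-54302 indicates that the 4.19 installer also needs the key rings list permission, and classifies each result as ok, permission-denied, not-found, empty or unknown so the operator knows whether to fix IAM or the install-config. It assumes an installed, authenticated gcloud CLI; key ring, location and project are placeholders passed as arguments, and the NOT_FOUND sample is a constructed approximation of gcloud's wording (the other two samples are the outputs shown above).

```shell
#!/bin/sh
# Added example (not from the bug report or the OpenShift installer): separate
# "credential cannot read the key ring" from "the key ring does not exist".

# classify_keyring_output OUTPUT_TEXT
# Prints one verdict: ok, permission-denied, not-found, empty or unknown.
# Error lines are checked before success patterns because the PERMISSION_DENIED
# message itself contains the key ring resource path.
classify_keyring_output() {
  out="$1"
  case "$out" in
    "")                  echo "empty" ;;              # list call: permitted, but no rings
    *PERMISSION_DENIED*) echo "permission-denied" ;;  # cannot tell whether ring exists
    *NOT_FOUND*)         echo "not-found" ;;
    ERROR*)              echo "unknown" ;;            # some other gcloud failure
    *"/keyRings/"*)      echo "ok" ;;                 # describe YAML or list of names
    *)                   echo "unknown" ;;
  esac
}

# preflight_keyring KEYRING LOCATION [PROJECT]
# Runs the get and list checks and prints what to fix; last line is the verdict.
preflight_keyring() {
  ring="$1"; loc="$2"; project="${3:-$(gcloud config get project 2>/dev/null)}"

  # Capture stdout and stderr together: YAML on success, ERROR line on failure.
  describe_out="$(gcloud kms keyrings describe "$ring" --location "$loc" --project "$project" 2>&1)"
  verdict="$(classify_keyring_output "$describe_out")"
  case "$verdict" in
    ok) echo "cloudkms.keyRings.get: key ring $ring readable in $project/$loc" ;;
    permission-denied)
      echo "credential lacks cloudkms.keyRings.get on $ring; grant it first."
      echo "(until then gcloud cannot say whether the key ring exists)" ;;
    not-found) echo "key ring $ring does not exist in $project/$loc; check install-config." ;;
    *) echo "unexpected gcloud output:"; echo "$describe_out" ;;
  esac

  # The list permission is checked separately; --format=value(name) prints one
  # resource path per line, which the classifier recognises as "ok".
  list_out="$(gcloud kms keyrings list --location "$loc" --project "$project" --format='value(name)' 2>&1)"
  list_verdict="$(classify_keyring_output "$list_out")"
  case "$list_verdict" in
    ok|empty) echo "cloudkms.keyRings.list: permitted in $project/$loc" ;;
    permission-denied) echo "credential lacks cloudkms.keyRings.list in $project/$loc" ;;
    *) echo "unexpected gcloud list output:"; echo "$list_out" ;;
  esac

  echo "$verdict"
}

# Sample outputs for exercising the classifier offline.
# SAMPLE_DENIED and SAMPLE_OK are the gcloud outputs quoted in this bug report;
# SAMPLE_NOT_FOUND is constructed to approximate gcloud's NOT_FOUND wording.
SAMPLE_DENIED="ERROR: (gcloud.kms.keyrings.describe) PERMISSION_DENIED: Permission 'cloudkms.keyRings.get' denied on resource 'projects/openshift-qe/locations/global/keyRings/openshiftqe' (or it may not exist)."
SAMPLE_OK="createTime: '2019-09-11T09:16:31.778820230Z'
name: projects/openshift-qe/locations/global/keyRings/openshiftqe"
SAMPLE_NOT_FOUND="ERROR: (gcloud.kms.keyrings.describe) NOT_FOUND: KeyRing projects/example-project/locations/global/keyRings/missing-ring not found."

# Run the live check only when invoked with arguments, e.g.:
#   sh kms-preflight.sh openshiftqe global openshift-qe
case "${1:-}" in
  "") ;;
  *) preflight_keyring "$@" ;;
esac
```

Run it with the same credential the installer will use (the one shown by `gcloud config get account`), since IAM results differ per principal. A permission-denied verdict on the describe call is the situation in this report: the ring exists, but the installer surfaces the denial as "failed to find key ring".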
Issue links:
- causes: OCPBUGS-54302 Require Cloud KMS Key Rings List Permission (MODIFIED)
- relates to: OCPBUGS-46488 [GCP] installer cannot detect/expose encryption keyring non-existing error (Closed)
- links to: RHEA-2024:11038 OpenShift Container Platform 4.19.z bug fix update