OCPBUGS-57933

credentialsMode is empty in CloudCredential when using openshift-install create cluster directly


      Description of problem:

      When provisioning a cluster using openshift-install create cluster directly (without ccoctl or custom credential configuration), the resulting CloudCredential resource (cloudcredential.cluster) is created with an empty .spec.credentialsMode field.
      This leads to CredentialRequests failing to sync, especially in environments where explicit mode is required (e.g., disconnected or restricted environments).
      Expected behavior is that the installer should default this value to a valid mode (Mint, Passthrough, or Manual) based on platform context or error if undefined.    

      Version-Release number of selected component (if applicable):

          4.19

      How reproducible:

      100%    

      Steps to Reproduce:

      1. Prepare a standard install-config.yaml for AWS or another cloud platform.
      
      2. Run: openshift-install create cluster --dir mycluster --log-level debug
      
      3. After master comes up, access the cluster and observe the credential mode:
      
         oc get cloudcredential cluster -o yaml
         spec:
           credentialsMode: ""
      
      

      Actual results:

      The cluster operator says unable to sync creds
      
      
      # oc get co
      NAME                                       VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
      authentication                             4.19.0    False       True          True       9m47s   OAuthServerServiceEndpointAccessibleControllerAvailable: Get "https://172.30.151.169:443/healthz": dial tcp 172.30.151.169:443: connect: connection refused...
      baremetal                                  4.19.0    True        False         False      8m56s   
      cloud-controller-manager                   4.19.0    True        False         False      11m     
      cloud-credential                           4.19.0    True        True          True       13m     6 of 6 credentials requests are failing to sync.
       
      

      CR shows value as empty:

       

      # oc get cloudcredential cluster -o yaml
      apiVersion: operator.openshift.io/v1
      kind: CloudCredential
      metadata:
        creationTimestamp: "2025-06-23T04:17:55Z"
        generation: 1
        name: cluster
        resourceVersion: "519"
        uid: c1de6b47-ea45-449f-a3a7-4c718859257a
      spec:
        credentialsMode: ""
        logLevel: Normal
        operatorLogLevel: Normal
      

       

      No secret created in cloud-credential-operator namespace.

       

      # oc get secret -n openshift-cloud-credential-operator aws-creds -o yaml
      Error from server (NotFound): secrets "aws-creds" not found
      
        

      Expected results:

       Installation should not fail.   

      Additional info:

          

              jstuever@redhat.com Jeremiah Stuever
              rhn-support-chdeshpa Chinmay Deshpande
              Jianping Shu Jianping Shu
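
Added triage example, not part of the original report or of OpenShift's own tooling: a shell check over the two outputs quoted in the report that flags a CloudCredential whose spec.credentialsMode is not one of Mint, Passthrough or Manual, for environments where the report says an explicit mode is required. The function names are assumptions of this example, and the sample text is abridged from the report's output.

```shell
#!/bin/sh
# Added example. Live use: oc get cloudcredential cluster -o yaml | credentials_mode

# Print spec.credentialsMode from CloudCredential YAML on stdin (empty if unset).
credentials_mode() {
  awk '/^spec:/ { in_spec = 1; next }
       /^[^ ]/  { in_spec = 0 }
       in_spec && $1 == "credentialsMode:" { gsub(/"/, "", $2); print $2; exit }'
}

# Succeed only for the three modes the report names.
mode_is_explicit() {
  case "$1" in
    Mint|Passthrough|Manual) return 0 ;;
    *) return 1 ;;
  esac
}

# List operators whose DEGRADED column (5th) is True in `oc get co` output on stdin.
degraded_operators() {
  awk 'NR > 1 && $5 == "True" { print $1 }'
}

# $1 = CloudCredential YAML, $2 = `oc get co` output. Returns 1 on a finding.
triage() {
  mode=$(printf '%s\n' "$1" | credentials_mode)
  if mode_is_explicit "$mode"; then
    echo "OK: credentialsMode=$mode"
    return 0
  fi
  echo "FINDING: credentialsMode is empty or unrecognised: '$mode'"
  if printf '%s\n' "$2" | degraded_operators | grep -qx 'cloud-credential'; then
    echo "FINDING: cloud-credential operator is Degraded"
  fi
  return 1
}

# Sample input abridged from the output quoted in the report.
SAMPLE_CR='apiVersion: operator.openshift.io/v1
kind: CloudCredential
metadata:
  name: cluster
spec:
  credentialsMode: ""
  logLevel: Normal'
SAMPLE_CO='NAME               VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication     4.19.0    False       True          True       9m47s   ...
baremetal          4.19.0    True        False         False      8m56s
cloud-credential   4.19.0    True        True          True       13m     6 of 6 credentials requests are failing to sync.'

triage "$SAMPLE_CR" "$SAMPLE_CO" || echo "triage reported a finding"
```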