-
Bug
-
Resolution: Unresolved
-
Critical
-
None
-
4.19.z
-
Quality / Stability / Reliability
-
False
-
-
None
-
Important
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
Description of problem:
When CAPA is enabled, it enables the capa-validating-webhook-configuration validating webhook. With this webhook, we see the following error in the hypershift operator.
{"level":"error","ts":"2025-06-19T14:18:44Z","msg":"Failed to reconcile NodePool","controller":"nodepool","controllerGroup":"hypershift.openshift.io","controllerKind":"NodePool","NodePool":{"name":"acmqe-hc-32a95cbb9b194d81-us-east-1a","namespace":"clusters"},"namespace":"clusters","name":"acmqe-hc-32a95cbb9b194d81-us-east-1a","reconcileID":"fcfe593f-dcd1-4f90-afdd-9a5161bb72cc","error":"admission webhook \"validation.awsmachinetemplate.infrastructure.cluster.x-k8s.io\" denied the request: AWSMachineTemplate.infrastructure.cluster.x-k8s.io \"acmqe-hc-32a95cbb9b194d81-us-east-1a-c6a50e4e\" is invalid: spec.template.spec.cloudInit.secureSecretsBackend: Forbidden: cannot be set if spec.template.spec.cloudInit.insecureSkipSecretsManager is true","stacktrace":"github.com/openshift/hypershift/hypershift-operator/controllers/nodepool.(*NodePoolReconciler).Reconcile\n\t/hypershift/hypershift-
Version-Release number of selected component (if applicable):
How reproducible:
In this case, CAPA is enabled via MCE as a component. However, as I understand, CAPA can also be enabled through OCP FeatureGate.
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
- is related to
-
ACM-21708 CAPI/CAPA webhooks block hosted cluster deployments
-
- Closed
-