-
Bug
-
Resolution: Unresolved
-
Major
-
None
-
4.20
-
None
-
Quality / Stability / Reliability
-
False
-
-
None
-
Important
-
None
-
None
-
Proposed
-
Installer Sprint 276, Installer Sprint 277, Installer Sprint 278
-
3
-
None
-
None
-
None
-
None
-
None
-
None
-
None
Description of problem:
Feature details are described in https://issues.redhat.com/browse/OCPSTRAT-2202. OCPSTRAT-2202 focuses on the document update, this bug is intended to track code changes in the installer repo (and machine API repo).
Besides the official update, the installer's minimum permission needs to be updated as well, if the feature need to be supported in 4.18-, we also need to update machine api.
| Version | Control Plane Nodes | Compute Nodes |
|---|---|---|
| 4.20 + |  Fail, kms:ReEncrypt* is missing from the min-permission list ( create permissions-policy command needs to know if byo-ami is encrypted by byo-kms key.) |
 PASS, resolved by https://github.com/openshift/machine-api-operator/pull/1370 |
| 4.19 | Fail, same as above |
PASS, resolved by https://github.com/openshift/machine-api-operator/pull/1371 |
| 4.18 - | Fail, same as above |
Fail, no backport of 1371 |
Version-Release number of selected component (if applicable):
4.20
How reproducible:
Always
Steps to Reproduce:
1. ${ami_id} was encrypted by ${kms_arn}
platform:
aws:
defaultMachinePlatform:
amiID: ${ami_id}
rootVolume:
kmsKeyARN: ${kms_arn}
2.
3.
Actual results:
The control plane machine can not go into the running state.
Expected results:
cluster install success.
Additional info:
- relates to
-
CORS-4026 BYO encrypted AMIs on AWS
-
- Testing
-
- links to