- Bug
- Resolution: Unresolved
- Major
- 4.19.z
- Quality / Stability / Reliability
- False
- Important
Description of problem:
The ValidAWSIdentityProvider status is always False when KAS is not up, as it's needed to mint the tokens. This results in the following status:

    Last Transition Time:  2025-10-21T11:25:10Z
    Message:               WebIdentityErr
    Observed Generation:   1
    Reason:                InvalidIdentityProvider
    Status:                False
    Type:                  ValidAWSIdentityProvider

This is a prominent case during cluster provisions and/or situations where both apiserver pods are down. This status is a major red herring for the service providers.
Version-Release number of selected component (if applicable):
How reproducible:
100%
Steps to Reproduce:
1. Scale down KAS
2. Watch ValidAWSIdentityProvider condition

1. Create cluster
2. Watch ValidAWSIdentityProvider condition & the emitted metric (hypershift_cluster_invalid_aws_creds)
Actual results:
Status is False and metric is 1 with message "WebIdentityErr" even though token minting never happened, so it's unclear if the AWS IDP is valid or not.
Expected results:
Status is Unknown, metric is 2 (unknown - see https://github.com/openshift/hypershift/pull/7075)
Additional info:
- is duplicated by: OCPBUGS-38329 ValidAWSIdentityProvider HostedCluster state shows as False during installation (Closed)
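The expected behaviour described in this report, written out as an added Go example (not HyperShift's own code): the condition only goes False when AWS actually rejected a minted token, and stays Unknown when no token could be minted. The names `Evaluate` and `ErrTokenNotMinted`, the reason strings `KASUnavailable` and `AsExpected`, and the metric value 0 for a valid provider are assumptions; the values 1 and 2 and the reason `InvalidIdentityProvider` come from the report.

```go
package main

import (
	"errors"
	"fmt"
)

// ConditionStatus mirrors the three states a Kubernetes condition can take.
type ConditionStatus string

const (
	ConditionTrue    ConditionStatus = "True"
	ConditionFalse   ConditionStatus = "False"
	ConditionUnknown ConditionStatus = "Unknown"
)

// ErrTokenNotMinted is a hypothetical sentinel for "the token request never
// reached a working KAS", as opposed to AWS rejecting a token that was minted.
var ErrTokenNotMinted = errors.New("service account token could not be minted")

// Result is what the controller would publish: condition fields plus the
// value for the hypershift_cluster_invalid_aws_creds metric.
type Result struct {
	Status ConditionStatus
	Reason string
	Metric float64
}

// Evaluate maps the check outcome to a tri-state result.
func Evaluate(kasAvailable bool, err error) Result {
	switch {
	case !kasAvailable || errors.Is(err, ErrTokenNotMinted):
		// No token was minted, so nothing is known about the AWS IDP.
		return Result{Status: ConditionUnknown, Reason: "KASUnavailable", Metric: 2}
	case err != nil:
		// A token was presented and AWS rejected it (e.g. WebIdentityErr).
		return Result{Status: ConditionFalse, Reason: "InvalidIdentityProvider", Metric: 1}
	default:
		return Result{Status: ConditionTrue, Reason: "AsExpected", Metric: 0}
	}
}

func main() {
	webIdentityErr := errors.New("WebIdentityErr") // constructed sample error
	fmt.Println(Evaluate(false, webIdentityErr))   // KAS scaled down
	fmt.Println(Evaluate(true, fmt.Errorf("mint: %w", ErrTokenNotMinted)))
	fmt.Println(Evaluate(true, webIdentityErr)) // AWS rejected a real token
	fmt.Println(Evaluate(true, nil))
}
```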