- Bug
- Resolution: Unresolved
- Critical
- None
- 4.16, 4.17, 4.18, 4.19, 4.20, 4.21
Description of problem:
    The ccoctl aws commands always generate a new keypair when the private key file does not exist in the output dir. This forces the user to get the private key from the cluster when performing day-2 ccoctl operations. The private key is only needed for pre-install processes, where there is no public key to be obtained from the cluster. We also want to avoid forcing the user to download the private key, as that poses security concerns.
Version-Release number of selected component (if applicable):
    4.20
How reproducible:
    Always
Steps to Reproduce:
    1. Install an AWS cluster.
    2. Follow the process[1] to enable token-based authentication
    3. 2.2.4 Step 1 - ccoctl aws create-all
     
[1] https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/updating_clusters/preparing-to-update-a-cluster#cco-ccoctl-upgrading_preparing-manual-creds-update
Actual results:
$ ccoctl aws create-all --output-dir "${CLUSTER_NAME}" \
  --name "${CLUSTER_NAME}" \
  --region "${CLUSTER_LOCATION}" \
  --credentials-requests-dir "${CLUSTER_NAME}/creds/aws"
2025/10/24 12:43:38 Generating RSA keypair
2025/10/24 12:43:39 Writing private key to jstueversts3186/serviceaccount-signer.private
2025/10/24 12:43:39 Writing public key to jstueversts3186/serviceaccount-signer.public
Expected results:
$ ccoctl aws create-all --output-dir "${CLUSTER_NAME}" \
  --name "${CLUSTER_NAME}" \
  --region "${CLUSTER_LOCATION}" \
  --credentials-requests-dir "${CLUSTER_NAME}/creds/aws" \
  --public-key-file "${CLUSTER_NAME}/service-signer.public"
Additional info:
    
- blocks: OCPBUGS-63546 ccoctl aws always generates new keys when the private key file is missing (POST)
- is cloned by: OCPBUGS-63546 ccoctl aws always generates new keys when the private key file is missing (POST)
- is depended on by: OCPBUGS-63545 ccoctl commands should use public-key-file flag for day-2 operations (ASSIGNED)