Type: Bug
Resolution: Unresolved
Priority: Critical
Affects Version/s: 4.16, 4.17, 4.18, 4.19, 4.20, 4.21
Component category: Quality / Stability / Reliability
Severity: Critical
Sprint: OSDOCS Sprint 279
Description of problem:
All of the documented day-2 uses of the ccoctl utility (create-all and the per-provider identity-provider commands for AWS, GCP and Azure) should pass the --public-key-file flag. That flag tells ccoctl that the public key (previously retrieved from the cluster) already exists, so it reuses that key instead of generating a new keypair.
Version-Release number of selected component (if applicable):
4.20
How reproducible:
always
Steps to Reproduce:
Follow any of the documented day-2 procedures below and run the listed ccoctl command as documented, i.e. without --public-key-file:
- 10.1.1. Rotating AWS OIDC bound service account signer keys: ccoctl aws create-identity-provider
- 10.1.2. Rotating Google Cloud OIDC bound service account signer keys: ccoctl gcp create-workload-identity-provider
- 10.1.3. Rotating Azure OIDC bound service account signer keys: ccoctl aws create-identity-provider
- 2.2.4. Updating cloud provider resources with the Cloud Credential Operator utility: ccoctl aws create-all, ccoctl gcp create-all, ccoctl azure create-managed-identities
Actual results:
ccoctl generates a new keypair. When the resulting keys.json is uploaded to the cloud provider bucket, it no longer contains the public key that matches the signing key the cluster is actually using, so the cluster operators immediately begin failing to authenticate to the cloud provider.
Expected results:
ccoctl uses the existing public key retrieved from the cluster, the uploaded keys.json continues to match the cluster's signing key, and operators experience no authentication failures.
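The failure mode above is detectable before anything is uploaded: the `kid` in the keys.json that ccoctl writes must equal the `kid` the cluster puts in the header of the service account tokens it issues, and that `kid` is derived from the cluster's public key. The following is an added pre-upload check, not code from this bug report or from ccoctl. It assumes that ccoctl derives `kid` the same way Kubernetes does (base64url, no padding, of SHA-256 over the DER-encoded SubjectPublicKeyInfo), and it uses constructed stand-in key bytes, a constructed keys.json and a constructed token rather than real cluster output. The "good" keys.json models a run with `--public-key-file`; the "bad" one models a run without it, where ccoctl generated a fresh keypair.

```python
import base64
import hashlib
import json


def _pem(body_bytes):
    """Wrap constructed bytes in a PEM envelope so the check can run offline.
    A real key would be a DER SubjectPublicKeyInfo; for the kid derivation
    only the exact bytes between the PEM markers matter."""
    body = base64.encodebytes(body_bytes).decode()
    return "-----BEGIN PUBLIC KEY-----\n" + body + "-----END PUBLIC KEY-----\n"


# Constructed stand-in for service-account.pub retrieved from the cluster
# (assumption: the bound SA signing key material exported via `oc`).
CLUSTER_PUB_PEM = _pem(b"constructed: cluster bound-sa signing public key")
# Constructed stand-in for the keypair ccoctl generates when
# --public-key-file is omitted.
FRESH_PUB_PEM = _pem(b"constructed: brand-new keypair ccoctl generated itself")


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def kid_from_pem(pem):
    """kid = base64url(SHA-256(DER SubjectPublicKeyInfo)), unpadded.
    This is the Kubernetes derivation; assumed identical for ccoctl."""
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    return _b64url(hashlib.sha256(der).digest())


def make_keys_json(pems):
    """Constructed JWKS in the shape of the keys.json ccoctl writes.
    The RSA parameters are placeholders; only kid is checked here."""
    keys = [{"use": "sig", "kty": "RSA", "alg": "RS256",
             "kid": kid_from_pem(p), "n": "<placeholder>", "e": "AQAB"} for p in pems]
    return json.dumps({"keys": keys})


def make_token(kid):
    """Constructed JWT (header.payload.signature) carrying the given kid.
    The signature is fake; we only read the header."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": kid}).encode())
    payload = _b64url(json.dumps({"sub": "system:serviceaccount:constructed"}).encode())
    return f"{header}.{payload}.{_b64url(b'constructed-signature')}"


def kids_in_keys_json(doc):
    return {k["kid"] for k in json.loads(doc).get("keys", [])}


def kid_in_token(token):
    header = json.loads(_b64url_decode(token.split(".")[0]))
    return header["kid"]


def keys_json_matches_cluster(keys_json, cluster_pub_pem, sample_token=None):
    """Return (ok, reason). ok is True only if the keys.json about to be
    uploaded carries the kid of the cluster's public key and, when a token
    issued by the cluster is supplied, the kid from that token's header."""
    kids = kids_in_keys_json(keys_json)
    expected = kid_from_pem(cluster_pub_pem)
    if expected not in kids:
        return False, f"keys.json lacks cluster kid {expected}; contains {sorted(kids)}"
    if sample_token is not None and kid_in_token(sample_token) not in kids:
        return False, "kid in cluster-issued token is not present in keys.json"
    return True, "keys.json matches the cluster signing key"


# keys.json from `ccoctl ... --public-key-file serviceaccount-signer.public`
GOOD_KEYS_JSON = make_keys_json([CLUSTER_PUB_PEM])
# keys.json from the same command without --public-key-file (new keypair)
BAD_KEYS_JSON = make_keys_json([FRESH_PUB_PEM])
# A token as the cluster would issue it today, signed by the existing key
SAMPLE_TOKEN = make_token(kid_from_pem(CLUSTER_PUB_PEM))

if __name__ == "__main__":
    for label, doc in (("with --public-key-file", GOOD_KEYS_JSON),
                       ("without --public-key-file", BAD_KEYS_JSON)):
        ok, reason = keys_json_matches_cluster(doc, CLUSTER_PUB_PEM, SAMPLE_TOKEN)
        print(f"{label}: {'OK' if ok else 'DO NOT UPLOAD'} - {reason}")
```

In practice the inputs would be the real keys.json under ccoctl's `--output-dir`, the public key file you fed to `--public-key-file`, and any service account token from a running pod in the cluster; a mismatch means uploading that keys.json would cut every operator off from the cloud provider, which is exactly the outcome described under Actual results.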
Additional info:
Depends on:
- OCPBUGS-63541 ccoctl aws always generates new keys when the private key file is missing (ON_QA)
- OCPBUGS-61221 Upgrade documentation should ensure ccoctl uses the cluster's actual bound service account signing key (ON_QA)