Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Critical
Fix Version/s: None
Affects Version/s: 4.16, 4.17, 4.18, 4.19, 4.20, 4.21
Component/s: Cloud Credential Operator
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Critical
Regression:
None

Target Backport Versions:
None
Target Version:

4.19.z
Release Blocker:
Proposed
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

This is a clone of issue OCPBUGS-63546. The following is the description of the original issue:
—
This is a clone of issue OCPBUGS-63541. The following is the description of the original issue:
—
Description of problem:

    The ccoctl aws commands always generate a new keypair when the private key file does not exist in the output dir. This forces the user to get the private key from the cluster when performing day-2 ccoctl operations. The private key is only needed for pre-install processes where there is no public key to be obtained from the cluster. And, we want to avoid forcing the user to download the private key as that poses security concerns.

Version-Release number of selected component (if applicable):

    4.20

How reproducible:

    Always

Steps to Reproduce:

    1. Install an AWS cluster.
    2. Follow the process[1] to enable token based authentication
    3. 10.4.3 Step 2.ii - ./ccoctl aws create-identity-provider
     
[1] https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/postinstallation_configuration/changing-cloud-credentials-configuration#post-install-enable-token-auth_changing-cloud-credentials-configuration

Actual results:

$ ccoctl aws create-all --output-dir "${CLUSTER_NAME}" \
  --name "${CLUSTER_NAME}" \
  --region "${CLUSTER_LOCATION}" \
  --credentials-requests-dir "${CLUSTER_NAME}/creds/aws"
2025/10/24 12:43:38 Generating RSA keypair
2025/10/24 12:43:39 Writing private key to jstueversts3186/serviceaccount-signer.private
2025/10/24 12:43:39 Writing public key to jstueversts3186/serviceaccount-signer.public

Expected results:

$ ccoctl aws create-all --output-dir "${CLUSTER_NAME}" \
  --name "${CLUSTER_NAME}" \
  --region "${CLUSTER_LOCATION}" \
  --credentials-requests-dir "${CLUSTER_NAME}/creds/aws"
2025/10/24 13:01:05 Using existing RSA keypair found at jstueversts3186/serviceaccount-signer.public

Additional info:

blocks

OCPBUGS-63548 ccoctl aws always generates new keys when the private key file is missing

clones

OCPBUGS-63546 ccoctl aws always generates new keys when the private key file is missing

POST

is blocked by

OCPBUGS-63546 ccoctl aws always generates new keys when the private key file is missing

POST

is cloned by

OCPBUGS-63548 ccoctl aws always generates new keys when the private key file is missing

links to

openshift/cloud-credential-operator#937: [release-4.19] OCPBUGS-63547: ccoctl: add public-key-file flag to create-all

Assignee:: Jeremiah Stuever

Reporter:: Jeremiah Stuever

Need Info From:: None

Contributors:: None

QA Contact:: Jianping Shu

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2025/10/24 10:37 PM

Updated:: 2025/10/31 5:57 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates