Bug
Resolution: Unresolved
4.21, 4.22
Moderate
Description of problem:
Created an Azure VM and enabled system-assigned managed identity, then assigned proper roles to this identity at subscription scope. Prepared the auth file osServicePrincipal.json, which only contains subscriptionId and tenantId, following doc [1]. Then continued the installation; the installer timed out while waiting for network infrastructure to be created. Checked on the Azure portal: the resource group hadn't even been created yet.

CI jobs with managed identity auth have failed starting from 4.18, when https://github.com/openshift/installer/pull/8844 was merged, and the error "403 Key based authentication is not permitted on this storage account" was thrown after network infrastructure creation completed. But on 4.21+, the CI job fails earlier, when creating network infrastructure resources.

[1] https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html-single/installing_on_azure/index#installation-initializing_installing-azure-customizations
Version-Release number of selected component (if applicable):
4.21+
How reproducible:
Always
Steps to Reproduce:
1. Create an Azure VM, enable system-assigned managed identity, and assign proper roles to the identity
2. Install cluster
Actual results:
Installation failed while creating network infrastructure resources and no resource was created.
Expected results:
Installation succeeded.
Additional info:
1. Failed jobs on 4.21+
   https://qe-private-deck-ci.apps.ci.l2s4.p1.openshiftapps.com/view/gs/qe-private-deck/logs/periodic-ci-openshift-verification-tests-main-installation-nightly-4.21-azure-ipi-oidc-managed-identity-system-f14/2012058974823649280
2. Failed jobs on 4.20 and earlier versions
   https://qe-private-deck-ci.apps.ci.l2s4.p1.openshiftapps.com/view/gs/qe-private-deck/logs/periodic-ci-openshift-verification-tests-main-installation-nightly-4.20-azure-ipi-oidc-managed-identity-system-f14/2002555523861319680
   https://qe-private-deck-ci.apps.ci.l2s4.p1.openshiftapps.com/view/gs/qe-private-deck/logs/periodic-ci-openshift-verification-tests-main-installation-nightly-4.19-azure-ipi-oidc-managed-identity-user-defined-mini-perm-f14/2010827123475877888
3. Installation succeeded with PR installer#9851 if clientID for the system-assigned managed identity is set in the osServicePrincipal.json file