OCPBUGS-77845

oc command extracted an unexpected credential request file

    • Bug
    • Resolution: Unresolved
    • 4.22.0
    • oc
    • Important
    • Proposed

      Description of problem:

      An unexpected credential request yaml file - 0000_30_cluster-api_01_credentials-request.yaml is created when running "oc adm release extract --credentials-requests --cloud=azure".

      Version-Release number of selected component (if applicable):

      Client Version: 4.22.0-0.nightly-2026-03-04-220328
      Kustomize Version: v5.7.1 

      How reproducible:

      Always

      Steps to Reproduce:

          1. install-config.yaml file looks like:
      $ cat install-config.yaml
      apiVersion: v1
      baseDomain: qe.azure.devcluster.openshift.com
      compute:
      - hyperthreading: Enabled
        name: worker
        platform: {}
        replicas: 3
      controlPlane:
        hyperthreading: Enabled
        name: master
        platform: {}
        replicas: 3
      metadata:
        creationTimestamp: null
        name: qe-jialiu
      networking:
        clusterNetwork:
        - cidr: 10.128.0.0/14
          hostPrefix: 23
        machineCIDR: 10.0.0.0/16
        serviceNetwork:
        - 172.30.0.0/16
      credentialsMode: Manual
      platform:
        azure:
          region: westus2
          userTags:
            expiration_date: 2026-03-03T18:13+00:00
          baseDomainResourceGroupName: os4-common
          networkResourceGroupName: ci-op-ls2d409k-eb20d-rg
          virtualNetwork: ci-op-ls2d409k-eb20d-vnet
          controlPlaneSubnet: ci-op-ls2d409k-eb20d-master-subnet
          computeSubnet: ci-op-ls2d409k-eb20d-worker-subnet-0
          resourceGroupName: ci-op-ls2d409k-eb20d
          
          2. $ oc adm release extract --credentials-requests --cloud=azure --to=./ --included  --install-config=./install-config.yaml registry.ci.openshift.org/ocp/release:4.22.0-0.nightly-2026-03-04-220328
      Extracted release payload from digest sha256:aa4b84b4a1af6d665272e4fb05b38b6d8f74f01d6e3081ca00b0d67be03a1504 created at 2026-03-04T22:06:31Z
      
      

      Actual results:

          An unexpected file - 0000_30_cluster-api_01_credentials-request.yaml is created.
      
      $ ll
      total 68
      -rw-r--r--. 1 root root 2199 Mar  5 10:43 0000_26_cloud-controller-manager-operator_14_credentialsrequest-azure.yaml
      -rw-r--r--. 1 root root 3905 Mar  5 10:43 0000_30_cluster-api_01_credentials-request.yaml
      -rw-r--r--. 1 root root 2706 Mar  5 10:43 0000_30_machine-api-operator_00_credentials-request.yaml
      -rw-r--r--. 1 root root 2660 Mar  5 10:43 0000_50_cluster-image-registry-operator_01-registry-credentials-request-azure.yaml
      -rw-r--r--. 1 root root 1011 Mar  5 10:43 0000_50_cluster-ingress-operator_00-ingress-credentials-request.yaml
      -rw-r--r--. 1 root root 1097 Mar  5 10:43 0000_50_cluster-network-operator_02-cncc-credentials.yaml
      -rw-r--r--. 1 root root 2424 Mar  5 10:43 0000_50_cluster-storage-operator_03_credentials_request_azure_file.yaml
      -rw-r--r--. 1 root root 2048 Mar  5 10:43 0000_50_cluster-storage-operator_03_credentials_request_azure.yaml
      $ cat 0000_30_cluster-api_01_credentials-request.yaml
      ---
      apiVersion: cloudcredential.openshift.io/v1
      kind: CredentialsRequest
      metadata:
        annotations:
          capability.openshift.io/name: CloudCredential
          exclude.release.openshift.io/internal-openshift-hosted: "true"
          include.release.openshift.io/self-managed-high-availability: "true"
          release.openshift.io/feature-gate: ClusterAPIMachineManagement
        name: openshift-cluster-api-azure
        namespace: openshift-cloud-credential-operator
      spec:
        cloudTokenPath: /var/run/secrets/azure/tokens
        providerSpec:
          apiVersion: cloudcredential.openshift.io/v1
          kind: AzureProviderSpec
          permissions:
          - Microsoft.ApiManagement/service/groups/delete
          - Microsoft.ApiManagement/service/groups/read
          - Microsoft.ApiManagement/service/groups/write
          - Microsoft.ApiManagement/service/workspaces/tags/read
          - Microsoft.ApiManagement/service/workspaces/tags/write
          - Microsoft.Authorization/roleAssignments/read
          - Microsoft.Authorization/roleAssignments/write
          - Microsoft.Compute/availabilitySets/delete
          - Microsoft.Compute/availabilitySets/write
          - Microsoft.Compute/disks/delete
          - Microsoft.Compute/images/read
          - Microsoft.Compute/images/write
          - Microsoft.Compute/locations/diskOperations/read
          - Microsoft.Compute/skus/read
          - Microsoft.Compute/virtualMachineScaleSets/delete
          - Microsoft.Compute/virtualMachineScaleSets/read
          - Microsoft.Compute/virtualMachineScaleSets/write
          - Microsoft.Compute/virtualMachines/extensions/write
          - Microsoft.ContainerService/managedClusters/agentPools/write
          - Microsoft.ContainerService/managedClusters/delete
          - Microsoft.ContainerService/managedClusters/write
          - Microsoft.Network/applicationSecurityGroups/delete
          - Microsoft.Network/applicationSecurityGroups/read
          - Microsoft.Network/applicationSecurityGroups/write
          - Microsoft.Network/bastionHosts/delete
          - Microsoft.Network/bastionHosts/write
          - Microsoft.Network/loadBalancers/inboundNatRules/delete
          - Microsoft.Network/loadBalancers/inboundNatRules/write
          - Microsoft.Network/natGateways/delete
          - Microsoft.Network/natGateways/read
          - Microsoft.Network/natGateways/write
          - Microsoft.Network/networkInterfaces/delete
          - Microsoft.Network/networkInterfaces/read
          - Microsoft.Network/networkInterfaces/write
          - Microsoft.Network/networkSecurityGroups/delete
          - Microsoft.Network/networkSecurityGroups/read
          - Microsoft.Network/networkSecurityGroups/write
          - Microsoft.Network/privateDnsZones/delete
          - Microsoft.Network/privateDnsZones/write
          - Microsoft.Network/privateEndpoints/delete
          - Microsoft.Network/privateEndpoints/write
          - Microsoft.Network/publicIPAddresses/delete
          - Microsoft.Network/publicIPAddresses/read
          - Microsoft.Network/publicIPAddresses/write
          - Microsoft.Network/routeTables/delete
          - Microsoft.Network/routeTables/read
          - Microsoft.Network/routeTables/write
          - Microsoft.Network/virtualNetworks/delete
          - Microsoft.Network/virtualNetworks/delete
          - Microsoft.Network/virtualNetworks/read
          - Microsoft.Network/virtualNetworks/subnets/delete
          - Microsoft.Network/virtualNetworks/subnets/read
          - Microsoft.Network/virtualNetworks/subnets/write
          - Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
          - Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write
          - Microsoft.Network/virtualNetworks/write
          - Microsoft.Resourcehealth/healthevent/action
          - Microsoft.Resources/subscriptions/resourceGroups/delete
          - Microsoft.Resources/subscriptions/resourceGroups/read
          - Microsoft.Resources/subscriptions/resourceGroups/write
          - Microsoft.ClassicStorage/storageAccounts/vmImages/read
          - Microsoft.ClassicStorage/storageAccounts/vmImages/write
        secretRef:
          name: capz-manager-bootstrap-credentials
          namespace: openshift-cluster-api
        serviceAccountNames:
        - capi-controllers 

      Expected results:

          0000_30_cluster-api_01_credentials-request.yaml should not be created in a default featureSet cluster install.

      Additional info:

          1. Discussed with the CAPI team (https://redhat-internal.slack.com/archives/C05KZA3NVU6/p1772640526068109); it sounds like https://github.com/openshift/oc/blob/4aebabfa7bfd7c68f4b06601246daad782741070/pkg/cli/admin/release/extract_tools.go#L1284-L1288 is out of date.
          2. Because of this issue, the Azure OIDC step (https://gcsweb-qe-private-deck-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/qe-private-deck/logs/periodic-ci-openshift-verification-tests-main-installation-nightly-4.22-azure-ipi-oidc-managed-identity-system-f14/2029232429696290816/artifacts/azure-ipi-oidc-managed-identity-system-f14/ipi-conf-azure-oidc-creds-provision/build-log.txt) failed like:
      
      2026/03/04 16:57:38 Created user-assigned managed identity /subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourcegroups/ci-op-izswycjq-eb20d-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ci-op-izswycjq-eb20d-openshift-cluster-api-capz-manager-bootstrap-credentials
      2026/03/04 16:57:39 error ensuring custom role: PUT https://management.azure.com/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/providers/Microsoft.Authorization/roleDefinitions/e51f1cbb-c2e0-4036-aca0-314a9ba18806
      --------------------------------------------------------------------------------
      RESPONSE 400: 400 Bad Request
      ERROR CODE: InvalidActionOrNotAction
      --------------------------------------------------------------------------------
      {
        "error": {
          "code": "InvalidActionOrNotAction",
          "message": "'Microsoft.Resourcehealth/healthevent/action' does not match any of the actions supported by the providers."
        }
      }

              joelspeed Joel Speed
              jialiu@redhat.com Johnny Liu
              Ying Zhou Ying Zhou
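
A pre-flight check for the directory produced in step 2, added here as an example (it is not code from oc or from this report): it lists extracted CredentialsRequest manifests that carry a release.openshift.io/feature-gate annotation, and any permission listed twice, so they can be reviewed before identities and custom roles are created from them. It assumes the flat YAML layout shown in the report and uses a line scan rather than a YAML parser; audit_manifest and audit_dir are hypothetical names.

```python
import sys
from collections import Counter
from pathlib import Path

FEATURE_GATE = "release.openshift.io/feature-gate"

def audit_manifest(text):
    """Return (feature gate or None, duplicated permissions) for one manifest."""
    gate, perms, in_perms = None, [], False
    for line in text.splitlines():
        item = line.strip()
        if item.startswith(FEATURE_GATE + ":"):
            gate = item.split(":", 1)[1].strip().strip("\"'")
        elif item == "permissions:":
            in_perms = True
        elif in_perms and item.startswith("- "):
            perms.append(item[2:].strip())
        elif in_perms and item:
            in_perms = False  # first non-list key ends the permissions block
    return gate, sorted(p for p, n in Counter(perms).items() if n > 1)

def audit_dir(directory):
    """Map file name -> findings for each extracted manifest that needs review."""
    findings = {}
    for path in sorted(Path(directory).glob("*.yaml")):
        gate, dupes = audit_manifest(path.read_text())
        if gate or dupes:
            findings[path.name] = {"feature_gate": gate, "duplicates": dupes}
    return findings

# Constructed samples (GATED is abbreviated from the manifest in this report).
GATED = """\
metadata:
  annotations:
    release.openshift.io/feature-gate: ClusterAPIMachineManagement
spec:
  providerSpec:
    permissions:
    - Microsoft.Network/virtualNetworks/delete
    - Microsoft.Network/virtualNetworks/delete
    - Microsoft.Network/virtualNetworks/read
  serviceAccountNames:
  - capi-controllers
"""
UNGATED = "spec:\n  providerSpec:\n    permissions:\n    - Microsoft.Compute/disks/delete\n"

if __name__ == "__main__":
    for name, finding in audit_dir(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, finding)
```

Run it with the extraction directory as its argument; a manifest it reports is a prompt to confirm that the named feature gate is actually enabled for the cluster being installed, not proof that the manifest is wrong.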