Identity Provider Status stuck in CREATING

kubernetes-sigs / cluster-api-provider-aws

Kubernetes Cluster API Provider AWS provides consistent deployment and day 2 operations of "self-managed" and EKS Kubernetes clusters on AWS.

http://cluster-api-aws.sigs.k8s.io/

Apache License 2.0

636 stars 561 forks source link

Identity Provider Status stuck in CREATING #5123

Open jas-nik opened 2 days ago

jas-nik commented 2 days ago

/kind bug

What steps did you take and what happened: Provision AWS managed control plane with Identity provider config. We are currently using Azure Active Directory (AAD) as our Identity provider.

Checking the status in AWS console shows the Status as Active but AWS Managed Control plane status shows the status stuck in CREATING phase.

We use CAPA in combination with ArgoCD and due to Identity Provider Config status stuck in CREATING phase, we are unable to use this to check the status of ManagedControlPlane readiness

What did you expect to happen: Identity Provider status in AWS Managed Control Plane status change to "Active/Provisioned/Created"

Anything else you would like to add: [Miscellaneous information that will assist in solving the issue.]

Environment:

Cluster-api-provider-aws version: 2.6.1
Kubernetes version: (use kubectl version): 1.29
OS (e.g. from /etc/os-release): ubuntu

dlipovetsky commented 2 days ago

/triage accepted

/priority important-longterm

/help

k8s-ci-robot commented 2 days ago

@dlipovetsky: This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

Why are we solving this issue?
To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
Does this issue have zero to low barrier of entry?
How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to [this](https://github.com/kubernetes-sigs/cluster-api-provider-aws/issues/5123): >/triage accepted > >/priority important-longterm > >/help Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

jas-nik commented 2 days ago

/assign @jas-nik

adammw commented 1 day ago

Guessing this is related but in reverse for us - the CRD is marked as Ready before the identity provider is provisioned, and AFAICT there are no EKSControlPlaneUpdating Condition or events to know this occurs, and our workflow continues on after seeing the CRD ready and then gets an error due to the AssociateIdentityProviderConfig not being finished.