openshift / cloud-credential-operator

Manage cloud provider credentials as Kubernetes CRDs
Apache License 2.0

OCPBUGS-33566: AWS STS should not error when a credentialsRequest does not have awsSTSIAMRoleARN #703

Closed jstuever closed 3 months ago

jstuever commented 3 months ago

When the operator in manual STS mode is attempting to reconcile a credentialRequest, it should not be throwing errors for credentialRequests that do not have awsSTSIAMRoleARN. Instead, it should be quietly ignoring them as they are not configured to be reconciled with STS.

openshift-ci-robot commented 3 months ago

@jstuever: This pull request references Jira Issue OCPBUGS-33566, which is invalid:

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

jstuever commented 3 months ago

/jira refresh

openshift-ci-robot commented 3 months ago

@jstuever: This pull request references Jira Issue OCPBUGS-33566, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
* bug is open, matching expected state (open)
* bug target version (4.17.0) matches configured target version for branch (4.17.0)
* bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact: /cc @jianping-shu

codecov[bot] commented 3 months ago

Codecov Report

Attention: Patch coverage is 50.00000% with 1 line in your changes missing coverage. Please review.

Project coverage is 48.35%. Comparing base (48b287d) to head (6516137). Report is 2 commits behind head on master.

Additional details and impacted files

```diff
@@           Coverage Diff           @@
##           master     #703   +/-   ##
=======================================
  Coverage   48.34%   48.35%
=======================================
  Files          96       96
  Lines       11799    11797    -2
=======================================
  Hits         5704     5704
+ Misses       5462     5460    -2
  Partials      633      633
```

| [Files](https://app.codecov.io/gh/openshift/cloud-credential-operator/pull/703?dropdown=coverage&src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=openshift) | Coverage Δ | |
|---|---|---|
| [pkg/aws/actuator/actuator.go](https://app.codecov.io/gh/openshift/cloud-credential-operator/pull/703?src=pr&el=tree&filepath=pkg%2Faws%2Factuator%2Factuator.go&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=openshift#diff-cGtnL2F3cy9hY3R1YXRvci9hY3R1YXRvci5nbw==) | `64.06% <50.00%> (+0.15%)` | :arrow_up: |

jianping-shu commented 3 months ago

/retest

jianping-shu commented 3 months ago

Reproduced the issue with 4.15 AWS STS cluster

```
jianpingshu@jshu-mac ~ % oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.15.0-0.nightly-2024-05-21-032108   True        False         9m21s   Cluster version is 4.15.0-0.nightly-2024-05-21-032108
jianpingshu@jshu-mac ~ % oc -n openshift-cloud-credential-operator get -o json credentialsrequests | jq -r '.items[] | select(tostring | contains("InfrastructureMismatch") | not) | .metadata.name as $n | .status.conditions // [{type: "NoConditions"}] | .[] | .type + "=" + .status + " " + $n + " " + .reason + ": " + .message' | sort
CredentialsProvisionFailure=True aws-ebs-csi-driver-operator CredentialsProvisionFailure: failed to grant creds: an empty awsSTSIAMRoleARN was found so no Secret was created
CredentialsProvisionFailure=True cloud-credential-operator-iam-ro CredentialsProvisionFailure: failed to grant creds: an empty awsSTSIAMRoleARN was found so no Secret was created
CredentialsProvisionFailure=True openshift-cloud-network-config-controller-aws CredentialsProvisionFailure: failed to grant creds: an empty awsSTSIAMRoleARN was found so no Secret was created
CredentialsProvisionFailure=True openshift-image-registry CredentialsProvisionFailure: failed to grant creds: an empty awsSTSIAMRoleARN was found so no Secret was created
CredentialsProvisionFailure=True openshift-ingress CredentialsProvisionFailure: failed to grant creds: an empty awsSTSIAMRoleARN was found so no Secret was created
CredentialsProvisionFailure=True openshift-machine-api-aws CredentialsProvisionFailure: failed to grant creds: an empty awsSTSIAMRoleARN was found so no Secret was created
```

Verified with cluster-bot build, AWS STS cluster installed successfully

```
jianpingshu@jshu-mac ~ % oc get clusterversion
NAME      VERSION                                                    AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.16.0-0.ci.test-2024-05-21-084849-ci-ln-xvfsg3t-latest   True        False         23m     Cluster version is 4.16.0-0.ci.test-2024-05-21-084849-ci-ln-xvfsg3t-latest
jianpingshu@jshu-mac ~ % oc -n openshift-cloud-credential-operator get -o json credentialsrequests | jq -r '.items[] | select(tostring | contains("InfrastructureMismatch") | not) | .metadata.name as $n | .status.conditions // [{type: "NoConditions"}] | .[] | .type + "=" + .status + " " + $n + " " + .reason + ": " + .message' | sort
NoConditions= aws-ebs-csi-driver-operator :
NoConditions= cloud-credential-operator-iam-ro :
NoConditions= openshift-cloud-network-config-controller-aws :
NoConditions= openshift-image-registry :
NoConditions= openshift-ingress :
NoConditions= openshift-machine-api-aws :
```

jstuever commented 3 months ago

/assign @dlom

jstuever commented 3 months ago

/cherry-pick release-4.16

openshift-cherrypick-robot commented 3 months ago

@jstuever: once the present PR merges, I will cherry-pick it on top of release-4.16 in a new PR and assign it to you.

dlom commented 3 months ago

/lgtm

openshift-ci[bot] commented 3 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dlom, jstuever

Needs approval from an approver in each of these files:
- ~~[OWNERS](https://github.com/openshift/cloud-credential-operator/blob/master/OWNERS)~~ [dlom,jstuever]

Approvers can indicate their approval by writing `/approve` in a comment
Approvers can cancel approval by writing `/approve cancel` in a comment

openshift-ci-robot commented 3 months ago

/retest-required

Remaining retests: 0 against base HEAD bd04f09e339ef2aec5d90a67d1ce35771927c830 and 2 for PR HEAD 65161371de9a6307b6897eea0afed3da7f04588c in total

jstuever commented 3 months ago

/skip ci/prow/security

jstuever commented 3 months ago

/override ci/prow/security

openshift-ci[bot] commented 3 months ago

@jstuever: Overrode contexts on behalf of jstuever: ci/prow/security

openshift-ci[bot] commented 3 months ago

@jstuever: all tests passed!

openshift-ci-robot commented 3 months ago

@jstuever: Jira Issue OCPBUGS-33566: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-33566 has been moved to the MODIFIED state.

openshift-cherrypick-robot commented 3 months ago

@jstuever: new pull request created: #704

openshift-bot commented 3 months ago

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-cloud-credential-operator-container-v4.17.0-202405212243.p0.g2f29d91.assembly.stream.el9 for distgit ose-cloud-credential-operator. All builds following this will include this PR.